Failed to create or renew certificate with timeout

Hello,
I can't get a Let's Encrypt certificate with certbot, the HTTP challenge and the nginx plugin (or manually).
Certbot sends me this error: Timeout during connect (likely firewall problem)
But when I try to get the file with wget and the URL from a server on the Internet, I'm able to get the wanted content.

My domain is:
for example home.xoddark.com

I ran this command:
certbot certonly --manual

It produced this output:
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
But as I said, when I manually check from another computer connected to the Internet, I'm able to get the wanted result to validate the challenge.

certbot runs in an lxc container with Alpine Linux v3.14 which runs nginx/1.20.2.
Nginx is used here as a reverse proxy, and works correctly.

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.16.0

Thanks for helping me to better understand the problem, and for information to debug the problem.

Hi @xoddark, and welcome to the LE community forum 🙂

That usually indicates there is some device that is blocking, at least, some of the inbound HTTP requests.
I'm able to reach your nginx server, so it isn't blocking all requests:

curl -Ii http://home.xoddark.com/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 28 Jun 2022 13:29:26 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://home.xoddark.com/

Works from here too.

Maybe regional blocking or blocking of certain providers/CDNs.

Thanks for your response.
Do you know how I can investigate what is blocking the request?
Note: the lxc container is on a Turris Omnia router (OpenWRT-based OS).

And after enabling login of the firewall on the router, I tried again, and renewing worked ...
It's not the first time that it doesn't work and then suddenly works again, without my being able to understand why.
It's very annoying, especially because auto-renew seems not to work.
It's like I need to connect to the router, do some stuff, and after this it works again ...

Any idea how to continue the investigation?

One idea is to look for an option in the router that does DDoS protection or some call it "smart blocking" or similar. Maybe rebooting the router resets its history?

Let's Encrypt will make several identical requests from different parts of the world simultaneously. Some overly sensitive firewalls see this as an attack and block requests. Normally when this happens the error message is a little different but worth looking at.

I used the Let's Debug test site and saw it fail and now see it's working.

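The diagnosis above (several simultaneous validation requests tripping a router's burst or DDoS protection) can be pre-checked from the server side. The following Python script is an added example, not code from the thread, certbot or Let's Encrypt: it places a constructed token under the webroot, fires a small burst of parallel GETs at the challenge URL and classifies the outcome into the failure modes discussed here. It probes from a single host, so it cannot reproduce the different source addresses Let's Encrypt uses; `run_local_demo` serves a temporary directory on 127.0.0.1 so the script runs offline, and `probe` can be pointed at a real base URL instead.

```python
import socket, tempfile, threading, urllib.error, urllib.request
from concurrent.futures import ThreadPoolExecutor
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"  # path fetched for the HTTP-01 challenge
KEY_AUTH = "demo-token.constructed-key-authorization"  # constructed, not a real token

def write_token(webroot, token, body):  # same place certbot --webroot writes to
    d = Path(webroot, CHALLENGE_DIR)
    d.mkdir(parents=True, exist_ok=True)
    (d / token).write_text(body)

def fetch(url, timeout):
    try:  # redirects such as the 301 to https are followed, as the CA does
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return ("ok", r.read().decode())
    except (urllib.error.URLError, socket.timeout) as e:
        reason = getattr(e, "reason", e)  # connect failures arrive wrapped in URLError
        if isinstance(reason, socket.timeout):
            return ("timeout", None)
        return ("error", str(reason))

def classify(results, expected):
    kinds = [k for k, _ in results]  # map one burst of (kind, body) onto failure modes
    if all(k == "ok" for k in kinds):
        if all(body == expected for _, body in results):
            return "reachable: token served correctly on every request"
        return "reachable but wrong body: nginx vhost or redirect serves something else"
    if all(k == "timeout" for k in kinds):
        return "all requests time out: inbound HTTP blocked (firewall/port forward)"
    if "timeout" in kinds:
        return "burst partially dropped: consistent with rate limiting/DDoS protection"
    return "errors: " + "; ".join(str(b) for k, b in results if k == "error")

def probe(base_url, token, expected, burst=5, timeout=5):
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    with ThreadPoolExecutor(max_workers=burst) as ex:  # parallel, like multi-perspective validation
        results = list(ex.map(lambda _: fetch(url, timeout), range(burst)))
    return classify(results, expected)

def run_local_demo():  # offline demo: serve a temporary webroot on 127.0.0.1 and probe it
    webroot = tempfile.mkdtemp()
    write_token(webroot, "demo-token", KEY_AUTH)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(SimpleHTTPRequestHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    verdict = probe(f"http://127.0.0.1:{srv.server_address[1]}", "demo-token", KEY_AUTH)
    srv.shutdown()
    return verdict
```

Against a real host, a verdict of "burst partially dropped" is the pattern to compare with the router's firewall log at the same moment; "all requests time out" points at port forwarding or a blanket rule instead.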