Firewall blocking traffic from let's encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: khk9dsr16.ims.dev.tdc.dk

I ran this command: certbot certonly --standalone -d khk9dsr16.ims.dev.tdc.dk -v

It produced this output:
certbot certonly --standalone -d khk9dsr16.ims.dev.tdc.dk -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for khk9dsr16.ims.dev.tdc.dk
Performing the following challenges:
http-01 challenge for khk9dsr16.ims.dev.tdc.dk
Waiting for verification...
Challenge failed for domain khk9dsr16.ims.dev.tdc.dk
http-01 challenge for khk9dsr16.ims.dev.tdc.dk

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: khk9dsr16.ims.dev.tdc.dk
Type: connection
Detail: 188.181.136.22: Fetching http://khk9dsr16.ims.dev.tdc.dk/.well-known/acme-challenge/9hcOkCzvUbG7NORYUS9Pnoe7REr7nhI7ZRprFep_M4c: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): I am using standalone webserver

The operating system my web server runs on is (include version): RHEL 8.x

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.0.1

Hi! Something on your server (or other things in your network (firewalls, routers), or network upstream (e.g. your ISP)) blocks traffic from Let's Encrypt. And basically the rest of the internet:

Is there any geographical filtering somewhere on your side?

2 Likes

Hi Nekit,

The firewall rules are set to allow traffic from acme-v02.api.letsencrypt.org only on port 80. Is it a problem?

Yes, it's a problem. That's an inbound endpoint for LE API (which is behind Cloudflare these days). LE validates ownership from their own equipment in the US, and multiple AWS regions around the world. LE chose to not disclose the IPs of validators: FAQ - Let's Encrypt

Edit: if you have a very strict firewall, you have a few options:

  • If your firewall is a WAF: open /.well-known/acme-challenge/* path for the whole internet
  • If it's a regular firewall: at the renewal time, open up your port 80 to the entire internet and close right after
  • Switch to DNS-01 challenge
5 Likes
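The second option above (open port 80 to the whole internet only while the http-01 validation runs, then close it again) can be automated with certbot's `--pre-hook` and `--post-hook`, so the exposure window is limited to the validation itself. The script below is an added example, not code from this thread or from certbot; it assumes RHEL 8 with firewalld and the `public` zone, and the hook names, the `renew` sub-command and the `FIREWALL_CMD` override are this example's own conventions.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): certbot pre/post hooks that open TCP/80
# for the duration of the http-01 validation and close it right after.
# Assumes firewalld (RHEL 8) and the 'public' zone; set ACME_FW_ZONE to change it.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # set to 'echo' for a dry run
ZONE="${ACME_FW_ZONE:-public}"
PORT_RULE="80/tcp"

# Runtime-only change (no --permanent): if the post-hook never runs, the
# opening does not survive a firewalld reload or a reboot, which keeps the
# failure mode "port stays open forever" off the table.
acme_pre_hook() {
    "$FIREWALL_CMD" --zone="$ZONE" --add-port="$PORT_RULE"
}

acme_post_hook() {
    "$FIREWALL_CMD" --zone="$ZONE" --remove-port="$PORT_RULE"
}

# Renewal wrapper: certbot runs the pre-hook once before any challenge is
# attempted and the post-hook once after all challenges, whether they
# succeeded or failed, so port 80 is closed again even on a failed renewal.
renew_with_temporary_port80() {
    certbot renew \
        --pre-hook  "$0 pre" \
        --post-hook "$0 post"
}

case "${1:-}" in
    pre)   acme_pre_hook ;;
    post)  acme_post_hook ;;
    renew) renew_with_temporary_port80 ;;
    *)     ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Install the script once (for example as `/usr/local/sbin/acme-port80.sh`, a path chosen for this example) and run `acme-port80.sh renew` from the systemd timer or cron job that drives renewals; `FIREWALL_CMD=echo acme-port80.sh pre` prints the firewall-cmd invocation instead of executing it, which is a cheap way to check the zone and rule before trusting the hook on a production host. If port 80 is also opened permanently in the zone, `--remove-port` only affects the runtime configuration, so check `firewall-cmd --zone=public --list-ports` afterwards.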

For some description of how and why Let's Encrypt checks from many places around the world, and some ideas for what you need to allow, you may find this post helpful:

4 Likes