Firewall problems

Hi there, I am trying to get traefik with LE to work. Traefik is configured properly for TLS but somehow the challenge fails.

level=error msg="Unable to obtain ACME certificate for domains \"www.akashascrolls.com\": unable to generate a certificate for the domains [www.akashascrolls.com]: error: one or more domains had a problem:\n[www.akashascrolls.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n" providerName=myresolver.acme rule="Host(`www.akashascrolls.com`)" routerName=nginx@docker

I have UFW installed and its status is the following:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                   # Allow SSH
80/tcp                     ALLOW       Anywhere                   # Allow HTTP
443/tcp                    ALLOW       Anywhere                   # Allow HTTPs

I didn't have problems with this before I hardened my machine using the Ansible Galaxy dev-sec.os-hardening role. I really want to get this to work; can anyone help me?


https://letsdebug.net/www.akashascrolls.com/220421 - Your server is dropping IPv6 traffic.

Usually there is a fallback attempt to IPv4 during validation, but due to some limitations in Let’s Encrypt’s validation code, once it hits your HTTP->HTTPS redirect, it ends up stuck on the IPv6 address again, and eventually fails.

You can see how the request chain happens in the “validation record” @ https://acme-v02.api.letsencrypt.org/acme/authz-v3/5925674297.

With ufw, I’m not entirely sure, but I believe it handles v6 rules separately. On my server:

# ufw status
Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
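An added check illustrating the reply's point (this is example code, not from either poster): it parses `ufw status` text and lists ports allowed over IPv4 that have no matching `(v6)` rule, and confirms `IPV6=yes` in `/etc/default/ufw`. The two status samples are constructed from the outputs quoted in this thread so it runs offline.

```shell
# Added example (not from either poster): find ports ALLOWed for IPv4 that lack a
# matching "(v6)" rule, which is the gap the reply points out. The status text is
# passed as a string so this runs offline; on a real host use: missing_v6 "$(ufw status)".
# Both samples below are constructed from the ufw outputs quoted in the thread.

STATUS_OP='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                   # Allow SSH
80/tcp                     ALLOW       Anywhere                   # Allow HTTP
443/tcp                    ALLOW       Anywhere                   # Allow HTTPs'

STATUS_REPLY='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)'

# missing_v6 STATUS_TEXT: print each "port/proto" allowed over IPv4 with no IPv6 twin, sorted.
# An IPv4 rule line reads "80/tcp ALLOW ...", its IPv6 twin reads "80/tcp (v6) ALLOW ...".
missing_v6() {
    printf '%s\n' "$1" | awk '
        $2 == "ALLOW"                 { v4[$1] = 1 }
        $2 == "(v6)" && $3 == "ALLOW" { v6[$1] = 1 }
        END { for (p in v4) if (!(p in v6)) print p }
    ' | sort
}

# ufw_ipv6_enabled CONFIG_FILE: succeed if /etc/default/ufw (or a copy of it) has IPV6=yes.
# With IPV6=no, ufw does not apply its rules to IPv6, so every port would show up above.
ufw_ipv6_enabled() {
    grep -Eq '^[[:space:]]*IPV6=yes' "$1"
}

echo "Ports lacking an IPv6 rule in the original poster's status:"
missing_v6 "$STATUS_OP"
echo "Ports lacking an IPv6 rule in the reply's status (expected: none):"
missing_v6 "$STATUS_REPLY"
```

If `missing_v6` lists 80/tcp and 443/tcp, the Let's Encrypt validator's IPv6 connection is dropped exactly as letsdebug reported, and adding the `(v6)` counterparts (or fixing `IPV6=yes` and re-adding the rules) is the fix to verify.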
