I've had my setup working properly for over a year now, and I'm not aware of any material changes, but I've been getting the error "Timeout during connect (likely firewall problem)" since 8 September. Just noticed it now because the old cert expired and I got an email. (This is on my home internet, so I don't bother with any kind of alerting system.)
My first thought was maybe my ISP started blocking port 80, but a) I have "business class" internet service from my ISP, and I'm told they're not blocking anything, and b) while certbot is running and waiting for a response, I can successfully access the file under
.well-known/acme-challenge/ over HTTP from outside my network from three places: a VPS in a datacenter in Fremont, CA; an EC2 instance in AWS's us-east-1 region; and my phone while it's connected only to its cellular network.
My next thought was some other kind of selective filtering, but the only thing filtering port 80/443 on my side is fail2ban running on the web host. There are currently no bans in place, and nothing is filtering on the router (which forwards to the internal host).
Finally I checked the nginx log while manually running the renew command, and it does seem like something is getting through, despite the failure:
22.214.171.124 - - [03/Oct/2021:13:30:29 -0700] "GET /.well-known/acme-challenge/k2IxPNp0yl9Axvtvu3dpXKAO86wZ2o6TittMgbWE9Gs HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
Update: I also tried passing
--test-cert to certbot to use LE's staging environment. This time, LE successfully made three requests to my webserver (2 from US IPs, one from a DE IP), but I guess it wanted to make more requests, as it still failed.
My domain is: kelnos.spurint.org
I ran this command:
It produced this output:
Attempting to renew cert (kelnos.spurint.org) from /etc/letsencrypt/renewal/kelnos.spurint.org.conf produced an unexpected error: Failed authorization procedure. kelnos.spurint.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kelnos.spurint.org/.well-known/acme-challenge/MClz0ibf9GmGoX2En2t-BZOtIdS7bMipjbtstqVp220: Timeout during connect (likely firewall problem). Skipping.
My web server is (include version): nginx 1.14.2-2+deb10u4
The operating system my web server runs on is (include version): Raspberry Pi OS (buster)
My hosting provider, if applicable, is: n/a (self-hosted at home)
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of
certbot --version or
certbot-auto --version if you're using Certbot): certbot 0.31.0