Http-01 challenge gives Timeout after connect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mrtosho.com

I ran this command: certbot certonly --manual --preferred-challenges http --dry-run -w /var/www/nextcloud -d mrtosho.com -d www.mrtosho.com -d cloud.mrtosho.com -d api.mrtosho.com

It produced this output:
Domain: mrtosho.com
Type: connection
Detail: Fetching
https://mrtosho.com/.well-known/acme-challenge/Y1SqH1lyLa7ttge_FI4OEDTDaP_i0ehM6bgSOcxlCKo:
Timeout after connect (your server may be slow or overloaded)

My web server is (include version):
Apache/2.4.25 (Raspbian)

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is:
NameCheap

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

More Information:
I have checked and ports 80 and 443 are open at my router and the site is otherwise working fine. I have previously been renewing with dns-01 and now I want to start renewing with http-01.

When I step through the http-01 challenge interactively I deploy the files in the .well-known/acme-challenge folder and then successfully test that the file displays in a browser.

I have an http to https rewrite rule in my Apache VirtualHost.

Here it is:

ServerName cloud.mrtosho.com
ServerAlias mrtosho.com www.mrtosho.com api.mrtosho.com
DocumentRoot /var/www/nextcloud

LogLevel warn
ErrorLog /var/www/mrtosho/logs/http-rewrite-error.log
CustomLog /var/www/mrtosho/logs/http-rewrite-access.log combined

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTPS} !=on
	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>

Maybe this is interfering but I don’t think so because when I enter the http challenge address in the browser it rewrites to the https address and I see the file in the browser.

Previously I have been using the dns-01 challenge and I want to start using the http-01 challenge instead. I have a domainname.conf file in etc/letsencrypt/renewal and it is still configured for the dns-01 challenge; maybe this is a problem?

Here is the output in /var/log/letsencrypt/letsencrypt.log
(I had to delete some of the lines because this topic post contained too many characters!)

2019-07-16 23:08:41,733:INFO:certbot.auth_handler:Waiting for verification...
2019-07-16 23:08:41,736:DEBUG:acme.client:JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge",\n  "keyAuthorization": "ht9UjLCqPtXZr17jMycmuoKSRrrxsQLecYDOHcGO5iI.NFqAlQBQYaW2gfi7d4rZTxgNvoJNU8I3WMS8G1Rwbk0"\n}'
2019-07-16 23:08:41,797:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0/330655145:
{
  "signature": "OziB7VVGx30KqXA54YwPrHvVakNdmtt7_6oCPE5xG1VF6HXLD1TitErfu5KpMxXbbHT198vzYnuKlXy-4fSIG0oC47B8LG6COckLdSaDnEUzwfdKZ5X-8FDKdpEQAW0YFheD0OSBmlXfPfWFeBeHEmh84IkJ5S-B163V8zkD3dT3M45GOEw_DZQb7EUcto2eenj8l6HuIiHvzku9bB-knqLtzZYQuyKu-F9jPLao0Hb6fiuBHONlldIzG8_gckKH11WtPjlgxzjuDabtRpOdkxiUddaM6fb3ibG9TrtMS-2KVVXZoBut2M4ef19MhGQwYiiO8JXmdtK8_tCR4EtAxw",
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogImh0OVVqTENxUHRYWnIxN2pNeWNtdW9LU1JycnhzUUxlY1lET0hjR081aUkuTkZxQWxRQlFZYVcyZ2ZpN2Q0clpUeGdOdm9KTlU4STNXTVM4RzFSd2JrMCIKfQ",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvaTdyREdhVWxkTTJPV3pCemxxWG11UFZFUy1iT3dYc2NRaHRBaWdVd2drMC8zMzA2NTUxNDUiLCAiYWxnIjogIlJTMjU2IiwgIm5vbmNlIjogImRiZjM3dlgyOUFNblVvZGxvZUZfVFk1eHpjR2RLVzk3eDhUY0Nnd3BSajgiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDA4NjUxOCJ9"
}
2019-07-16 23:08:42,004:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0/330655145 HTTP/1.1" 200 230
2019-07-16 23:08:42,007:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 10086518
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0/330655145
Replay-Nonce: CYulBGFDSXkZUY_-YiwoX--1lPLeAx8iyEC6UPC4OO4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:41 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0/330655145",
  "token": "ht9UjLCqPtXZr17jMycmuoKSRrrxsQLecYDOHcGO5iI"
}
2019-07-16 23:08:42,007:DEBUG:acme.client:Storing nonce: CYulBGFDSXkZUY_-YiwoX--1lPLeAx8iyEC6UPC4OO4
2019-07-16 23:08:42,010:DEBUG:acme.client:JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge",\n  "keyAuthorization": "ESQ_llBaZvSlnGDCmxxgR_gpuBT4SwO9EVHhtb1tpCI.NFqAlQBQYaW2gfi7d4rZTxgNvoJNU8I3WMS8G1Rwbk0"\n}'
2019-07-16 23:08:42,041:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ/330655148:
{
  "signature": "hS9fUq4Is9-nwNi9ypifLfgkb1pjVScRvqs98nt2AEYliWYAfjnb5eucb5Hpn4_H10DUVAK7wFWchAwjjxgWnJ3JXVihRJniyYv-NvD15B8zJZSApzVtYtMmXYj5m707Bq_LYHovzp-oYvHiwRaEQ57e6cuYKPemBpIwplCKi3-Q-gSQ0rPB2_MRyJMvDmJ9iyGCMmEeAk9giQCVrmwh6nOqlEXZlc6nlEJtekXCp8IkR0yRUDqLgxeTKz_XKu47yrWw3lI0lVREQqLOorEooDIdesZj2jlMAdQBpLJ8AMwAzV_HP_9u4NLORzhkGKypj8DoGhFTBZ_FrQIsIRp7zA",
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIkVTUV9sbEJhWnZTbG5HRENteHhnUl9ncHVCVDRTd085RVZIaHRiMXRwQ0kuTkZxQWxRQlFZYVcyZ2ZpN2Q0clpUeGdOdm9KTlU4STNXTVM4RzFSd2JrMCIKfQ",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvZ2I0am9FdFA4Smc0RHdlcjdOdWpkYzdnZUFjMXBjTkl6enhYNFUycXRyUS8zMzA2NTUxNDgiLCAiYWxnIjogIlJTMjU2IiwgIm5vbmNlIjogIkNZdWxCR0ZEU1hrWlVZXy1ZaXdvWC0tMWxQTGVBeDhpeUVDNlVQQzRPTzQiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDA4NjUxOCJ9"
}
2019-07-16 23:08:42,253:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ/330655148 HTTP/1.1" 200 230
2019-07-16 23:08:42,256:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 10086518
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ/330655148
Replay-Nonce: a1L-7uMWM7TFICKHK7iSckPuV_wvgwD3BkhtS_CLIsE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:42 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ/330655148",
  "token": "ESQ_llBaZvSlnGDCmxxgR_gpuBT4SwO9EVHhtb1tpCI"
}
2019-07-16 23:08:42,257:DEBUG:acme.client:Storing nonce: a1L-7uMWM7TFICKHK7iSckPuV_wvgwD3BkhtS_CLIsE
2019-07-16 23:08:42,259:DEBUG:acme.client:JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge",\n  "keyAuthorization": "Y1SqH1lyLa7ttge_FI4OEDTDaP_i0ehM6bgSOcxlCKo.NFqAlQBQYaW2gfi7d4rZTxgNvoJNU8I3WMS8G1Rwbk0"\n}'
2019-07-16 23:08:42,290:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA/330655152:
{
  "signature": "ZrYSgpkPWNEgVpKr1YqUR1cSkGkcJeb4_mKEHrnVNkwzGt58U3QfiTnQwN0jl5RDFHYYbn6bC_BDoxI587qiosHFeymRDroCkFmzCBNixlPfowRXV619INVkDwcTGVb2BuemoDRTdm-pahJ17l-F5inxxF9px0KMl9e_BUF7xPDZ03hGi8Zgg_tD7m7uIhQYRwADhTYFye8hy5gi1Y8_DhfI6Wa3zpQPwKO2PSGOeu3LF6AbDF22GyVfX4jTXeLUmt684IrDN23yHCnan_jb-66X_EbNsSjCukTqi9v5A-UOKfUVOH1cW65jbqcLEQEUo-3DWV8K8NZYNIbgVzuvVA",
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIlkxU3FIMWx5TGE3dHRnZV9GSTRPRURURGFQX2kwZWhNNmJnU09jeGxDS28uTkZxQWxRQlFZYVcyZ2ZpN2Q0clpUeGdOdm9KTlU4STNXTVM4RzFSd2JrMCIKfQ",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2UvcksxYnlfRUlPbGVkVlhkQ2VRYXlRZ2YwZHc3MEhqQjk0RFVncEF4TWJrQS8zMzA2NTUxNTIiLCAiYWxnIjogIlJTMjU2IiwgIm5vbmNlIjogImExTC03dU1XTTdURklDS0hLN2lTY2tQdVZfd3Znd0QzQmtodFNfQ0xJc0UiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDA4NjUxOCJ9"
}
2019-07-16 23:08:42,496:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA/330655152 HTTP/1.1" 200 230
2019-07-16 23:08:42,498:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 10086518
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA/330655152
Replay-Nonce: eiVsTPQS4AU6UwOXyAzkPwfbApUp7Tiux-anM3Yw59w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:42 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA/330655152",
  "token": "Y1SqH1lyLa7ttge_FI4OEDTDaP_i0ehM6bgSOcxlCKo"
}
2019-07-16 23:08:42,499:DEBUG:acme.client:Storing nonce: eiVsTPQS4AU6UwOXyAzkPwfbApUp7Tiux-anM3Yw59w
2019-07-16 23:08:42,501:DEBUG:acme.client:JWS payload:
b'{\n  "type": "http-01",\n  "resource": "challenge",\n  "keyAuthorization": "JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA.NFqAlQBQYaW2gfi7d4rZTxgNvoJNU8I3WMS8G1Rwbk0"\n}'
2019-07-16 23:08:42,564:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655155:
{
  "signature": "MdI-hPK1etWPJysFNXk695brDQVBIse4g12ZbpaIHkjbt9VyWW1_F54Vboy13YcDTvFXL2QFxTE7XCtaqoKHHZdrKEaevrkdNFf2CKzgcyasMy5V_6TEaeGae5MORdBXfUNapzRlesIeMisg13gMr0Ath5G55Y4e9bGM1X--cUTnHMXeibVh6O83QLLway1HQ_cF6vOaVXNlqjFROkYTRM4j9L9-ecGZF6HG03k8TyTqfHL-A3D3kAyO5AgLzpLWCsrAbCApb6zxYFy9a6Lq0ryNMptPouoEyZ7Fy6uJgfwfKwlLGLmhwZ6mI3T_e-zo2AMQMSefdWrOhTPq9TB8iw",
  "payload": "ewogICJ0eXBlIjogImh0dHAtMDEiLAogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJrZXlBdXRob3JpemF0aW9uIjogIkpmaktsdElXY0IzdEVWbTdsNlZ5RnlMRzFJQmQ5Y1ZCX196V0g2ZkFGd0EuTkZxQWxRQlFZYVcyZ2ZpN2Q0clpUeGdOdm9KTlU4STNXTVM4RzFSd2JrMCIKfQ",
  "protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbGVuZ2Uva3BNbnRGZ2tkaG44b0o1YXJSVkhnTVJJaElNUzlSWUlDc19GdTFDM3BVcy8zMzA2NTUxNTUiLCAiYWxnIjogIlJTMjU2IiwgIm5vbmNlIjogImVpVnNUUFFTNEFVNlV3T1h5QXprUHdmYkFwVXA3VGl1eC1hbk0zWXc1OXciLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xMDA4NjUxOCJ9"
}
2019-07-16 23:08:42,775:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655155 HTTP/1.1" 200 230
2019-07-16 23:08:42,778:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 230
Boulder-Requester: 10086518
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655155
Replay-Nonce: NCBgP037pGRWRBwalZM3pFA43Pxe3_jbGBNLeQmdgX8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:42 GMT
Connection: keep-alive

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655155",
  "token": "JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA"
}
2019-07-16 23:08:42,779:DEBUG:acme.client:Storing nonce: NCBgP037pGRWRBwalZM3pFA43Pxe3_jbGBNLeQmdgX8
2019-07-16 23:08:45,783:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0.
2019-07-16 23:08:45,993:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0 HTTP/1.1" 200 928
2019-07-16 23:08:45,998:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 928
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:45 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "api.mrtosho.com"
  },
  "status": "pending",
  "expires": "2019-07-23T22:05:43Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0/330655144",
      "token": "UnCuqUCPG6MeLiGIzzz9fuoz6rCIwYKtp_PjuO-ahLc"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0/330655145",
      "token": "ht9UjLCqPtXZr17jMycmuoKSRrrxsQLecYDOHcGO5iI"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/i7rDGaUldM2OWzBzlqXmuPVES-bOwXscQhtAigUwgk0/330655146",
      "token": "MBIRDSq590VZo5vVDvLH2lUINTdT9kcFOI88fgFYE2U"
    }
  ]
}
2019-07-16 23:08:46,004:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ.
2019-07-16 23:08:46,250:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ HTTP/1.1" 200 930
2019-07-16 23:08:46,255:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 930
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:46 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "cloud.mrtosho.com"
  },
  "status": "pending",
  "expires": "2019-07-23T22:05:43Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ/330655147",
      "token": "dkKixW3FrJjAPGoR5yZNttVP245JgIVhuNhvtWKwdRA"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ/330655148",
      "token": "ESQ_llBaZvSlnGDCmxxgR_gpuBT4SwO9EVHhtb1tpCI"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/gb4joEtP8Jg4Dwer7Nujdc7geAc1pcNIzzxX4U2qtrQ/330655149",
      "token": "HfjQkRv4Jix-AtyTR7UfksgkoKb6W5J3YiH7T5z-xJI"
    }
  ]
}
2019-07-16 23:08:46,261:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA.
2019-07-16 23:08:46,479:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA HTTP/1.1" 200 924
2019-07-16 23:08:46,484:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 924
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:46 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "mrtosho.com"
  },
  "status": "pending",
  "expires": "2019-07-23T22:05:43Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA/330655150",
      "token": "umLQ8GnUu5HnUu5trterqMAsU4izWv61P2tzPGpwWWE"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA/330655151",
      "token": "LAh8YVvXh3yf9wBxQYluo5RSOg7JnavPDfG-8r6RIIs"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/rK1by_EIOledVXdCeQayQgf0dw70HjB94DUgpAxMbkA/330655152",
      "token": "Y1SqH1lyLa7ttge_FI4OEDTDaP_i0ehM6bgSOcxlCKo"
    }
  ]
}
2019-07-16 23:08:46,490:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs.
2019-07-16 23:08:46,710:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs HTTP/1.1" 200 928
2019-07-16 23:08:46,715:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 928
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:46 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.mrtosho.com"
  },
  "status": "pending",
  "expires": "2019-07-23T22:05:43Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655153",
      "token": "LkBu53W7hyCjAeuMHV4Yb5G3myk7xENJtR__Oo18ksQ"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655154",
      "token": "KmnG4SE0lCkqgPxBHQdOj95rugd9OMbzRAGjjh2gYAo"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655155",
      "token": "JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA"
    }
  ]
}

2019-07-16 23:08:54,383:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs.
2019-07-16 23:08:54,598:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs HTTP/1.1" 200 1889
2019-07-16 23:08:54,603:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1889
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 16 Jul 2019 22:08:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 16 Jul 2019 22:08:54 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.mrtosho.com"
  },
  "status": "invalid",
  "expires": "2019-07-23T22:05:43Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655153",
      "token": "LkBu53W7hyCjAeuMHV4Yb5G3myk7xENJtR__Oo18ksQ"
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655154",
      "token": "KmnG4SE0lCkqgPxBHQdOj95rugd9OMbzRAGjjh2gYAo"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching https://www.mrtosho.com/.well-known/acme-challenge/JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA: Timeout after connect (your server may be slow or overloaded)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/kpMntFgkdhn8oJ5arRVHgMRIhIMS9RYICs_Fu1C3pUs/330655155",
      "token": "JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA",
      "validationRecord": [
        {
          "url": "http://www.mrtosho.com/.well-known/acme-challenge/JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA",
          "hostname": "www.mrtosho.com",
          "port": "80",
          "addressesResolved": [
            "xx.xx.xx.xx"
          ],
          "addressUsed": "xx.xx.xx.xx"
        },
        {
          "url": "https://www.mrtosho.com/.well-known/acme-challenge/JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA",
          "hostname": "www.mrtosho.com",
          "port": "443",
          "addressesResolved": [
            "xx.xx.xx.xx"
          ],
          "addressUsed": "xx.xx.xx.xx"
        }
      ]
    }
  ]
}
2019-07-16 23:08:54,611:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.mrtosho.com
Type:   connection
Detail: Fetching https://www.mrtosho.com/.well-known/acme-challenge/JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA: Timeout after connect (your server may be slow or overloaded)

Domain: mrtosho.com
Type:   connection
Detail: Fetching https://mrtosho.com/.well-known/acme-challenge/Y1SqH1lyLa7ttge_FI4OEDTDaP_i0ehM6bgSOcxlCKo: Timeout after connect (your server may be slow or overloaded)

Domain: cloud.mrtosho.com
Type:   connection
Detail: Fetching https://cloud.mrtosho.com/.well-known/acme-challenge/ESQ_llBaZvSlnGDCmxxgR_gpuBT4SwO9EVHhtb1tpCI: Timeout after connect (your server may be slow or overloaded)

Domain: api.mrtosho.com
Type:   connection
Detail: Fetching https://api.mrtosho.com/.well-known/acme-challenge/ht9UjLCqPtXZr17jMycmuoKSRrrxsQLecYDOHcGO5iI: Timeout after connect (your server may be slow or overloaded)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2019-07-16 23:08:54,616:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.mrtosho.com/.well-known/acme-challenge/JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA: Timeout after connect (your server may be slow or overloaded), mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mrtosho.com/.well-known/acme-challenge/Y1SqH1lyLa7ttge_FI4OEDTDaP_i0ehM6bgSOcxlCKo: Timeout after connect (your server may be slow or overloaded), cloud.mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://cloud.mrtosho.com/.well-known/acme-challenge/ESQ_llBaZvSlnGDCmxxgR_gpuBT4SwO9EVHhtb1tpCI: Timeout after connect (your server may be slow or overloaded), api.mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://api.mrtosho.com/.well-known/acme-challenge/ht9UjLCqPtXZr17jMycmuoKSRrrxsQLecYDOHcGO5iI: Timeout after connect (your server may be slow or overloaded)

2019-07-16 23:08:54,617:DEBUG:certbot.error_handler:Calling registered functions
2019-07-16 23:08:54,618:INFO:certbot.auth_handler:Cleaning up challenges
2019-07-16 23:08:54,620:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1225, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 392, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 335, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 371, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 161, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 232, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.mrtosho.com/.well-known/acme-challenge/JfjKltIWcB3tEVm7l6VyFyLG1IBd9cVB__zWH6fAFwA: Timeout after connect (your server may be slow or overloaded), mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mrtosho.com/.well-known/acme-challenge/Y1SqH1lyLa7ttge_FI4OEDTDaP_i0ehM6bgSOcxlCKo: Timeout after connect (your server may be slow or overloaded), cloud.mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://cloud.mrtosho.com/.well-known/acme-challenge/ESQ_llBaZvSlnGDCmxxgR_gpuBT4SwO9EVHhtb1tpCI: Timeout after connect (your server may be slow or overloaded), api.mrtosho.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://api.mrtosho.com/.well-known/acme-challenge/ht9UjLCqPtXZr17jMycmuoKSRrrxsQLecYDOHcGO5iI: Timeout after connect (your server may be slow or overloaded)

I redacted my router's external ip address… I know, kinda pointless; anyway, the “addressesResolved” does correctly map to the external ip address of my router.

Of note, it refers to the “Server” as nginx but I have apache2? And further down there is an “Identifier” section that mentions dns but I want to use http… is this a clue to the problem?

How do I get the http-01 challenge to work with my apache?

Cheers,

Flex

Port 443 to your server isn’t working from the outside, e.g. https://letsdebug.net/mrtosho.com/50280

Since your HTTP challenge is redirecting there, it results in a timeout.

Double check your port forwarding, firewalls and that your ISP doesn’t block 443.

1 Like

That’s right, thanks for pointing it out.

When I test from a Wifi hotspot using my phone I can’t connect at all. I don’t understand why that has happened. Usually those sites work fine from outside my LAN so it’s not my ISP.

My router port forwards from external port 443 to internal port 4433 but via a protocol demultiplexer program called SSLH listening on 4433 it routes tls traffic back to internal port 443 that apache is listening on… or at least it should but I see the same timeout in those SSLH logs as well.

I’ll take another look at it tomorrow ! Cheers.

Flex

1 Like

Does anyone on here know about Linux iptables? I think that’s where my problem is…

I have these rules in place on the same machine (Pi 3) that my web server is running on:

iptables -w -t mangle -N SSLH
iptables -w -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -w -t mangle -A OUTPUT --protocol tcp --out-interface eth0 -m multiport --sport 443,4480 --jump SSLH
iptables -w -t mangle -A SSLH --jump MARK --set-mark 0x1
iptables -w -t mangle -A SSLH --jump ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

Their purpose is to enable a proxy to act transparently…so after packets go through the proxy the destination (e.g: my apache server) still sees the originating ip of the requesting client.

I have a port forward rule in my router that forwards external port 443 to internal port 4433. The proxy listens on port 4433 and directs https requests back to apache internal port 443. It’s a protocol demultiplexer so it can distinguish ssh traffic also on port 443 and then forward it to another port, in this case port 4480.

I thought this set up was working fine before but maybe I never tested it fully.

I think these iptables rules cause the timeout… with them in place it works when the http/https request originates from outside my LAN, i.e. I can load a webpage on the webserver, BUT then I cannot load the same webpage if the request originates from within my LAN; instead I get the timeout.

Likewise if I disable those rules the http/https request works if it originates from INSIDE my LAN but not if it originates from outside my LAN.

I realize this is an issue that has nothing to do with Letsencrypt after all, but if anyone can help it would be much appreciated! I think the iptables rules need to be tweaked…

Cheers,

Flex

Hi @FlexMcMurphy

What happens if you change your router to

Port 443 external -> your webserver port 443 internal

and remove all iptables entries (or deactivate them)?

Does your https work internally?

Now your https works externally.

Perhaps change your setup step by step.

Hi,

Yes, it does indeed.

I guess with this setup the Certbot http-01 challenge will work for me, but I want to keep my setup in place that sends requests through the transparent proxy. But it seems to break things now with the iptables rules. But I had tested it before and it did work if requests originated from outside or inside the LAN. Don’t know what might have changed to stop it loading a webpage if the request originated from inside OR outside the LAN.

Not sure how to debug from here?

Thanks a lot,

Flex

Just want to report that it was indeed my iptables rules that were blocking the http-01 challenge.

There were two problems, I believe… unlike the version of the rules I posted above, the rules I was using were also routing outbound traffic from apache port 80 to the loopback interface, where it was getting lost and so not returning to the Letsencrypt servers.

Also I added another rule to accept traffic of local origin. Here are my new rules in the unlikely event that anyone needs to see them or will learn anything from them!

iptables -t mangle -N SSLH
iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j SSLH
iptables -t mangle -A OUTPUT -p tcp -d 192.168.1.0/24 -j ACCEPT
iptables -t mangle -A OUTPUT -p tcp -o eth0 -m multiport --sport 443,4480 -j SSLH
iptables -t mangle -A SSLH -j MARK --set-mark 0x1
iptables -t mangle -A SSLH -j ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100

I also had an http to https rewrite rule in apache that might have been messing things up… not sure though. I made a change to it so it doesn’t rewrite the http-01 challenge request to https.

<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{HTTPS} !=on
	# Skip the redirect for the ACME challenge path (dot escaped so it matches a literal ".")
	RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/.+$ [NC]
	RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</IfModule>

Cheers,

Flex

2 Likes
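The failure in the first post (port 80 answers with a blanket redirect to https, and the https hop then stalls after the TCP connect) and the fix in the last post (exempting /.well-known/acme-challenge/ from the rewrite), as an added example that is not code from this thread, from Certbot or from Let's Encrypt. The checker below follows the redirect chain one hop at a time with a bounded timeout, the way a validator would, and reports the hop where the fetch stalls, so a timeout on the https hop can be told apart from a refused connection on port 80. `live_fetch` performs a real fetch; the two `_fetch_*` functions are constructed stand-ins that replay the thread's symptom and its fix offline. The host, token and key authorization are constructed placeholders, and `MAX_HOPS` and `TIMEOUT_SECONDS` are assumptions, not Let's Encrypt's actual limits.

```python
"""Pre-flight check for an ACME http-01 validation path (added example; not
code from the thread, Certbot or Let's Encrypt)."""
import re
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10         # assumption: bounded redirect following, like a CA validator
TIMEOUT_SECONDS = 10  # assumption: per-hop timeout
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Same condition as the fixed RewriteCond in the thread, as a Python regex.
ACME_PATH = re.compile(r"^/\.well-known/acme-challenge/.+$", re.IGNORECASE)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so every hop is visible to the caller."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url):
    """Fetch one URL without following redirects.

    Returns (status, location_or_None, body_or_None); raises OSError
    (urllib.error.URLError, socket.timeout, ...) on connection trouble.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with opener.open(req, timeout=TIMEOUT_SECONDS) as resp:
            return resp.status, None, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 3xx responses land here because _NoRedirect declined to follow them.
        return err.code, err.headers.get("Location"), None


def check_http01(host, token, expected_body=None, fetch=live_fetch):
    """Walk http://host/.well-known/acme-challenge/token as a validator would.

    Returns {"ok": bool, "hops": [...], "reason": str}. expected_body is the
    key authorization (token + "." + account-key thumbprint); None checks
    reachability only.
    """
    url = f"http://{host}{CHALLENGE_PREFIX}{token}"
    hops = []
    for _ in range(MAX_HOPS):
        try:
            status, location, body = fetch(url)
        except OSError as err:  # URLError and socket.timeout both derive from OSError
            reason = getattr(err, "reason", err)
            kind = "timeout" if isinstance(reason, socket.timeout) else "connection error"
            hops.append({"url": url, "error": f"{kind}: {reason}"})
            return {"ok": False, "hops": hops, "reason": f"{kind} fetching {url}"}
        hops.append({"url": url, "status": status})
        if 300 <= status < 400 and location:
            # Next hop; an https hop means port 443 must be reachable from outside.
            url = urljoin(url, location)
            continue
        if status != 200:
            return {"ok": False, "hops": hops, "reason": f"HTTP {status} at {url}"}
        if expected_body is not None and (body or "").strip() != expected_body:
            return {"ok": False, "hops": hops, "reason": "200 but body is not the key authorization"}
        return {"ok": True, "hops": hops, "reason": "served"}
    return {"ok": False, "hops": hops, "reason": f"more than {MAX_HOPS} redirects"}


# --- constructed scenarios replaying the thread's symptom and its fix ---
HOST = "www.example.test"             # constructed; stands in for the thread's host
TOKEN = "tokenXYZ"                    # constructed token
KEY_AUTH = TOKEN + ".thumbprintABC"   # constructed key authorization


def _fetch_redirect_then_timeout(url):
    """Before the fix: port 80 issues the blanket http->https redirect and
    port 443 stalls after the connect ("Timeout after connect" in the log)."""
    if url.startswith("http://"):
        return 301, url.replace("http://", "https://", 1), None
    raise socket.timeout("timed out")


def _fetch_challenge_exempt(url):
    """After the fix: the rewrite skips the challenge path, so the key
    authorization is served over plain http and port 443 is never needed."""
    if url.startswith("http://") and ACME_PATH.match(urlsplit(url).path):
        return 200, None, KEY_AUTH + "\n"
    return 301, url.replace("http://", "https://", 1), None


def simulate_thread_failure():
    return check_http01(HOST, TOKEN, KEY_AUTH, fetch=_fetch_redirect_then_timeout)


def simulate_after_fix():
    return check_http01(HOST, TOKEN, KEY_AUTH, fetch=_fetch_challenge_exempt)


if __name__ == "__main__":
    for name, result in (("before", simulate_thread_failure()), ("after", simulate_after_fix())):
        print(name, "ok" if result["ok"] else "FAIL", "-", result["reason"])
        for hop in result["hops"]:
            print("   ", hop)
```

Against a real host, `check_http01("your.host", "sometoken", fetch=live_fetch)` after placing a file at the challenge path reports the same hop list the CA's validationRecord would; a `"timeout fetching https://..."` reason with a 301 as the first hop is the pattern seen in this thread.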

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.