HTTP-01 ...Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bread365.com

I ran this command: certbot -v

It produced this output:

```text
[root@bread365 ~]# certbot -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate and install certificates?


1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: bread365.com
2: towniebread.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for bread365.com
Performing the following challenges:
http-01 challenge for bread365.com
Waiting for verification...
Challenge failed for domain bread365.com
http-01 challenge for bread365.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: bread365.com
Type: connection
Detail: 47.181.10.189: Fetching http://bread365.com/.well-known/acme-challenge/RKDwpepav4UnfRPWiiqj9qLNXQ0KOkbOEijjy3XL_rY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
```

My web server is (include version):
[Beelink SER5 MAX Mini PC, AMD Ryzen 7 5800H(7nm, 8C/16T) up to 4.4GHz, Mini Computer 32GB DDR4 RAM 500GB NVME SSD,]

The operating system my web server runs on is (include version): Rocky Linux 9.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Sometimes; command line or WEBMIN

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6.0

My network is as follows:
I host my DNS on GoDaddy so I know DNS validation will NOT work.

47.181.10.189 - External IP

Goes through my router/firewall and gets addressed to my internal IP 192.168.2.222. My firewall/router will only route via IP; it will not look at the name bread365.com, it only knows to route the IP.

I can access my web server http://bread365.com via port 80; everything works on the virtual hosts. I have 2 set up but am currently only setting up one for SSL. The other will be done when I move that site to this new server at a later date.

The firewall on the Rocky Linux box has both port/service 80(http) and 443(https) set to ALLOW

In my HTTPD virtual host config:
I have tried ANY for the IP address or 192.168.2.222 - both fail.
I've tried ANY for the port or 80 - both fail.

I have the full letsencrypt.log file, but nothing in there helps me figure out where it's failing.

I do not see any requests coming into the access_log/ssl_access_log files for the web server from letsencrypt. I do see my requests coming in if I browse the site.

This isn't hard, so I'm at a loss as to why I can't figure it out - ha ha. I've done it on a few hosted sites without any problem, along with others I have hosted.

Any help would be appreciated.

Welcome @AndyW

Sadly, connections from the public internet don't work. The place to start is double-check your router. The Let's Debug website is helpful to test comms on new servers.

Can you connect to that domain from outside your own network? Like with a mobile phone and wifi disabled to use your carrier's network?

Also, are you sure your ISP allows inbound connections on port 80 (and/or 443)? Some residential ISPs do not.

2 Likes
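One way to run the "test from outside your network" check suggested above in a repeatable way, as an added example that is not part of this thread or of Certbot: it fetches the challenge URL the way the CA does (connect to a given IP, send the domain in the Host header) and reports whether the failure is a connect timeout/refusal (router, NAT, ISP or host firewall) or an HTTP-level problem (wrong vhost, 404). The token and the local stub server are constructed for the demonstration; run the probe against the public IP from a machine outside the LAN to reproduce what Let's Encrypt sees.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Path the CA fetches for an HTTP-01 challenge (token is appended).
ACME_PATH = "/.well-known/acme-challenge/"

def probe_http01(ip, port, host, token, timeout=5.0):
    """Fetch http://<host>/.well-known/acme-challenge/<token> via `ip`.
    Returns (verdict, detail); verdicts separate network problems
    (timeout, refused) from web-server problems (http_404, wrong_body)."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", ACME_PATH + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
    except socket.timeout:
        return "timeout", "no connection within %.1fs: port %d blocked by NAT/firewall/ISP?" % (timeout, port)
    except ConnectionRefusedError:
        return "refused", "port %d reachable but closed on %s: nothing listening / host firewall" % (port, ip)
    except OSError as e:
        return "error", str(e)
    if resp.status != 200:
        return "http_%d" % resp.status, "server reachable but challenge path not served for Host %s" % host
    if body.strip().startswith(token):
        return "ok", "challenge file served; CA validation should succeed from here"
    return "wrong_body", "200 but body does not start with the token (wrong vhost answered?)"

class _ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in for the temporary Apache config Certbot installs (constructed)."""
    token = ""
    def do_GET(self):
        if self.path != ACME_PATH + self.token:
            self.send_error(404)
            return
        body = (self.token + ".constructed-key-authorization").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_local_challenge_server(token):
    """Serve the token on 127.0.0.1 on a random free port; returns (server, port)."""
    _ChallengeHandler.token = token
    srv = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Against a real server, call `probe_http01("47.181.10.189", 80, "bread365.com", "<token>")` from outside the LAN; a `timeout` verdict there matches the CA's "Timeout during connect" error even when the same URL works from inside the network.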

OMG, this is weird. I have a business line so the IPs work in both directions, and the IP above and below work through that same router. THANK YOU. This gives me new leads to go look at. I'll let you know what I find. Never thought of using web tools to test my site. Now I am. Thanks, I'll update what foot I hit :wink:

3 Likes

Sorry this was totally me --- my web server was NOT accessible via the internet. You can close this issue

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.