Http challenge - Timeout during connect (likely firewall problem) - but wget can download

Steps

1.

sudo certbot certonly --manual --server https://acme-staging-v02.api.letsencrypt.org/directory -d example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Requesting a certificate for example.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Create a file containing just this data:

DrsW8QP_tLA-EqF5gSSskCG28ABvT5DjCN735NoRRZo.aMXjy_i5LN2onTtst_BZpn_EzQXELUYDqe9K9jpgLaw

And make it available on your web server at this URL:

http://example.com/.well-known/acme-challenge/DrsW8QP_tLA-EqF5gSSskCG28ABvT5DjCN735NoRRZo

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Press Enter to Continue

2.

Then I do the following in another terminal, same folder:

2.1
echo "DrsW8QP_tLA-EqF5gSSskCG28ABvT5DjCN735NoRRZo.aMXjy_i5LN2onTtst_BZpn_EzQXELUYDqe9K9jpgLaw" > .well-known/acme-challenge/DrsW8QP_tLA-EqF5gSSskCG28ABvT5DjCN735NoRRZo

2.2 Start web server on port 80
sudo python3 -m http.server 80

2.3 Test that I can download the file from another machine
wget http://example.com/.well-known/acme-challenge/DrsW8QP_tLA-EqF5gSSskCG28ABvT5DjCN735NoRRZo

3.

I press "Enter" in the terminal running certbot - and I get:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: example.com
  Type:   connection
  Detail: x.x.x.x: Fetching http://example.com/.well-known/acme-challenge/DrsW8QP_tLA-EqF5gSSskCG28ABvT5DjCN735NoRRZo: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Why is this not working when I can actually get the file using wget?

Well, that means that while the computer you're testing from can get to it, other computers on the Internet (such as Let's Encrypt's validation servers) can't. Maybe your firewall blocks connections from certain countries, or the port isn't actually open to the world like you think it is.

Without you posting the actual domain name at a time that you have the server running, it's going to be hard for anyone to give you much more specific advice than that.
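A local pre-check a reader can run before pressing Enter in certbot, added here as an example that is not code from either post: it fetches the token URL the way an ACME validator does and labels the outcome (ok, body mismatch, HTTP error, connection refused, connect timeout), so the failure mode can be told apart from a simple wrong-path mistake. The token and key authorization in `self_check` are constructed placeholders; to test what the CA sees, run `check_http01` against the real hostname from a machine outside your own network, because from inside it only repeats what wget already showed.

```python
import functools
import http.server
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

def check_http01(base_url, token, key_authz, timeout=10.0):
    """Return "ok", "mismatch", "http_error:<code>", "connect_timeout",
    "connection_refused" or "error:<reason>" for base_url + token."""
    req = urllib.request.Request(base_url.rstrip("/") + ACME_PATH + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("ascii", errors="replace")
    except urllib.error.HTTPError as exc:  # server reached, non-2xx status
        return f"http_error:{exc.code}"
    except urllib.error.URLError as exc:  # no HTTP response at all
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            return "connect_timeout"  # the outcome the CA reported in the thread
        if isinstance(exc.reason, ConnectionRefusedError):
            return "connection_refused"
        return f"error:{exc.reason}"
    except (socket.timeout, TimeoutError):  # connected, then no data
        return "connect_timeout"
    # RFC 8555 s8.3: body must be token.thumbprint; trailing newline tolerated
    return "ok" if body.strip() == key_authz else "mismatch"

def self_check():
    """Serve a constructed token from a temp webroot on 127.0.0.1, exercise
    each outcome locally and return a dict of outcome labels."""
    token, key_authz = "tokenAAAA", "tokenAAAA.thumbprintBBBB"  # constructed
    webroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(webroot, ".well-known", "acme-challenge"))
    with open(os.path.join(webroot, ACME_PATH.strip("/"), token), "w") as fh:
        fh.write(key_authz + "\n")  # same shape as `echo ... > file`
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    results = {"good": check_http01(base, token, key_authz),
               "wrong_body": check_http01(base, token, "tokenAAAA.otherthumb"),
               "missing": check_http01(base, "nosuchtoken", key_authz)}
    srv.shutdown()
    srv.server_close()
    results["closed_port"] = check_http01(base, token, key_authz, timeout=3)
    return results
```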
