I receive a "Timeout during connect (likely firewall problem)" message when I try to renew the certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
noekis-pm.lknoe.at

I ran this command:
sudo certbot --standalone --config /path/to/config

It produced this output:
Timeout during connect (likely firewall problem)

My web server is (include version):
standalone (1.22.0)

The operating system my web server runs on is (include version):
CentOS 8

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1.22.0

Further Information: When I issue the command curl -v noekis-pm.lknoe.at/.well-known/acme-challange during the renewal process from another machine outside of my network, I receive the following response, which leads me to the conclusion that it's not a firewall issue; furthermore, when I start my webserver, ports 80 and 443 are reachable.

> GET /.well-known/acme-challange HTTP/1.1
> Host: noekis-pm.lknoe.at
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 404 Not Found
< Server: BaseHTTP/0.6 Python/3.8.10
< Date: Mon, 03 Jan 2022 07:07:55 GMT
< Content-type: text/html
<

I suspect that this issue exists because the IP addresses from which Let's Encrypt tries to contact the server are blocked by our enterprise security team. In order to file a request to whitelist these IPs, I need a list of them.

Is there any source of valid IP addresses available?

Thanks in advance for your help.

There is not:

What IP addresses does Let’s Encrypt use to validate my web server?

We don’t publish a list of IP addresses we use to validate, and these IP addresses may change at any time. Note that we now validate from multiple IP addresses.

If you need the IPs being currently used, you can try requesting a certificate for a different domain you control, and look in your webserver access logs. But they will change over time.

Times out for me from my home connection and from a couple of VPS servers.

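The FAQ quoted in the thread suggests reading the web server access logs to see which addresses are currently validating. The following is an added example, not part of the thread or of Let's Encrypt's tooling, that groups HTTP-01 challenge requests by source IP. It assumes an access log in Combined Log Format; the sample lines, IPs (documentation ranges) and tokens are constructed, and the result is a point-in-time snapshot because, as the FAQ says, the addresses change.

```python
import re

# Combined Log Format: ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_AGENT_MARK = "Let's Encrypt validation server"
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# Constructed sample: documentation-range IPs and made-up tokens, not real validation hosts.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [03/Jan/2022:07:07:50 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "{LE_UA}"',
    f'198.51.100.7 - - [03/Jan/2022:07:07:51 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "{LE_UA}"',
    '203.0.113.5 - - [03/Jan/2022:07:07:55 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [03/Jan/2022:07:08:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "curl/7.68.0"',
    f'192.0.2.10 - - [03/Jan/2022:07:09:12 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "{LE_UA}"',
])

def challenge_clients(log_text):
    """Group HTTP-01 challenge requests by source IP, in log order."""
    clients = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue  # unparseable line or a request outside the challenge path
        c = clients.setdefault(m["ip"], {"hits": 0, "first": m["time"], "claims_le": False})
        c["hits"] += 1
        c["last"] = m["time"]
        # The User-Agent is client-supplied, so treat it as a hint, not proof of origin.
        c["claims_le"] = c["claims_le"] or LE_AGENT_MARK in m["agent"]
    return clients

def claimed_validation_ips(log_text):
    """Source IPs whose challenge requests carried the Let's Encrypt validation User-Agent."""
    return sorted(ip for ip, c in challenge_clients(log_text).items() if c["claims_le"])

if __name__ == "__main__":
    for ip, c in challenge_clients(SAMPLE_LOG).items():
        label = "LE user-agent" if c["claims_le"] else "other client"
        print(f'{ip}  hits={c["hits"]}  first={c["first"]}  last={c["last"]}  {label}')
```

If a renewal attempt leaves no challenge requests at all in the log, the validation traffic was dropped before it reached the web server, which is the symptom the timeout message describes.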