New Certificate - Timeout - Raspberry Pi

Hi.

First: I am running my fritz!box 3490 behind a cable-router (I don’t know if this is important)

I am trying to set up a cloud server on my Raspberry Pi.

My domain is: pi-g48-1og.spdns.de

I ran this command: sudo certbot certonly --webroot -w /var/www/html/ -d pi-g48-1og.spdns.de -m cloud666@posteo.de --agree-tos

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pi-g48-1og.spdns.de
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. pi-g48-1og.spdns.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://pi-g48-1og.spdns.de/.well-known/acme-challenge/kDQZkWpV0yuiiGmjJABgHM-g1W5MuoBmsbm2UtlNIAk: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: pi-g48-1og.spdns.de
    Type: connection
    Detail: Fetching
    http://pi-g48-1og.spdns.de/.well-known/acme-challenge/kDQZkWpV0yuiiGmjJABgHM-g1W5MuoBmsbm2UtlNIAk:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): 1.2 2018-11-13-raspbian-stretch-lite

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have been trying for 2 days, but I don’t know what to do.

Thanks for your help!!

Hi @cloud666

your server isn't visible:


Domainname Http-Status redirect Sec. G
http://pi-g48-1og.spdns.de/
77.22.130.187 -14 10.046 T
Timeout - The operation has timed out
https://pi-g48-1og.spdns.de/
77.22.130.187 -14 10.026 T
Timeout - The operation has timed out
http://pi-g48-1og.spdns.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
77.22.130.187 -14 10.030 T
Timeout - The operation has timed out

Three timeouts. Does your cable provider allow port 80?

If not, you may use dns-01 validation, so a DNS TXT entry is required. But you have to do this again - every 60 - 85 days.

Hi,

Have you set up port forwarding correctly on your router?

Could you please try to open your website using your phone's mobile data (instead of using your WiFi) and see if the website opens?

Thank you

Thanks for answering,

Ports I’ve forwarded on my router:
HTTP-Server TCP 80
HTTPS-Server TCP 443

Port 80 is regularly allowed by my provider (Vodafone).

Thanks in advance

Are you 100% sure that 77.22.130.187 is your current IP address?

It seems to be completely unreachable from anywhere, on any port.

Is it possible that Vodafone put you behind CGNAT? Some ISPs have been migrating users to CGNAT recently.

I'm not very familiar with such a double setup:

But isn't it required to allow the traffic in the cable router and in the fritz!box?

PS: WinMTR from Berlin:


WinMTR statistics

Host                                       %  Sent  Recv  Best  Avrg  Wrst  Last
fritz.box                                  0    42    42     0     0     1     1
217.0.116.6                                0    42    42     7     8    13     9
217.0.64.82                                0    42    42     8    10    13    10
b-ea9-i.B.DE.NET.DTAG.DE                   0    42    42     7     7     8     8
217.239.44.18                              0    42    42    15    16    38    15
80.157.201.146                             0    41    41    15    16    19    16
ae0-xcr2.fix.cw.net                        0    41    41    14    15    24    24
vodafoneag-gw.fix.cw.net                   0    41    41    15    15    16    15
145.254.1.147                              0    41    41    19    19    21    20
145.254.1.147                              0    41    41    19    20    34    25
145.254.3.59                               0    41    41    19    21    38    20
ip5886c2fa.static.kabel-deutschland.de     0    41    41    23    24    47    25
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0
Request timed out.                       100     8     0     0     0     0     0

WinMTR v1.00 GPLv2 (original by Appnor MSP - Fully Managed Hosting & Cloud Provider)


But the last answer

D:\temp>nslookup ip5886c2fa.static.kabel-deutschland.de.
Name: ip5886c2fa.static.kabel-deutschland.de
Address: 88.134.194.250

isn't your ip address 77.22.130.187 80.
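
Added example, not part of any post in this thread: a small Python check that turns the three questions raised above (is the A record current, is there a second NAT in front of the inner router, is the line behind CGNAT) into one diagnosis. The function names and finding labels are hypothetical, and the address chains in the comments are constructed scenarios that reuse the two public addresses quoted in the thread purely as sample values.

```python
import ipaddress

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(wan_ip):
    """Classify the address a NAT device holds on its WAN side."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT:
        return "cgnat"
    if addr.is_private:
        return "private"
    if addr.is_global:
        return "public"
    return "other"


def diagnose(dns_a, wan_chain):
    """Explain why an inbound http-01 fetch to dns_a may time out.

    wan_chain lists the WAN address of each NAT device, innermost first
    (for a double setup: the inner router, then the cable router).
    """
    findings = []
    for hop, wan in enumerate(wan_chain):
        kind = classify_wan(wan)
        is_edge = hop == len(wan_chain) - 1
        if kind == "cgnat":
            findings.append("cgnat")  # no inbound port 80: use dns-01
            break
        if kind == "private":
            # Another NAT sits upstream and needs its own 80/443 forward.
            findings.append("upstream-nat-unknown" if is_edge else "double-nat")
        elif kind == "public":
            if ipaddress.ip_address(wan) != ipaddress.ip_address(dns_a):
                findings.append("stale-dns")  # A record points elsewhere
            break
        else:
            findings.append("unusable-wan")
            break
    return findings


if __name__ == "__main__":
    # Constructed scenario: inner router on a private WAN, CGNAT at the edge.
    print(diagnose("77.22.130.187", ["192.168.0.2", "100.72.10.5"]))
```

An empty result means the address chain itself does not explain the timeout, which leaves the port forwards and any firewall on each device as the next thing to check.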
