Port 80 is open but timeout (Error 400)

white-rabbit07 · March 29, 2018, 1:59pm

Hi.
I installed dehydrated on an internal server. It’s behind a firewall but I opened port 80 and set a CNAME (DDNS) on our vServer (with PLESK). The Plesk-Server is
(www.)example.org and the internal server is server.intern.example.org.

This internal server can be reached via port 80. When I call
http://server.intern.example.org/.well-known/acme-challenge/ I can access an index.html and the token will be generated correctly. So the directory is writeable!

But when I try “dehydrated --cron” I get this:

dehydrated --cron
# INFO: Using main config file /etc/dehydrated/config
Processing server.intern.example.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for server.intern.example.org...
 + Hook: Nothing to do...
 + Responding to challenge for server.intern.example.org...
 + Hook: Nothing to do...
 + Hook: Nothing to do...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching http://server.intern.example.org/.well-known/acme-challenge/mbskngekürztO3yk: Timeout",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Q1gbjgekürzt920524828",
  "token": "mbsknIOgekürzt29U3yk",
  "keyAuthorization": "mbskgekürzt29U3yk.9MqbIWBPjs",
  "validationRecord": [
    {
      "url": "http://server.intern.example.org/.well-known/acme-challenge/mgekürzt9U3yk",
      "hostname": "server.intern.example.org",
      "port": "80",
      "addressesResolved": [
        "178.xxx.yyy.zzz"
      ],
      "addressUsed": "178.xxx.yyy.zzz"
    }
  ]
})

I have no idea what to do. IPv6 is not activated – so the fallback to IPv4 should work.
Any hints what to do?
Thanks.

bytecamp · March 29, 2018, 2:16pm

Please show the affected domain name.

white-rabbit07 · March 29, 2018, 2:26pm

Maybe better via PM? Will send it to you …

jared.m · March 29, 2018, 3:11pm

It’s going to end up in the publicly available certificate transparency logs once you issue a certificate anyway, you’re only severely limiting the community’s ability to help you by withholding this, not increasing secrecy.

stevenzhu · March 29, 2018, 4:31pm

Hi, @white-rabbit07

What do you mean by ipv6 is not activated?

Is that means ipv6 is present in records but not accessible? (If so, you need to remove the IPV6 since LE doesn’t accept fallback)

Thank you

jared.m · March 29, 2018, 6:38pm

@white-rabbit07 - The DNS setup looks ok to me, but I’m having the same issue as Let’s Encrypt. When I attempt to connect to your server on port 80, the connection attempt times out. Do you have some sort of IP whitelisting set up? Have you verified that this is accessible over the public internet?

@stevenzhu - There’s no AAAA records for this domain, so nothing to worry about there. Also, while this isn’t relevant here, removing AAAA records is not always the solution. Ideally, in this instance, fixing the server to listen on IPv6 is preferable.

white-rabbit07 · March 29, 2018, 6:44pm

@jared.m That’s strange – I don’t have any issues when I try to connect to that server. It works without any timeout or delay. But maybe the Firewall (IPFire) blocks “some” IPs via GeoIP? Which countries do I have to allow in that case?

schoen · March 29, 2018, 6:52pm

For using this method, you're expected to allow connections from all IP addresses. The policy is that the Let's Encrypt validation servers may change unpredictably at any time.

jared.m · March 29, 2018, 6:55pm

On top of that, I’m connecting from the US.

white-rabbit07 · March 29, 2018, 7:06pm

Ok, I changed the GeoIP-Block … and … IT WORKS! Great!
Thank you very much. I didn’t expect the solution at this point as the access from any device always worked.
But finally: Success!

system · April 28, 2018, 7:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.