Port 80 open, no certificate (Timeout during connect (likely firewall problem))

Hi all, I am new to security issues, so forgive me for the question! I have an Apache server with port 80 open; if I curl the URL it returns the correct HTML content. The "certbot --apache" procedure ends in an error and I am not able to figure out the problem.

My domain is: bo.cnr.it

I ran this command: certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter ‘c’ to cancel): datavm.bo.cnr.it
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for datavm.bo.cnr.it
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. datavm.bo.cnr.it (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://datavm.bo.cnr.it/.well-known/acme-challenge/kyAFqHhXOuOHK9y62YZDDaz8PNHljAwYXFVWMyceE6A: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: datavm.bo.cnr.it
    Type: connection
    Detail: Fetching
    http://datavm.bo.cnr.it/.well-known/acme-challenge/kyAFqHhXOuOHK9y62YZDDaz8PNHljAwYXFVWMyceE6A:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): datavm.bo.cnr.it

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0


Hi @AlessioGiberti

There is a check of your domain, created yesterday: https://check-your-website.server-daten.de/?q=datavm.bo.cnr.it (I've started the current check).

Same image, only timeouts:

Domainname                                                                                     Http-Status      redirect  Sec.    G
http://datavm.bo.cnr.it/                                                                       192.167.183.18   -14       10.023  T
    Timeout - The operation has timed out
https://datavm.bo.cnr.it/                                                                      192.167.183.18   -14       10.033  T
    Timeout - The operation has timed out
http://datavm.bo.cnr.it/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de  192.167.183.18   -14       10.023  T
    Timeout - The operation has timed out
Visible Content:
https://192.167.183.18/                                                                        192.167.183.18   -14       10.026  T
    Timeout - The operation has timed out

Your IP answers via ping.

Does your webserver work internally?

curl http://datavm.bo.cnr.it/

from that machine?

If yes, it's a firewall / routing problem.


Hi Juergen and thanks for your reply.
Yes, I can curl from that machine. So it is a firewall / routing problem. Below I paste the result of port scanning.

root@datavm:/home/alessio# lsof -i -P |grep LISTEN
sshd 523 root 3u IPv4 25654 0t0 TCP *:22 (LISTEN)
sshd 523 root 4u IPv6 25656 0t0 TCP *:22 (LISTEN)
exim4 1053 Debian-exim 3u IPv4 18494 0t0 TCP localhost:25 (LISTEN)
exim4 1053 Debian-exim 4u IPv6 18495 0t0 TCP localhost:25 (LISTEN)
grafana-s 1824 grafana 12u IPv6 21207 0t0 TCP *:3000 (LISTEN)
apache2 8905 root 4u IPv6 2774194 0t0 TCP *:80 (LISTEN)
apache2 9394 www-data 4u IPv6 2774194 0t0 TCP *:80 (LISTEN)
apache2 9395 www-data 4u IPv6 2774194 0t0 TCP *:80 (LISTEN)
apache2 9396 www-data 4u IPv6 2774194 0t0 TCP *:80 (LISTEN)
influxd 20549 influxdb 3u IPv4 2359533 0t0 TCP localhost:8088 (LISTEN)
influxd 20549 influxdb 44u IPv6 2367433 0t0 TCP *:8086 (LISTEN)
cupsd 29572 root 9u IPv6 2549111 0t0 TCP localhost:631 (LISTEN)
cupsd 29572 root 10u IPv4 2549112 0t0 TCP localhost:631 (LISTEN)


The firewall status:

root@datavm:/home/alessio# ufw status
Status: active

To Action From

443 ALLOW Anywhere
80 ALLOW Anywhere
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
22/tcp (v6) ALLOW Anywhere (v6)
80/tcp (v6) ALLOW Anywhere (v6)


See your port checks: https://check-your-website.server-daten.de/?q=datavm.bo.cnr.it#portchecks

datavm.bo.cnr.it  22  SSH  open  SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7

SSH answers; you must have something that blocks.

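As an added triage helper (not code from the thread or from Certbot), the reasoning of the replies above, Apache listens on 80, ufw allows 80, port 22 answers from outside but 80 still times out, turned into shell functions that run over captured `lsof` and `ufw status` text. The sample captures are constructed from the output pasted in this thread, and the verdict strings are this example's own naming.

```shell
#!/bin/sh
# Triage helper for a http-01 "Timeout during connect": decide whether the block
# is on the host (no listener / local firewall) or upstream (network firewall,
# routing, provider ACL). Input is the text of `lsof -i -P | grep LISTEN` and
# `ufw status`, so it works on a pasted capture as well as on the live host.

# Constructed sample, taken from the capture in this thread (lsof field 9 is addr:port).
SAMPLE_LSOF='sshd 523 root 3u IPv4 25654 0t0 TCP *:22 (LISTEN)
exim4 1053 Debian-exim 3u IPv4 18494 0t0 TCP localhost:25 (LISTEN)
apache2 8905 root 4u IPv6 2774194 0t0 TCP *:80 (LISTEN)
influxd 20549 influxdb 44u IPv6 2367433 0t0 TCP *:8086 (LISTEN)'

SAMPLE_UFW='Status: active
To Action From
443 ALLOW Anywhere
80 ALLOW Anywhere
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)'

# Succeeds if some process listens on port $2 on a wildcard address (not only localhost).
# A Linux IPv6 wildcard socket normally accepts IPv4 too (net.ipv6.bindv6only=0),
# so the address-family column is deliberately ignored.
port_listens_public() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $8=="TCP" { n=split($9,a,":"); if (a[1]=="*" && a[n]==p) f=1 }
    END { exit !f }'
}

# Succeeds if ufw has an ALLOW rule for port $2 (written "80" or "80/tcp", v4 or v6).
ufw_allows() {
  printf '%s\n' "$1" | awk -v p="$2" '
    ($1==p || $1==p"/tcp") && ($2=="ALLOW" || $3=="ALLOW") { f=1 }
    END { exit !f }'
}

# $1 lsof text, $2 ufw text, $3 result of an external probe of port 80 ("open" or "timeout").
http01_verdict() {
  if ! port_listens_public "$1" 80; then echo no-public-listener; return; fi
  if ! ufw_allows "$2" 80; then echo blocked-by-ufw; return; fi
  if [ "$3" = timeout ]; then echo blocked-upstream; else echo reachable; fi
}

# The thread's situation: Apache listens, ufw allows 80, the outside probe still times out.
http01_verdict "$SAMPLE_LSOF" "$SAMPLE_UFW" timeout   # prints: blocked-upstream
```

On the live host, feed it `"$(lsof -i -P | grep LISTEN)"` and `"$(ufw status)"`; the third argument is what an external checker such as the one linked above reports for port 80.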
