Problem during secondary verification

I’m trying to host a web server at home. I’m using a cable provider, dedicated IP, link speed is 1Gbps (on paper). The server itself is accessible from the internets; I tried curl’ing it from different datacenters like Hetzner and DigitalOcean, and also checked with a couple of uptime monitors. Tried bombing it with ab, works.

Port forwarding is done on a MikroTik 2011 router; the server is a physical machine with some serious hardware. No firewall entries here and there. A friend using the same ISP a couple of blocks away has no problems getting validated.

When I run certbot, I see six connections going through the router and six SYN connections to the server (using tcpdump). But nginx gets only the primary HTTP request, which goes into the access log; the others are eaten somewhere, I have no ideas. Tried replacing the web server with a virtual machine installed from scratch: nginx, certbot and nothing else. No ideas (

My domain is:
site4food.com

I ran this command:
letsencrypt certonly --webroot --webroot-map='{"site4food.com":"/usr/share/nginx/acme"}' --dry-run

It produced this output:

http-01 challenge for site4food.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. site4food.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://site4food.com/.well-known/acme-challenge/3uZJChaClV_o6mDhqHkk9506jg5j2TiyWaxKmp9otgk: Timeout during connect (likely firewall problem)

My web server is (include version):
nginx/1.14.0

The operating system my web server runs on is (include version):
Ubuntu 18.04.4

My hosting provider, if applicable, is:
Home server. Dedicated white IP.

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0


Hi @Disbeleiver

There is your answer. You have a blocking instance, fix that.

The

error is new. Read

So your system allows the primary Letsencrypt servers to access your server. But the secondary validation servers are blocked.


Thanks for your reply. Yeah, I suspect there may be a problem somewhere in my network, but I'm out of ideas what can produce it. The router is not set up to filter any specific src addresses, the server has no firewall whatsoever... Could it be that letsencrypt sends somehow malformed requests due to some bug?

Okay, I’ve got ideas and ran tshark.

9 0.881370723 66.133.109.36 → 192.168.10.34 TCP 66 58162 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=465966340 TSecr=1864138187
10 0.881422045 66.133.109.36 → 192.168.10.34 HTTP 331 GET /.well-known/acme-challenge/66nC_wtpI-OwCcH4zzKFxcQo-Xv6gMAbeeRwAsBiY-Y HTTP/1.1
11 0.881445674 192.168.10.34 → 66.133.109.36 TCP 66 80 → 58162 [ACK] Seq=1 Ack=266 Win=64896 Len=0 TSval=1864138393 TSecr=465966341
12 0.881846470 192.168.10.34 → 66.133.109.36 HTTP 408 HTTP/1.1 200 OK
13 1.001605526 52.58.118.98 → 192.168.10.34 TCP 74 [TCP Retransmission] 51634 → 80 [SYN] Seq=0 Win=26883 Len=0 MSS=1460 SACK_PERM=1 TSval=645118382 TSecr=0 WS=128
14 1.001623384 192.168.10.34 → 52.58.118.98 TCP 74 [TCP Retransmission] 80 → 51634 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2416694651 TSecr=645117380 WS=128
15 1.089344615 66.133.109.36 → 192.168.10.34 TCP 66 58162 → 80 [FIN, ACK] Seq=266 Ack=344 Win=30336 Len=0 TSval=465966548 TSecr=1864138393
16 1.089374510 192.168.10.34 → 66.133.109.36 TCP 66 80 → 58162 [ACK] Seq=344 Ack=267 Win=64896 Len=0 TSval=1864138601 TSecr=465966548
17 1.267280526 34.211.60.134 → 192.168.10.34 TCP 74 [TCP Retransmission] 52538 → 80 [SYN] Seq=0 Win=26883 Len=0 MSS=1460 SACK_PERM=1 TSval=548694564 TSecr=0 WS=128
18 1.267378097 192.168.10.34 → 34.211.60.134 TCP 74 [TCP Retransmission] 80 → 52538 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2818131550 TSecr=548693562 WS=128
19 1.488247995 18.224.20.83 → 192.168.10.34 TCP 74 [TCP Retransmission] 55764 → 80 [SYN] Seq=0 Win=26883 Len=0 MSS=1460 SACK_PERM=1 TSval=1742047178 TSecr=0 WS=128
20 1.488289807 192.168.10.34 → 18.224.20.83 TCP 74 [TCP Retransmission] 80 → 55764 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1668179187 TSecr=1742046176 WS=128
21 2.018487448 192.168.10.34 → 52.58.118.98 TCP 74 [TCP Retransmission] 80 → 51634 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2416695668 TSecr=645117380 WS=128
22 2.274327222 192.168.10.34 → 34.211.60.134 TCP 74 [TCP Retransmission] 80 → 52538 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2818132557 TSecr=548693562 WS=128
23 2.498970151 192.168.10.34 → 18.224.20.83 TCP 74 [TCP Retransmission] 80 → 55764 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=1668180197 TSecr=1742046176 WS=128
24 3.003570452 52.58.118.98 → 192.168.10.34 TCP 74 [TCP Retransmission] 51634 → 80 [SYN] Seq=0 Win=26883 Len=0 MSS=1460 SACK_PERM=1 TSval=645120384 TSecr=0 WS=128
25 3.003587806 192.168.10.34 → 52.58.118.98 TCP 74 [TCP Retransmission] 80 → 51634 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM=1 TSval=2416696653 TSecr=645117380 WS=128

Looks like packets are lost. Strange that the first HTTP query succeeds all the time and the secondary ones always fail. And I can ping 34.211.60.134, for example, with no losses.
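The capture above shows the pattern worth checking for whenever secondary validation times out: the server answers each validator's SYN with a SYN-ACK, retransmits it, and never sees a single ACK-bearing segment back from that client, while the primary validator's handshake completes. The script below is an added example (not from the thread's participants) that parses tshark text output in the format shown and lists such half-open handshakes; the sample frames are copied from the capture above and abridged after Len=0, and the server address 192.168.10.34 is taken from it.

```python
import re
from collections import defaultdict

# tshark text frame: "no. time src → dst proto len info"
FRAME_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+→\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
# TCP info field, optionally prefixed by tshark's retransmission tag
TCP_RE = re.compile(r"^(?:\[TCP Retransmission\]\s+)?(\d+)\s+→\s+(\d+)\s+\[([^\]]+)\]")

# Sample input: frames from the tshark capture above, abridged after Len=0
CAPTURE = """\
9 0.881370723 66.133.109.36 → 192.168.10.34 TCP 66 58162 → 80 [ACK] Seq=1 Ack=1 Win=29312 Len=0
13 1.001605526 52.58.118.98 → 192.168.10.34 TCP 74 [TCP Retransmission] 51634 → 80 [SYN] Seq=0 Win=26883 Len=0
14 1.001623384 192.168.10.34 → 52.58.118.98 TCP 74 [TCP Retransmission] 80 → 51634 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
17 1.267280526 34.211.60.134 → 192.168.10.34 TCP 74 [TCP Retransmission] 52538 → 80 [SYN] Seq=0 Win=26883 Len=0
18 1.267378097 192.168.10.34 → 34.211.60.134 TCP 74 [TCP Retransmission] 80 → 52538 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
21 2.018487448 192.168.10.34 → 52.58.118.98 TCP 74 [TCP Retransmission] 80 → 51634 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
22 2.274327222 192.168.10.34 → 34.211.60.134 TCP 74 [TCP Retransmission] 80 → 52538 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
24 3.003570452 52.58.118.98 → 192.168.10.34 TCP 74 [TCP Retransmission] 51634 → 80 [SYN] Seq=0 Win=26883 Len=0
25 3.003587806 192.168.10.34 → 52.58.118.98 TCP 74 [TCP Retransmission] 80 → 51634 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0
"""

def analyze_handshakes(lines, server_ip, server_port=80):
    """Per (client_ip, client_port): SYNs seen, SYN-ACKs sent, and whether the
    client ever sent anything with ACK set (which proves a SYN-ACK reached it)."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "client_acked": False})
    for line in lines:
        m = FRAME_RE.match(line)
        if not m or m.group(3) != "TCP":
            continue  # HTTP frames only appear once a handshake has completed
        src, dst, _, info = m.groups()
        t = TCP_RE.match(info)
        if not t:
            continue
        sport, dport = int(t.group(1)), int(t.group(2))
        flags = set(t.group(3).split(", "))
        if dst == server_ip and dport == server_port:  # client -> server
            key = (src, sport)
            if "SYN" in flags and "ACK" not in flags:
                flows[key]["syn"] += 1
            elif "ACK" in flags:  # any ACK from the client means it saw our SYN-ACK
                flows[key]["client_acked"] = True
        elif src == server_ip and sport == server_port:  # server -> client
            if {"SYN", "ACK"} <= flags:
                flows[(dst, dport)]["synack"] += 1
    return dict(flows)

def half_open(flows):
    """Flows where SYN-ACKs went out but nothing with ACK came back: the
    return path (or the client's ACK) is being dropped, not the request."""
    return sorted((ip, port, v["synack"]) for (ip, port), v in flows.items()
                  if v["synack"] and not v["client_acked"])
```

Run against a capture taken during a real certbot attempt, a non-empty `half_open` list with the primary validator absent from it points at asymmetric filtering or return-path loss somewhere between the server and those specific source networks, rather than at nginx.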

Okay, so I gave up and used another ACME provider. Thanks for the help, this thread may be closed now.
