Server timeout on nginx

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: silkstoneserver.xyz

I ran this command: sudo certbot --nginx -d example.com -d www.example.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for silkstoneserver.xyz
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. silkstoneserver.xyz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://silkstoneserver.xyz/.well-known/acme-challenge/SxEztcHUdpp8SeUqc0hux124ggqNZ5IutirjaQzjq_0: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: silkstoneserver.xyz
    Type: connection
    Detail: Fetching
    http://silkstoneserver.xyz/.well-known/acme-challenge/SxEztcHUdpp8SeUqc0hux124ggqNZ5IutirjaQzjq_0:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
mark@ubuntuserver:/etc/nginx/conf.d$ sudo nano silkstoneserver.xyz.conf
mark@ubuntuserver:/etc/nginx/conf.d$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
mark@ubuntuserver:/etc/nginx/conf.d$ sudo nginx -s reload
mark@ubuntuserver:/etc/nginx/conf.d$ sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email xxxxxxxxxxxxxxx -d silkstoneserver.xyz --rsa-key-size 4096
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for silkstoneserver.xyz
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. silkstoneserver.xyz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://silkstoneserver.xyz/.well-known/acme-challenge/L0KkWDcD_tGZ9dgKjrS33GnzVQ30lGYgU0D0soA6oHM: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: silkstoneserver.xyz
    Type: connection
    Detail: Fetching
    http://silkstoneserver.xyz/.well-known/acme-challenge/L0KkWDcD_tGZ9dgKjrS33GnzVQ30lGYgU0D0soA6oHM:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu server 18.04

My hosting provider, if applicable, is: Dynu.com (dynamic DNS)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Hi all,

I'm having difficulty in generating certificates for my site, silkstoneserver.xyz.

I've put the error above and confirmed that nginx is working correctly by forwarding requests from the domain to services on my local network on different ports.

I've done a fair bit of searching, but nothing has helped me to be able to install certificates on nginx. Any help would be greatly appreciated.

Can you connect to http://silkstoneserver.xyz/ from outside your LAN? From a different ISP? From a different country?

For me, it times out.

Trying to access https://silkstoneserver.xyz/ gets me a “connection refused” error – which probably means that port 443 is not blocked by a firewall.

Are you completely sure that port 80 isn't being blocked by a firewall anywhere on your network, and that the port forwarding settings are correct? Could your ISP be blocking it?

I have opened both ports 443 and 80 on my firewall. I am 100% sure the ports aren't blocked.

For example, I can forward port 80, either in Nginx or in my router, to a different service and access that service just fine. I can load a service on port 80 to check, if that helps, but I'd rather not do so before I get SSL working.
At the moment, I just have nginx listening on port 80. It's not redirecting to anything though, as I am not running a web server. I'm wanting to set up a reverse proxy to a service hosted on another machine in order to get HTTPS.

Well, port 80 is still timing out.

The most likely explanations are that you missed a firewall rule, or that your ISP is blocking it.

Edit: I don't know how common it is in Vietnam, but in the US it is fairly common for residential ISPs to block port 80.

The problem might also be that your domain occurs on several blacklists: https://mxtoolbox.com/SuperTool.aspx?action=blacklist%3asilkstoneserver.xyz&run=toolpage

This can have consequences for your DNS registry and thus reachability; you should solve that!

I'm using a dynamic IP updated with dynudns, so there's no way I can avoid being on some blacklists, I think.
I'll refresh my public IP to see if that works.
Edit - I've not been able to get a new IPv4 address, but I have moved my domain to http://silkstone.ddnsfree.com/ in Nginx.

Still no joy

Hi @silkstone1

Is this - 180.93.161.254 - your current IP?

Only timeouts ( https://check-your-website.server-daten.de/?q=silkstoneserver.xyz ):

Domainname                          IP              Http-Status  redirect  Sec.    G
• http://silkstoneserver.xyz/       180.93.161.254  -14                    10.013  T   Timeout - The operation has timed out
• http://www.silkstoneserver.xyz/   180.93.161.254  -14                    10.014  T   Timeout - The operation has timed out
• https://silkstoneserver.xyz/      180.93.161.254  -14                    10.017  T   Timeout - The operation has timed out
• https://www.silkstoneserver.xyz/  180.93.161.254  -14                    10.030  T   Timeout - The operation has timed out

Same checking the raw ip address.

I just updated my public IP to 180.93.161.93

I've switched addresses in Nginx to silkstone.ddnsfree.com to try that as well, but silkstoneserver.xyz should also redirect to that IP.

The DNS records won't have propagated for silkstoneserver.xyz yet, but silkstoneserver.ddnsfree.com works. It gives a 404 error as I am not hosting anything until I set up my redirects.

Port 80 still times out.

Port 443 is running HTTP (instead of HTTPS). (Not unusual for a partly configured web server.)

Port 443 is redirected to 80 at the moment...

I can connect via port 80 in Edge (404 error), but in Chrome, it times out.

Edit - fixed my ports so both respond

Port 80 still times out.

(Port 443 is back to “connection refused”, which is reasonable.)

What would be causing it to timeout?

I have nginx installed and port 80 forwarded to port 80 on the correct IP

I've set a service on port 80 of my public WAN address now so you can see it works.

It doesn't work, though.

Okay. I was sure I connected before, I must have been mistaken. My apologies and thanks for the help.

Let me play with port forwarding on the DDNS service to see if I can get it working that way.

DNS and HTTP are totally different protocols. DNS doesn't use TCP port 80.

Also, the DNS query should "end" outside of your network: your server just informs the DDNS service of any new IP address, and the zone file, on the network of your DDNS service, gets updated. If anyone tries to go to your website, it gets the IP address - which has nothing to do with port 80 being blocked or not - from the DDNS service's DNS server.

After the client gets the IP address, it tries to contact your server on port 80 for HTTP or port 443 for HTTPS on that IP address. This step doesn't have anything to do with your DDNS service, only with the route between the client and your server directly and anything in between, such as your NAT router, your firewall, an ISP firewall or even a nationwide firewall (China, anyone?)

Yeah. I see now. I thought that if I redirected silkstoneserver.xyz:80 to my.wan.ip:81, then forwarded that on my router to port 80, it might work. But alas, letsencrypt detects that I'm trying to use it through port 81 and blocks the request.
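The resolve-then-connect sequence described in the reply above is exactly what the Let's Encrypt validation server does for an http-01 challenge, and the three outcomes seen in this thread (timeout, connection refused, HTTP 404) each point at a different layer. The script below is an added diagnostic, not code from the thread, from Certbot or from Let's Encrypt: it resolves the name, fetches http://<host>/.well-known/acme-challenge/<token>, and reports how far it got. To run offline it stands up a throwaway local web server in place of nginx (assumed stand-in), reuses the token from the log above, and appends a constructed placeholder where a real key authorization would carry the account thumbprint.

```python
"""Classify how far a simulated ACME http-01 fetch gets (added example).

"timeout"  -> no SYN/ACK at all: firewall, missing port forward, ISP block
"refused"  -> host answered but nothing listens on the port
"http_NNN" -> web server reached, challenge path not served (e.g. 404)
"ok"       -> challenge file served with the expected content
"""
import functools
import http.client
import http.server
import os
import shutil
import socket
import tempfile
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def probe_http01(host, token, port=80, timeout=5.0, expected_body=None):
    """Resolve host, then fetch the challenge URL; return a result dict."""
    # Step 1: DNS. The validator resolves the A/AAAA record, so a wrong or
    # stale record fails here before any packet reaches the web server.
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return {"stage": "dns", "result": "dns_failure", "detail": str(exc)}

    # Step 2/3: TCP connect and HTTP GET on the resolved address, with the
    # original hostname in the Host header as the validator would send it.
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace").strip()
    except socket.timeout:
        return {"stage": "tcp", "result": "timeout", "ip": ip,
                "detail": "no answer on port %d (firewall / port forward / ISP)" % port}
    except ConnectionRefusedError:
        return {"stage": "tcp", "result": "refused", "ip": ip,
                "detail": "host reachable but nothing listening on port %d" % port}
    except OSError as exc:
        return {"stage": "tcp", "result": "other_error", "ip": ip, "detail": str(exc)}
    finally:
        conn.close()

    if resp.status != 200:
        return {"stage": "http", "result": "http_%d" % resp.status, "ip": ip,
                "detail": "web server reached; challenge path not served"}
    if expected_body is not None and body != expected_body:
        return {"stage": "http", "result": "wrong_body", "ip": ip, "detail": body}
    return {"stage": "http", "result": "ok", "ip": ip, "detail": body}


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output free of access-log noise
        pass


def serve_challenge(token, key_authorization):
    """Start a throwaway loopback web server (stand-in for nginx) that serves
    one challenge file from a temp webroot. Returns (server, port, webroot)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, ".well-known", "acme-challenge"))
    with open(os.path.join(root, ".well-known", "acme-challenge", token), "w") as fh:
        fh.write(key_authorization)
    handler = functools.partial(_QuietHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1], root


def _closed_port():
    """Pick a loopback port that nothing listens on (bind, read, release)."""
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    token = "SxEztcHUdpp8SeUqc0hux124ggqNZ5IutirjaQzjq_0"  # token from the log above
    keyauth = token + ".EXAMPLE_ACCOUNT_THUMBPRINT"  # constructed placeholder
    server, port, root = serve_challenge(token, keyauth)
    try:
        good = probe_http01("127.0.0.1", token, port=port, expected_body=keyauth)
        missing = probe_http01("127.0.0.1", "no-such-token", port=port)
    finally:
        server.shutdown()
        server.server_close()
        shutil.rmtree(root, ignore_errors=True)
    refused = probe_http01("127.0.0.1", token, port=_closed_port())
    dns = probe_http01("no-such-host.invalid", token)  # .invalid never resolves
    return {"good": good, "missing": missing, "refused": refused, "dns": dns}


if __name__ == "__main__":
    for name, res in demo().items():
        print("%-8s %-12s %s" % (name, res["result"], res["detail"]))
```

Run it against a real name with `probe_http01("silkstoneserver.xyz", token)` from a host outside your own LAN; from inside, NAT hairpinning can make a broken port forward look healthy, which is the trap the thread ran into.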

So Iā€™ve determined that my ISP isnā€™t blocking port 80 through canyouseeme.org which indicates that port 80 is open when I enable web server access on WAN on my isp router.

There seems to be some inherent problem on port 80 and requests not being forwarded to my main router.

I am actually double NATed, just with my second router in a DMZ, as I cannot get the router that the ISP provided me to act as a ‘dumb’ device.

Thanks for the help. Verifying that it wasn't a problem with how I'd installed everything really helped.
I narrowed the problem down and found that port 80 wasn't being forwarded correctly.

I've fixed it now and it's all working well.

Quick question - If I want to add SSL to other connections, would I follow the same setup?

I've used the guide for Jellyfin so I can access it away from home and it gives a config file.
here: https://jellyfin.readthedocs.io/en/latest/administrator-docs/reverse-proxy/

Can I just add additional conf files with different domain names (and request certificates for each) for this to work, or are there more steps?

Thx again for the help.

I'm not sure about setting up Jellyfin, but…

As far as Certbot and Nginx go, to add other domains, all you have to do is run “sudo certbot --nginx” with the appropriate options.

Setting up DNS, configuring port forwarding, configuring the web application and Nginx, those are separate steps you also have to complete.

Thanks.

So certbot would automagically update the nginx MY_DOMAIN.conf files to force HTTPS?
