Strange problem renewing, claiming firewall issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
camera.ttsh.dk

I ran this command:
certbot renew

It produced this output:
Domain: camera.ttsh.dk
Type: connection
Detail: 46.32.37.185: Fetching
http://camera.ttsh.dk/.well-known/acme-challenge/PJqcO39KaG5AQNGnwpaip3tyLq3q_-RHu4Wz1SeihoM:
Timeout during connect (likely firewall problem)

My web server is (include version):
apache 2.4.56

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

Additional data:
On target:
$ echo hi > .well-known/acme-challenge/b

Executed from Microsoft Azure:
$ curl http://vejen-karate.dk/.well-known/acme-challenge/b
hi
Executed from local (loopback):
$ curl http://vejen-karate.dk/.well-known/acme-challenge/b
hi

Certbot reports
Domain: camera.ttsh.dk
Type: connection
Detail: 46.32.37.185: Fetching
http://camera.ttsh.dk/.well-known/acme-challenge/PJqcO39KaG5AQNGnwpaip3tyLq3q_-RHu4Wz1SeihoM:
Timeout during connect (likely firewall problem)

Does not seem to be a local HTTP problem.

Any ideas on what to do ?

Start by ensuring that nothing is blocking the inbound HTTP requests.

4 Likes


If you read the report, I have already validated that the HTTP port is open and working, from a VPS in Azure cloud, and the local firewalls.

I have also validated that the DNS records are working.

Is that "/b" record still there with "hi" as the contents? Because I don't see it.

Also your tests used your vejen-karate.dk domain but your cert request is for camera.ttsh.dk

Right now both get responses from an Apache server 2.4.56. But, is the configuration in Apache identical for both? A better test would be to use the same domain name.

I can't reproduce the timeout problem using Let's Debug. Are you still seeing the timeout error? Because sometimes temp comms problems can cause that too.

4 Likes

I can't either.
I suspect it has something to do with rate limiting / IPS defenses.

3 Likes

I have around 41 domains.

All of them share the same .well-known folder, so it is identically handled.

The URLs of b and a have changed, because the acme-challenge folder is deleted by certbot after running.

I have created another pair of files that can be reached a directory higher.
$ curl http://vejen-karate.dk/.well-known/a
test
test
$ curl http://vejen-karate.dk/.well-known/b
hi

A sample of other domains.
http://www.ttsh.dk/.well-known/a
http://www.ttsh.dk/.well-known/b
http://camera.ttsh.dk/.well-known//a
http://vejen-karate.dk/.well-known//a

e.g.
Domain: vejen-karate.dk
Type: connection
Detail: 46.32.37.185: Fetching http://vejen-karate.dk/.well-known/acme-challenge/oD83q_5KZClh1R5oVPFwVYa4a_FSFefUthrJ-CCLp9Y: Timeout during connect (likely firewall problem)

None of those domains seem to validate.

I just ran the script again, to update.

Snippet of the logs:

Domain: www.roedding-karate.dk
Type: connection
Detail: 46.32.37.185: Fetching
http://www.roedding-karate.dk/.well-known/acme-challenge/uelB0DXmvYgm7ii48DhbvFr-97erodNDmjBwQx2AzzE:
Timeout during connect (likely firewall problem)

Domain: www.thetroubleshooters.dk
Type: connection
Detail: During secondary validation: 46.32.37.185: Fetching
http://www.thetroubleshooters.dk/.well-known/acme-challenge/qVJLP0HSji6v_tSAPkGV6UNobYP8jx4x96l01wLL-G4:
Timeout during connect (likely firewall problem)

Domain: www.ttsh.dk
Type: connection
Detail: 46.32.37.185: Fetching
http://www.ttsh.dk/.well-known/acme-challenge/H6ImKOJhdmm2pjr2kL4rftFKw_qcCF2qPBmCey3opwg:
Timeout during connect (likely firewall problem)

Turns out that my firewall has had an update that changes its DDoS protection settings, and now apparently it considers the polling of the HTTP port as a DDoS attack.

Thanks for looking at the problem.

The problem was found by running very fast parallel queries from a Microsoft Azure VPS. Just odd that it doesn't seem to affect websites.

3 Likes
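Triaging the certbot output quoted in this thread, as an added example (not code from the thread, from certbot or from Let's Encrypt): it parses the Domain/Type/Detail blocks certbot prints and flags the pattern the OP hit, where every domain fails with a connect timeout, which points at a network-level block (firewall, IPS, DDoS protection) rather than a per-vhost problem. The hostnames, tokens and validator address in the sample are constructed.

```python
import re
from collections import Counter

# Constructed sample shaped like the snippets in the thread (made-up values).
SAMPLE_OUTPUT = """\
Domain: a.example.dk
Type: connection
Detail: 203.0.113.10: Fetching
http://a.example.dk/.well-known/acme-challenge/TOKEN-A:
Timeout during connect (likely firewall problem)

Domain: www.b.example.dk
Type: connection
Detail: During secondary validation: 203.0.113.10: Fetching
http://www.b.example.dk/.well-known/acme-challenge/TOKEN-B:
Timeout during connect (likely firewall problem)
"""

# One block per failed identifier; Detail runs to the next blank line or EOF,
# so it works whether certbot wrapped the Detail line or not.
BLOCK_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+"
    r"Detail:\s*(?P<detail>.*?)(?=\n\s*\n|\Z)", re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_failures(text):
    """Return one dict per failure block, with the wrapped Detail re-joined."""
    failures = []
    for m in BLOCK_RE.finditer(text):
        detail = " ".join(m.group("detail").split())
        ip = IP_RE.search(detail)
        failures.append({
            "domain": m.group("domain"), "type": m.group("type"), "detail": detail,
            "validator_ip": ip.group(1) if ip else None,
            "secondary": "During secondary validation" in detail,
            "timeout": "Timeout during connect" in detail})
    return failures

def triage(failures):
    """Suspect a network-level block when several domains all time out on connect;
    anything else (dns, unauthorized, a single timeout) stays per-domain/transient."""
    if not failures:
        return {"verdict": "no_failures", "domains": 0}
    all_timeouts = all(f["type"] == "connection" and f["timeout"] for f in failures)
    domains = {f["domain"] for f in failures}
    verdict = "network_block_suspected" if all_timeouts and len(domains) > 1 \
        else "per_domain_or_transient"
    return {"verdict": verdict, "domains": len(domains),
            "validator_ips": dict(Counter(f["validator_ip"] for f in failures if f["validator_ip"])),
            "secondary_validation_failures": sum(f["secondary"] for f in failures)}
```

A "network_block_suspected" verdict is the cue to look at inbound rate limiting, IPS or DDoS-protection rules rather than at individual vhosts; the secondary-validation count shows that more than one validator is being refused.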