Suddenly Timeout during connect (likely firewall problem) for www subdomain

Hi, I have a really strange problem. This issue suddenly appeared in the last 24 or 48 hours (before that, everything was running well for the last 18 months!)

My domain is: laresidencia.net

I ran this command: plesk bin extension --exec letsencrypt cli.php -d laresidencia.net -d www.laresidencia.net -m me@domain.tld

It produced this output:

# plesk bin extension --exec letsencrypt cli.php -d laresidencia.net -m me@domain.tld

# plesk bin extension --exec letsencrypt cli.php -d laresidencia.net -d www.laresidencia.net -m me@domain.tld
[2022-04-21 08:45:38.541] 3877622:6260fd928408e ERR [extension/letsencrypt] The execution of cli.php has failed with the following message:
[2022-04-21 08:45:38.528] 3877624:6260fd82a7081 ERR [extension/letsencrypt] Domain validation failed for www.laresidencia.net: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/100274279387.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.laresidencia.net/.well-known/acme-challenge/mENo2ZDDnaXDr0qRD3rk7ZYB2xQEGNsiCDPo4Tyj9AQ: Timeout during connect (likely firewall problem)
[2022-04-21 08:45:38.531] 3877624:6260fd82a7081 ERR [extension/letsencrypt] Domain validation failed: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/100274279387.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.laresidencia.net/.well-known/acme-challenge/mENo2ZDDnaXDr0qRD3rk7ZYB2xQEGNsiCDPo4Tyj9AQ: Timeout during connect (likely firewall problem)
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/100274279387.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.laresidencia.net/.well-known/acme-challenge/mENo2ZDDnaXDr0qRD3rk7ZYB2xQEGNsiCDPo4Tyj9AQ: Timeout during connect (likely firewall problem)
The execution of cli.php has failed with the following message:
[2022-04-21 08:45:38.528] 3877624:6260fd82a7081 ERR [extension/letsencrypt] Domain validation failed for www.laresidencia.net: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/100274279387.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.laresidencia.net/.well-known/acme-challenge/mENo2ZDDnaXDr0qRD3rk7ZYB2xQEGNsiCDPo4Tyj9AQ: Timeout during connect (likely firewall problem)
[2022-04-21 08:45:38.531] 3877624:6260fd82a7081 ERR [extension/letsencrypt] Domain validation failed: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/100274279387.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.laresidencia.net/.well-known/acme-challenge/mENo2ZDDnaXDr0qRD3rk7ZYB2xQEGNsiCDPo4Tyj9AQ: Timeout during connect (likely firewall problem)
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/100274279387.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.laresidencia.net/.well-known/acme-challenge/mENo2ZDDnaXDr0qRD3rk7ZYB2xQEGNsiCDPo4Tyj9AQ: Timeout during connect (likely firewall problem)

exit status 1

As you can see, the first command, without the www subdomain, worked! But when I add the www, it fails.

My web server is: Apache 2.4.41

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: IONOS

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: Plesk Obsidian

The version of my client is: I'm using the latest Plesk SSL It! extension

Nmap port 80 and 443 tests (tested from another machine, not the hosting server)...

# nmap -P 80 laresidencia.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-21 08:27 CEST
Nmap done: 2 IP addresses (0 hosts up) scanned in 2.17 seconds
# nmap -p 80 laresidencia.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-21 08:27 CEST
Nmap scan report for laresidencia.net (212.227.149.7)
Host is up (0.020s latency).
rDNS record for 212.227.149.7: webolot.com

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

# nmap -p 80 www.laresidencia.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-21 08:27 CEST
Nmap scan report for www.laresidencia.net (212.227.149.7)
Host is up (0.020s latency).
rDNS record for 212.227.149.7: webolot.com

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

# nmap -p 443 www.laresidencia.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-21 08:27 CEST
Nmap scan report for www.laresidencia.net (212.227.149.7)
Host is up (0.020s latency).
rDNS record for 212.227.149.7: webolot.com

PORT    STATE SERVICE
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

# nmap -p 443 laresidencia.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-21 08:27 CEST
Nmap scan report for laresidencia.net (212.227.149.7)
Host is up (0.020s latency).
rDNS record for 212.227.149.7: webolot.com

PORT    STATE SERVICE
443/tcp open  https

DNS test (tested from another machine, not the hosting server) ...

# dig +short NS laresidencia.net
ns1045.ui-dns.de.
ns1045.ui-dns.com.
ns1045.ui-dns.biz.
ns1045.ui-dns.org.

# dig +short www.laresidencia.net
212.227.149.7

# dig +short laresidencia.net
212.227.149.7

The same happens with some other domains, for example: ecarta.cat and delitgastronomic.cat, ...

This server has UFW (disabled now) and a firewall at hosting-provider level (IONOS) with ports 80 and 443 open and unfiltered.

I tried to change the www DNS record from A to CNAME, with the same results.

I tried to change the www DNS record from www to *, with the same results.

I'm really lost!

Looks like there is some type of GeoLocation blocking going on:
See: Let's Debug (letsdebug.net)

@rg305 I see your Let's Debug test failing but it is working now.

I see they issued a cert with both names in it. But, oddly, much earlier today. By my calcs about 2H after their initial post. Hmmm
https://tools.letsdebug.net/cert-search?m=domain&q=laresidencia.net&d=168

Maybe it only blocks some of the IPs some of the times - LOL

I am getting good results now:
Cert is good till Wed, 20 Jul 2022 05:57:14 GMT
Thought I'd mention it.

Thanks for all your replies.

I see they issued a cert with both names in it. But, oddly, much earlier today. By my calcs about 2H after their initial post. Hmmm

and

I am getting good results now:
Cert is good till Wed, 20 Jul 2022 05:57:14 GMT
Thought I'd mention it.

That's true. After a few tries (without changing anything) the certificate for www renewed correctly. Why?! I don't know.

Today, a new domain has the same problem: aniolmangas.com

As you can see, the domain renewed successfully but not www. crt.sh | aniolmangas.com

For your information, I have another server with the same setup, and 2 days ago we had the same problem with manxaindustrial.com. But like laresidencia.net, after a few retries we successfully renewed for www.

What can I do? Thanks!

Your explanation is very helpful but is unusual. I do not know Plesk very well. Does it auto-configure your Apache server too or do you configure that by hand?

Have you tried using the Plesk interactive panel to get the certs? Does it fail the same way as your command line method?

Thanks for your answer Mike,

Before trying the command line, I had already tried with the Plesk panel (as usual), with the same result...

The base domain cert is renewed OK but not the www subdomain.

Before posting here, I searched a lot in the Plesk forums and KB; some people said the (similar) problem goes away by unchecking the "Redirect from http to https" option, but not in my case.

We can look at your Apache conf but if Plesk manages that it would not help to adjust it manually.

As a test, did you try getting a cert for just the www domain? I am curious whether it has to do with multiple domains in the same cert (which is normally fine) or is related to the www itself.

In your IONOS setup, are there any optional firewall / security settings that relate to "ddos" protection or "smart security"? Let's Encrypt will make several identical requests from different places around the world, so it is sometimes mistaken for an attack and blocked by such a firewall.

Hi Mike, and thanks for answering.

If I try to get a cert for just the www domain, I have the same result...

# plesk bin extension --exec letsencrypt cli.php -d www.candanes.com -m mserrafontfreda@gmail.com
[2022-04-25 08:35:33.152] 315615:626641352515f ERR [extension/letsencrypt] The execution of cli.php has failed with the following message:
[2022-04-25 08:35:33.139] 315617:6266412706cbc ERR [extension/letsencrypt] Domain validation failed for www.candanes.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/101866345467.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 212.227.149.7: Fetching http://www.candanes.com/.well-known/acme-challenge/ew3A2sFXVQUNS2q9_btXOYI0JFAOXeC-708can5dZpw: Timeout during connect (likely firewall problem)
[2022-04-25 08:35:33.141] 315617:6266412706cbc ERR [extension/letsencrypt] Domain validation failed: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/101866345467.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 212.227.149.7: Fetching http://www.candanes.com/.well-known/acme-challenge/ew3A2sFXVQUNS2q9_btXOYI0JFAOXeC-708can5dZpw: Timeout during connect (likely firewall problem)
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/101866345467.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 212.227.149.7: Fetching http://www.candanes.com/.well-known/acme-challenge/ew3A2sFXVQUNS2q9_btXOYI0JFAOXeC-708can5dZpw: Timeout during connect (likely firewall problem)
The execution of cli.php has failed with the following message:
[2022-04-25 08:35:33.139] 315617:6266412706cbc ERR [extension/letsencrypt] Domain validation failed for www.candanes.com: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/101866345467.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 212.227.149.7: Fetching http://www.candanes.com/.well-known/acme-challenge/ew3A2sFXVQUNS2q9_btXOYI0JFAOXeC-708can5dZpw: Timeout during connect (likely firewall problem)
[2022-04-25 08:35:33.141] 315617:6266412706cbc ERR [extension/letsencrypt] Domain validation failed: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/101866345467.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 212.227.149.7: Fetching http://www.candanes.com/.well-known/acme-challenge/ew3A2sFXVQUNS2q9_btXOYI0JFAOXeC-708can5dZpw: Timeout during connect (likely firewall problem)
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/101866345467.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 212.227.149.7: Fetching http://www.candanes.com/.well-known/acme-challenge/ew3A2sFXVQUNS2q9_btXOYI0JFAOXeC-708can5dZpw: Timeout during connect (likely firewall problem)

exit status 1

No, I don't think there is any additional protection.

If you need something from my server (apache config, logs, etc) tell me please.

For your information, this weekend, four new domains have problems renewing the www subdomain ...
www.pirenaic.fr
www.pirenaic.com
www.candanes.com
www.tiars.cat

I cannot reproduce any of that from Italy.

There probably is a firewall you have yet to discover. If it's not yours it's probably your ISP's.

Hello,

We have been having the same type of issue since last Thursday, and our ISP is the same: Arsys (IONOS) (Spain).

The error is:
"Timeout during connect (likely firewall problem) for www subdomain"

We can renew the bare domain but not the "www.". Ports 80 and 443 are accessible from inside/outside the server and we don't have IPv6 records.

When the error occurs, we can access the "Fetching" error URL of our domains quickly and without any problem from inside and outside the server. We tried accessing those URLs with the typical pages that try to access a URL from different countries and we didn't see problems either. The domain access via https://letsdebug.net/ was OK in all cases.

We have 8 servers with Windows Server 2016 + Plesk 18.0.43 + Let's Encrypt 3.0.0-785 and we have been having the same issue on all servers since the same day.

We contacted the ISP and they are investigating it, because it could be some type of IP block or some problem at ISP level.

Thanks for your answer Wolfix (misery loves company :sweat_smile:)

If you have news about the issue, can you update this post please?

Can I do something to help?

Yes, I will post any news. :slightly_smiling_face:

I don't know if you reported it to IONOS, but they might have more clues with our two issues on the table.

Thank you! :grinning:

Hi!

I'm having the same problem (exactly the same problem) with ARSYS. I opened a ticket and am waiting for an answer.

Thanks pepelucai,

A few years ago, Ionos bought Arsys: The German company 1&1 buys the Spanish firm Arsys for 140 million | Technology | EL PAÍS

Ionos (1and1) and Arsys are the same.

Yes. Same company.

They answered that there are more clients with the same problem and asked me for the result of the command tcptraceroute.

No more answers for now.

I don't know if this information will be relevant for the gurus in this forum, but I'll try...

After insisting with IONOS Spain, I have been asked for the result of executing the command mtr.

And there is something strange with some of the Let's Encrypt servers.

I have two servers, and the mtr result is different on each server. Look...

Server 1:

cat acme-staging.api.letsencrypt.org.txt
Start: 2022-04-27T08:54:35+0200
HOST: distracted-albattani.82-223 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- distracted-albattani.82-2  0.0%    10    0.0   0.0   0.0   0.1   0.0

cat acme-staging-v02.api.letsencrypt.org.txt 
Start: 2022-04-27T08:49:43+0200
HOST: distracted-albattani.82-223 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.255.255.2               0.0%    10    0.2   0.2   0.1   0.3   0.1
  2.|-- 82.223.41.138              0.0%    10    0.5   0.6   0.4   0.8   0.1
  3.|-- ae-6.bb-a.mad2.mad.es.net  0.0%    10    8.2   8.2   7.9   8.4   0.2
  4.|-- cloudflare.alta.espanix.n  0.0%    10    8.8  15.5   8.5  39.6  11.3
  5.|-- 172.70.58.2                0.0%    10   21.1  10.3   8.2  21.1   4.1
  6.|-- 172.65.46.172              0.0%    10    8.3   8.2   8.1   8.3   0.1

cat acme-v01.api.letsencrypt.org.txt 
Start: 2022-04-27T08:48:58+0200
HOST: distracted-albattani.82-223 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- distracted-albattani.82-2  0.0%    10    0.0   0.0   0.0   0.1   0.0

cat acme-v02.api.letsencrypt.org.txt 
Start: 2022-04-27T08:48:34+0200
HOST: distracted-albattani.82-223 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.255.255.2               0.0%    10    0.3   0.2   0.1   0.5   0.1
  2.|-- 82.223.41.137              0.0%    10    0.5   0.6   0.5   0.7   0.1
  3.|-- ae-6.bb-b.epx.mad.es.net.  0.0%    10    7.5   7.5   7.0   8.1   0.3
  4.|-- ae-8.bb-a.mad2.mad.es.one  0.0%    10    7.1   7.3   7.1   7.6   0.2
  5.|-- cloudflare.alta.espanix.n  0.0%    10    7.7  13.1   7.7  32.4   9.2
  6.|-- 188.114.108.7              0.0%    10    7.5   7.7   7.5   7.8   0.1
  7.|-- 172.65.32.248              0.0%    10    7.0   7.1   6.9   7.3   0.2

Server 2:

$ cat acme-staging.api.letsencrypt.org.txt
Start: 2022-04-27T08:45:25+0200
HOST: webolot.com                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.255.255.2               0.0%    10    0.2   0.1   0.1   0.3   0.1
  2.|-- 82.223.41.138              0.0%    10    0.4   0.5   0.4   0.7   0.1
  3.|-- ae-6.bb-a.mad2.mad.es.net  0.0%    10    8.1   8.0   7.9   8.1   0.1
  4.|-- mad-b3-link.ip.twelve99.n 70.0%    10    8.2   8.2   8.0   8.3   0.1
  5.|-- mad-b2-link.ip.twelve99.n  0.0%    10    8.4   8.5   8.3   8.8   0.2
  6.|-- prs-bb2-link.ip.twelve99.  0.0%    10  106.3 106.0 105.9 106.3   0.1
  7.|-- rest-bb1-link.ip.twelve99  0.0%    10  105.8 106.6 105.8 111.8   1.9
  8.|-- ash-b2-link.ip.twelve99.n  0.0%    10  105.9 106.0 105.8 106.3   0.1
  9.|-- vadata-ic333119-ash-b2.ip  0.0%    10  106.5 110.2 105.6 127.9   6.9
 10.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 11.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 12.|-- 52.93.28.78                0.0%    10  120.9 121.1 118.4 135.3   5.2
 13.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0

$ cat acme-staging-v02.api.letsencrypt.org.txt
Start: 2022-04-27T08:46:01+0200
HOST: webolot.com                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.255.255.2               0.0%    10    0.1   0.1   0.1   0.2   0.0
  2.|-- 82.223.41.137              0.0%    10    0.6   0.6   0.4   1.3   0.3
  3.|-- ae-6.bb-b.epx.mad.es.net.  0.0%    10    7.1   7.3   6.9   7.8   0.3
  4.|-- ae-8.bb-a.mad2.mad.es.one  0.0%    10    7.0   7.1   7.0   7.2   0.1
  5.|-- cloudflare.alta.espanix.n  0.0%    10   14.9  10.9   7.5  23.6   5.5
  6.|-- 172.70.58.2                0.0%    10    7.8   7.8   7.1   9.7   0.7
  7.|-- 172.65.46.172              0.0%    10    7.1   7.1   7.0   7.1   0.0

$ cat acme-v01.api.letsencrypt.org.txt
Start: 2022-04-27T08:44:43+0200
HOST: webolot.com                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.255.255.2               0.0%    10    0.1   0.1   0.1   0.1   0.0
  2.|-- 82.223.41.138              0.0%    10    0.6   0.5   0.4   0.6   0.1
  3.|-- ae-6.bb-a.mad2.mad.es.net  0.0%    10    8.0   8.0   7.8   8.1   0.1
  4.|-- mad-b3-link.ip.twelve99.n 70.0%    10    8.5   8.4   8.2   8.5   0.2
  5.|-- mad-b2-link.ip.twelve99.n  0.0%    10    8.7   8.7   8.4   9.7   0.4
  6.|-- prs-bb2-link.ip.twelve99.  0.0%    10  105.8 106.0 105.8 106.2   0.1
  7.|-- rest-bb1-link.ip.twelve99  0.0%    10  106.3 106.1 106.0 106.3   0.1
  8.|-- ash-b2-link.ip.twelve99.n  0.0%    10  106.0 106.0 105.7 106.2   0.1
  9.|-- vadata-ic333119-ash-b2.ip  0.0%    10  105.8 106.8 105.7 111.4   1.8
 10.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 11.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0
 12.|-- 52.93.28.78                0.0%    10  118.8 119.4 118.4 125.9   2.3
 13.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0

$ cat acme-v02.api.letsencrypt.org.txt
Start: 2022-04-27T08:45:03+0200
HOST: webolot.com                 Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 10.255.255.2               0.0%    10    0.1   0.1   0.1   0.1   0.0
  2.|-- 82.223.41.138              0.0%    10    0.5   0.5   0.4   0.7   0.1
  3.|-- ae-6.bb-b.epx.mad.es.net.  0.0%    10    6.6   6.4   6.2   6.8   0.2
  4.|-- ae-8.bb-a.mad2.mad.es.one  0.0%    10    7.0   7.1   6.9   7.3   0.1
  5.|-- cloudflare.alta.espanix.n  0.0%    10    7.9  10.2   7.5  16.8   3.3
  6.|-- 172.70.60.2                0.0%    10    7.4   7.9   7.1   9.6   0.7
  7.|-- 172.65.32.248              0.0%    10    7.1   7.1   7.0   7.2   0.1

Same issue over here. Identical environment: IONOS, Plesk Obsidian, SSL It! extension, Spanish client and partially renewed certificate (main domain renewed and www subdomain failed).

It's not a final solution, but I finally found a partial one to get the renewal done until this issue is completely solved. From the Plesk panel:

  1. Go to the subscription.
  2. SSL/TLS Certificates.
  3. Deactivate the "Redirect from http to https" option.
  4. Reissue the certificate.
  5. Activate the http to https redirect.


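Two points raised in this thread can be checked against the Apache access log instead of guessed at: Mike's remark that Let's Encrypt fetches the challenge several times from different places (so a "timeout during connect" reported by the CA while the site looks fine from one machine means some of those fetches never reached the server), and FEJIDIF's workaround of switching off the HTTP to HTTPS redirect while reissuing. The script below is an added example and is not code from this thread, from Plesk or from Let's Encrypt. It parses Apache `vhost_combined` log lines, groups the `/.well-known/acme-challenge/` fetches by vhost and token, and flags tokens that were requested from fewer distinct source IPs than expected (the missing fetches were dropped before Apache, which is where an upstream or provider firewall sits) or that received a redirect instead of a 200. The log lines, hostnames, tokens and IP addresses (RFC 5737 documentation ranges) are constructed for the example; the threshold of three source IPs is an assumption for illustration, not a figure published by Let's Encrypt.

```python
import re
from collections import defaultdict

# Apache "vhost_combined" LogFormat:
#   "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = {301, 302, 307, 308}
# User-Agent the Let's Encrypt validators send; only used to build the sample below.
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"


def _line(vhost, ip, path, status, ua=LE_UA, ts="21/Apr/2022:08:45:30 +0200"):
    """Build one constructed vhost_combined log line (sample data, not a real log)."""
    return f'{vhost}:80 {ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 87 "-" "{ua}"'


# Constructed sample: example.net is healthy (four validators, all 200), www.example.net
# was reached by a single validator only, and www.example.org answers the challenge with
# a 301. Hostnames, tokens and IPs (RFC 5737 ranges) are made up for this example.
SAMPLE_LOG = "\n".join([
    _line("example.net", "192.0.2.10", CHALLENGE_PREFIX + "apexTokenAAAA", 200),
    _line("example.net", "198.51.100.20", CHALLENGE_PREFIX + "apexTokenAAAA", 200),
    _line("example.net", "203.0.113.30", CHALLENGE_PREFIX + "apexTokenAAAA", 200),
    _line("example.net", "203.0.113.31", CHALLENGE_PREFIX + "apexTokenAAAA", 200),
    _line("www.example.net", "192.0.2.10", CHALLENGE_PREFIX + "wwwTokenBBBB", 200),
    _line("www.example.org", "192.0.2.10", CHALLENGE_PREFIX + "redirTokenCCCC", 301),
    _line("www.example.org", "198.51.100.20", CHALLENGE_PREFIX + "redirTokenCCCC", 301),
    _line("www.example.org", "203.0.113.30", CHALLENGE_PREFIX + "redirTokenCCCC", 301),
    _line("www.example.net", "203.0.113.99", "/index.html", 200, ua="curl/7.68.0"),
])


def parse_line(line):
    """Parse one vhost_combined line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["status"] = int(rec["status"])
    return rec


def challenge_requests(log_text):
    """Yield parsed records for HTTP-01 challenge fetches, with the token split out."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(CHALLENGE_PREFIX):
            rec["token"] = rec["path"][len(CHALLENGE_PREFIX):]
            yield rec


def summarize(log_text):
    """Group challenge fetches by (vhost, token): distinct source IPs and status codes."""
    groups = defaultdict(lambda: {"sources": set(), "statuses": set()})
    for rec in challenge_requests(log_text):
        g = groups[(rec["vhost"], rec["token"])]
        g["sources"].add(rec["ip"])
        g["statuses"].add(rec["status"])
    return dict(groups)


def findings(log_text, min_sources=3):
    """Return {(vhost, token): [problem, ...]}; an empty list means the fetch looked fine.

    min_sources is an assumption made for this example: the CA fetches the token from a
    primary vantage point plus several remote ones, so a token that only one or two
    source IPs ever requested means the other fetches were dropped before Apache saw
    them (upstream or provider firewall), which matches a "timeout during connect".
    """
    out = {}
    for key, g in summarize(log_text).items():
        problems = []
        if g["statuses"] & REDIRECT_CODES:
            problems.append("challenge path was redirected; exempt " + CHALLENGE_PREFIX
                            + " from the HTTP->HTTPS redirect so it is served over plain HTTP")
        elif g["statuses"] != {200}:
            problems.append("non-200 responses: " + str(sorted(g["statuses"])))
        if len(g["sources"]) < min_sources:
            problems.append(f"only {len(g['sources'])} source IP(s) reached this vhost, expected "
                            f"at least {min_sources}; the missing fetches were blocked before Apache")
        out[key] = problems
    return out


if __name__ == "__main__":
    for (vhost, token), problems in findings(SAMPLE_LOG).items():
        print(f"{vhost} {token}: " + ("; ".join(problems) or "OK"))
```

To use it on a real server, read whichever access log holds the vhost's port-80 traffic and pass its contents to `findings()`; if that log is in the plain `combined` format (no `%v:%p` prefix), drop the vhost group from `LOG_RE` and key on the token alone. A token that every validator fetched with a 200 while the CA still reports a connection timeout is outside what this script can see, and points at the path between the validators and the server rather than at Apache.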
Thanks for your message FEJIDIF, but it doesn't work for me :sob:
