Suddenly Timeout during connect (likely firewall problem) for www subdomain

FYI: I was able to fix the last two errors renewing www subdomains only doing this steps:

  1. renaming .htaccess to .htaccess_tmp
  2. renew base domain and www subdomain as usual
  3. renaming .htaccess_tmp to .htaccess

What's inside that .htaccess?

2 Likes

Nothing strange (I think) ...

# cat .htaccess  

# BEGIN WordPress
# Las directivas (líneas) entre `BEGIN WordPress` y `END WordPress` se generan dinámicamente
# , y solo se deberían modificar mediante filtros de WordPress.
# Cualquier cambio en las directivas que hay entre esos marcadores se sobreescribirán.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Sorry (I'm not the site developer), I thought both domains had the same content in the file (two wordpress sites), but no.

The other one it's a little bit more complex, but nothing strange for me too ...

# BEGIN WordPress
# Les directives (línies) entre "BEGIN WordPress" i "END WordPress" es generen dinàmicament i haurien de ser solament modificades mitjançant els filtres del WordPress.
# Qualsevol canvi entre aquestes marques se sobreescriuran.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress
# BEGIN HTML5 Boilerplate
# Les directives (línies) entre `BEGIN HTML5 Boilerplate` i `END HTML5 Boilerplate` es generen dinàmicament i haurien de ser solament modificades mitjançant els filtres del WordPress.
# Qualsevol canvi entre aquestes marques se sobreescriuran.
<IfModule mod_setenvif.c>
                <IfModule mod_headers.c>
                                <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
                                                SetEnvIf Origin ":" IS_CORS
                                                Header set Access-Control-Allow-Origin "*" env=IS_CORS
                                </FilesMatch>
                </IfModule>
</IfModule>

<IfModule mod_headers.c>
                <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
                                Header set Access-Control-Allow-Origin "*"
                </FilesMatch>
</IfModule>

<IfModule mod_headers.c>
                Header set X-UA-Compatible "IE=edge"
                # `mod_headers` cannot match based on the content-type, however,
                # the `X-UA-Compatible` response header should be send only for
                # HTML documents and not for the other resources.
                <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
                                Header unset X-UA-Compatible
                </FilesMatch>
</IfModule>

<IfModule mod_mime.c>
        # Data interchange
                AddType application/atom+xml                        atom
                AddType application/json                            json map topojson
                AddType application/ld+json                         jsonld
                AddType application/rss+xml                         rss
                AddType application/vnd.geo+json                    geojson
                AddType application/xml                             rdf xml
        # JavaScript
                # Normalize to standard type.
                # https://tools.ietf.org/html/rfc4329#section-7.2
                AddType application/javascript                      js
        # Manifest files
                AddType application/manifest+json                   webmanifest
                AddType application/x-web-app-manifest+json         webapp
                AddType text/cache-manifest                         appcache
        # Media files
                AddType audio/mp4                                   f4a f4b m4a
                AddType audio/ogg                                   oga ogg opus
                AddType image/bmp                                   bmp
                AddType image/svg+xml                               svg svgz
                AddType image/webp                                  webp
                AddType video/mp4                                   f4v f4p m4v mp4
                AddType video/ogg                                   ogv
                AddType video/webm                                  webm
                AddType video/x-flv                                 flv
                # Serving `.ico` image files with a different media type
                # prevents Internet Explorer from displaying then as images:
                # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
                AddType image/x-icon                                cur ico
        # Web fonts
                AddType application/font-woff                       woff
                AddType application/font-woff2                      woff2
                AddType application/vnd.ms-fontobject               eot
                # Browsers usually ignore the font media types and simply sniff
                # the bytes to figure out the font type.
                # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern
                #
                # However, Blink and WebKit based browsers will show a warning
                # in the console if the following font types are served with any
                # other media types.
                AddType application/x-font-ttf                      ttc ttf
                AddType font/opentype                               otf
        # Other
                AddType application/octet-stream                    safariextz
                AddType application/x-bb-appworld                   bbaw
                AddType application/x-chrome-extension              crx
                AddType application/x-opera-extension               oex
                AddType application/x-xpinstall                     xpi
                AddType text/vcard                                  vcard vcf
                AddType text/vnd.rim.location.xloc                  xloc
                AddType text/vtt                                    vtt
                AddType text/x-component                            htc
</IfModule>

AddDefaultCharset utf-8

<IfModule mod_mime.c>
                AddCharset utf-8 .atom \
                .bbaw \
                .css \
                .geojson \
                .js \
                .json \
                .jsonld \
                .manifest \
                .rdf \
                .rss \
                .topojson \
                .vtt \
                .webapp \
                .webmanifest \
                .xloc \
                .xml
</IfModule>

<IfModule mod_rewrite.c>
                # (1)
                RewriteEngine On
                # (2)
                # Options +FollowSymlinks
                # (3)
                # Options +SymLinksIfOwnerMatch
                # (4)
                # RewriteBase /
                # (5)
                # RewriteOptions <options>
                # (6)
                RewriteCond %{HTTPS} =on
                RewriteRule ^ - [env=proto:https]
                RewriteCond %{HTTPS} !=on
                RewriteRule ^ - [env=proto:http]
</IfModule>

<IfModule mod_autoindex.c>
                Options -Indexes
</IfModule>

<IfModule mod_rewrite.c>
                RewriteEngine On
                RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
                RewriteCond %{SCRIPT_FILENAME} -d [OR]
                RewriteCond %{SCRIPT_FILENAME} -f
                RewriteRule "(^|/)\." - [F]
</IfModule>

<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">
                # Apache < 2.3
                <IfModule !mod_authz_core.c>
                                Order allow,deny
                                Deny from all
                                Satisfy All
                </IfModule>

                # Apache ≥ 2.3
                <IfModule mod_authz_core.c>
                                Require all denied
                </IfModule>
</FilesMatch>

<IfModule mod_headers.c>
                Header set X-Content-Type-Options "nosniff"
</IfModule>

<IfModule mod_headers.c>
                Header unset X-Powered-By
</IfModule>

ServerSignature Off

<IfModule mod_deflate.c>
                # Force compression for mangled `Accept-Encoding` request headers
                # https://developer.yahoo.com/blogs/ydn/pushing-beyond-gzipping-25601.html
                <IfModule mod_setenvif.c>
                    <IfModule mod_headers.c>
                        SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
                        RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
                    </IfModule>
                </IfModule>
                # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                # Compress all output labeled with one of the following media types.
                #
                # (!) For Apache versions below version 2.3.7 you don't need to
                # enable `mod_filter` and can remove the `<IfModule mod_filter.c>`
                # and `</IfModule>` lines as `AddOutputFilterByType` is still in
                # the core directives.
                #
                # https://httpd.apache.org/docs/current/mod/mod_filter.html#addoutputfilterbytype
                <IfModule mod_filter.c>
                                AddOutputFilterByType DEFLATE "application/atom+xml" \
                                "application/javascript" \
                                "application/json" \
                                "application/ld+json" \
                                "application/manifest+json" \
                                "application/rdf+xml" \
                                "application/rss+xml" \
                                "application/schema+json" \
                                "application/vnd.geo+json" \
                                "application/vnd.ms-fontobject" \
                                "application/x-font-ttf" \
                                "application/x-javascript" \
                                "application/x-web-app-manifest+json" \
                                "application/xhtml+xml" \
                                "application/xml" \
                                "font/eot" \
                                "font/opentype" \
                                "image/bmp" \
                                "image/svg+xml" \
                                "image/vnd.microsoft.icon" \
                                "image/x-icon" \
                                "text/cache-manifest" \
                                "text/css" \
                                "text/html" \
                                "text/javascript" \
                                "text/plain" \
                                "text/vcard" \
                                "text/vnd.rim.location.xloc" \
                                "text/vtt" \
                                "text/x-component" \
                                "text/x-cross-domain-policy" \
                                "text/xml"

                </IfModule>
                # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                # Map the following filename extensions to the specified
                # encoding type in order to make Apache serve the file types
                # with the appropriate `Content-Encoding` response header
                # (do note that this will NOT make Apache compress them!).
                #
                # If these files types would be served without an appropriate
                # `Content-Enable` response header, client applications (e.g.:
                # browsers) wouldn't know that they first need to uncompress
                # the response, and thus, wouldn't be able to understand the
                # content.
                #
                # https://httpd.apache.org/docs/current/mod/mod_mime.html#addencoding
                <IfModule mod_mime.c>
                                AddEncoding gzip              svgz
                </IfModule>
</IfModule>

<IfModule mod_headers.c>
                Header unset ETag
</IfModule>

FileETag None

<IfModule mod_expires.c>
                ExpiresActive on
                ExpiresDefault                                      "access plus 1 month"
        # CSS
                ExpiresByType text/css                              "access plus 1 year"
        # Data interchange
                ExpiresByType application/atom+xml                  "access plus 1 hour"
                ExpiresByType application/rdf+xml                   "access plus 1 hour"
                ExpiresByType application/rss+xml                   "access plus 1 hour"
                ExpiresByType application/json                      "access plus 0 seconds"
                ExpiresByType application/ld+json                   "access plus 0 seconds"
                ExpiresByType application/schema+json               "access plus 0 seconds"
                ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
                ExpiresByType application/xml                       "access plus 0 seconds"
                ExpiresByType text/xml                              "access plus 0 seconds"
        # Favicon (cannot be renamed!) and cursor images
                ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
                ExpiresByType image/x-icon                          "access plus 1 week"
        # HTML
                ExpiresByType text/html                             "access plus 0 seconds"
        # JavaScript
                ExpiresByType application/javascript                "access plus 1 year"
                ExpiresByType application/x-javascript              "access plus 1 year"
                ExpiresByType text/javascript                       "access plus 1 year"
        # Manifest files
                ExpiresByType application/manifest+json             "access plus 1 week"
                ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
                ExpiresByType text/cache-manifest                   "access plus 0 seconds"
        # Media files
                ExpiresByType audio/ogg                             "access plus 1 month"
                ExpiresByType image/bmp                             "access plus 1 month"
                ExpiresByType image/gif                             "access plus 1 month"
                ExpiresByType image/jpeg                            "access plus 1 month"
                ExpiresByType image/png                             "access plus 1 month"
                ExpiresByType image/svg+xml                         "access plus 1 month"
                ExpiresByType image/webp                            "access plus 1 month"
                ExpiresByType video/mp4                             "access plus 1 month"
                ExpiresByType video/ogg                             "access plus 1 month"
                ExpiresByType video/webm                            "access plus 1 month"
        # Web fonts
                # Embedded OpenType (EOT)
                ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
                ExpiresByType font/eot                              "access plus 1 month"
                # OpenType
                ExpiresByType font/opentype                         "access plus 1 month"
                # TrueType
                ExpiresByType application/x-font-ttf                "access plus 1 month"
                # Web Open Font Format (WOFF) 1.0
                ExpiresByType application/font-woff                 "access plus 1 month"
                ExpiresByType application/x-font-woff               "access plus 1 month"
                ExpiresByType font/woff                             "access plus 1 month"
                # Web Open Font Format (WOFF) 2.0
                ExpiresByType application/font-woff2                "access plus 1 month"
        # Other
                ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
</IfModule>

<IfModule mod_rewrite.c>
                RewriteRule ^wp-admin/includes/ - [F,L]
                RewriteRule !^wp-includes/ - [S=3]

                RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
                RewriteRule ^wp-includes/theme-compat/ - [F,L]

                RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
                RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
</IfModule>

<FilesMatch "^(wp-config\.php|readme\.html|license\.txt|install\.php)">
                # Apache < 2.3
                <IfModule !mod_authz_core.c>
                                Order allow,deny
                                Deny from all
                                Satisfy All
                </IfModule>
                # Apache ≥ 2.3
                <IfModule mod_authz_core.c>
                                Require all denied
                </IfModule>
</FilesMatch>
# END HTML5 Boilerplate

I am not even sure what this is supposed to do.

1 Like

Do either of the two files "work"?

1 Like

Nothing new here.

I only had one affected server and was finally able to renew the certificate. But obviously, it was luck. I'm dreading the rest of the renewals.

1 Like

Oh! I missed this part. I don't know what does. As I said I'm not the web developer. Seems it's auto generated by some wordpress theme or plugin (# BEGIN HTML5 Boilerplate)

Domain one has the first .htaccess

Domain two has the second .htaccess

The same error occurs on both domains

The error has solved (bypassed) for both domains with the same procedure...

  1. renaming .htaccess to .htaccess_tmp
  2. renew base domain and www subdomain as usual
  3. renaming .htaccess_tmp to .htaccess
1 Like

Today, another domain with the same error, has solved as decribed in my last post.

The .htaccess ...

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
2 Likes

Clearly the .htaccess files are not working as intended.
The one with:

Seems to have come closest (because it at least acknowledged the need to handle the challenge folder), but also fails because it includes multiple sections all dealing with redirections individually and incorrectly.

2 Likes

Forget the .htaccess with

Is what worries me the least

All other .htaccess files does not have a similar line and fails to renew www subdomain

All files fail.
All .htaccess files are bad.

2 Likes

Sorry, but I can't understand you ... Why all .htaccess files are bad?

Because they're a perfect road to an unpredictable mess where people don't even know where their config is.

(And we are used to having full control over the machine, so we like putting our config in /etc/apache2/sites-available/sitename.conf instead of random directories in htdocs.)

2 Likes

Ok, ok, I understand, you are referring to the concept

Yes.

Also: they're specific to Apache. It makes it a lot harder to switch to another webserver, should you want to.

But they have positive sides: on a shared hosting, you can use a .htaccess to hack your way to something, if the AllowOverride directive likes you.

2 Likes

Finally, an answer from my server provider (IONOS) ...

In relation to the problem reported with Let's Encrypt SSL certificates in Plesk, it has been verified that there is no restriction on our part, and that the problem would be on the side of Let's Encrypt and Plesk.

You can find information about the solution in the following articles:

Original...

En relación al problema reportado con los certificados SSL de Let's Encrypt en Plesk, se ha comprobado que no hay ninguna restricción por nuestra parte, y que el problema estaría del lado de Let's Encrypt y Plesk.

En los siguientes artículos puede encontrar información sobre la solución:

https://support.plesk.com/hc/en-us/articles/115004728413-Unable-to-issue-a-Let-s-Encr[…]le-is-either-unreadable-or-does-not-have-the-read-permission

Suddenly Timeout during connect (likely firewall problem) for www subdomain - #25 by mserra

As you can see, they wash their hands and links to this forum :sweat_smile:

2 Likes

Yesterday I could renew without issues the SSL of around 1200 domains that were going to be expire in the next 30 days.

8 servers, same config, no changes.

Did anyone noticed something positive since yesterday?

Thank's Wolfix, and sorry for 2 days delay on answer.

After a few tests seems now it's working again.

As you, same config, no changes.

I'm sure IONOS has solved some connectivity issue.

2 Likes