The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (lnx14,fww,kb-chgv,kb-it,kb-md).messe-duesseldorf.de

I ran this command: certbot certonly --dry-run --config /etc/letsencrypt/cli.ini --preferred-challenges http-01 --standalone --domain lnx14.messe-duesseldorf.de,fww.messe-duesseldorf.de,kb-chgv.messe-duesseldorf.de,kb-it.messe-duesseldorf.de,kb-md.messe-duesseldorf.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for lnx14.messe-duesseldorf.de and 4 more domains
The dry run was successful.

And afterwards: certbot certonly --config /etc/letsencrypt/cli.ini --preferred-challenges http-01 --standalone --domain lnx14.messe-duesseldorf.de,fww.messe-duesseldorf.de,kb-chgv.messe-duesseldorf.de,kb-it.messe-duesseldorf.de,kb-md.messe-duesseldorf.de

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for lnx14.messe-duesseldorf.de and 4 more domains
----------------------------------------
Exception occurred during processing of request from ('10.7.2.3', 52771)
Traceback (most recent call last):
  File "/usr/lib64/python3.11/socketserver.py", line 317, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib64/python3.11/socketserver.py", line 348, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib64/python3.11/socketserver.py", line 361, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.11/site-packages/acme/standalone.py", line 237, in __init__
    super().__init__(*args, **kwargs)
  File "/usr/lib64/python3.11/socketserver.py", line 755, in __init__
    self.handle()
  File "/usr/lib/python3.11/site-packages/acme/standalone.py", line 262, in handle
    BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
  File "/usr/lib64/python3.11/http/server.py", line 432, in handle
    self.handle_one_request()
  File "/usr/lib64/python3.11/http/server.py", line 420, in handle_one_request
    method()
  File "/usr/lib/python3.11/site-packages/acme/standalone.py", line 270, in do_GET
    self.handle_404()
  File "/usr/lib/python3.11/site-packages/acme/standalone.py", line 283, in handle_404
    self.end_headers()
  File "/usr/lib64/python3.11/http/server.py", line 534, in end_headers
    self.flush_headers()
  File "/usr/lib64/python3.11/http/server.py", line 538, in flush_headers
    self.wfile.write(b"".join(self._headers_buffer))
  File "/usr/lib64/python3.11/socketserver.py", line 834, in write
    self._sock.sendall(b)
ConnectionResetError: [Errno 104] Connection reset by peer
----------------------------------------

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: kb-md.messe-duesseldorf.de
  Type:   connection
  Detail: 194.9.88.92: Fetching http://kb-md.messe-duesseldorf.de/.well-known/acme-challenge/lSeXYhK6-Lp0InNID-IXR_ZfE9reGhg8E6XJOnfXHYs: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): certbot --standalone

The operating system my web server runs on is (include version): openSUSE Tumbleweed

My hosting provider, if applicable, is: on prem

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.31.0

All domains resolve successfully and other multi-domain certs have successfully been issued. I'm completely unaware of Python and its details and was not able to find something like a timeout value which could be increased. Any hint or help is more than welcome.

It must have been a temporary thing. After creating the topic I tried it again with "-v" et voilà:

root@lnx40: letsencrypt;(RC=0) # certbot --version
certbot 1.31.0

root@lnx40: letsencrypt;(RC=0) # certbot certonly -v --config /etc/letsencrypt/cli.ini --preferred-challenges http-01 --standalone --domain lnx14.messe-duesseldorf.de,fww.messe-duesseldorf.de,kb-chgv.messe-duesseldorf.de,kb-it.messe-duesseldorf.de,kb-md.messe-duesseldorf.de
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for lnx14.messe-duesseldorf.de and 4 more domains
Performing the following challenges:
http-01 challenge for kb-md.messe-duesseldorf.de
Waiting for verification...
Cleaning up challenges

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/lnx14.messe-duesseldorf.de/fullchain.pem
Key is saved at: /etc/letsencrypt/live/lnx14.messe-duesseldorf.de/privkey.pem
This certificate expires on 2023-07-16.
These files will be updated when the certificate renews.

NEXT STEPS:

  • The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See User Guide — Certbot 2.5.0 documentation for instructions.

But one question remains: Is there any timeout value which could help to avoid such a situation?

For Let's Encrypt, you basically need to respond to the TCP connection and HTTP request within 10 seconds. In the grand scheme of things, it is very, very lenient and you shouldn't have to twiddle with any settings to make it work.

The "timeout during connect" error is usually due to the port being closed or a firewall blocking the connection.

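To make the validation model above concrete, here is an added example (not certbot's code and not from this thread) of what the standalone authenticator does on port 80: a minimal http-01 responder that answers /.well-known/acme-challenge/<token> with the key authorization and 404 for anything else, plus two pre-flight checks a defender can run before the real request, both using the 10-second budget mentioned above as their timeout. The token and thumbprint values are constructed placeholders; real ones come from the ACME server and the account key. Port 80 requires root, so the self-check at the bottom is the only part that assumes it.

```python
"""Added example: minimal ACME http-01 responder plus reachability pre-flights.

Illustrative code modelled on what certbot --standalone does; not certbot's own
plugin. The CA needs a TCP connection on port 80 and a 200 response carrying
the key authorization within its connect budget (about 10 seconds).
"""
import http.server
import socket
import socketserver
import threading
import urllib.error
import urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serve key authorizations for known tokens, 404 for everything else."""

    def do_GET(self):
        if not self.path.startswith(ACME_PREFIX):
            self._reply(404, b"not found\n")
            return
        token = self.path[len(ACME_PREFIX):]
        keyauth = self.server.challenges.get(token)
        if keyauth is None:
            self._reply(404, b"unknown token\n")
            return
        # RFC 8555 section 8.3: key authorization = token "." JWK thumbprint,
        # served with Content-Type application/octet-stream.
        self._reply(200, keyauth.encode("ascii"), "application/octet-stream")

    def _reply(self, status, body, ctype="text/plain"):
        try:
            self.send_response(status)
            self.send_header("Content-Type", ctype)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        except (ConnectionResetError, BrokenPipeError):
            # Peer dropped the connection mid-response (the stray
            # ConnectionResetError in the traceback above). The request is
            # already lost; nothing useful is left to do for it.
            pass

    def log_message(self, fmt, *args):
        pass  # keep the example quiet


class ChallengeServer(socketserver.ThreadingMixIn, http.server.HTTPServer):
    daemon_threads = True
    allow_reuse_address = True

    def __init__(self, address, challenges):
        self.challenges = dict(challenges)  # token -> key authorization
        super().__init__(address, ChallengeHandler)


def start_responder(challenges, host="", port=80):
    """Bind the responder and serve it from a background thread."""
    server = ChallengeServer((host, port), challenges)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_port_open(host, port, timeout=10.0):
    """TCP-level pre-flight: can a client connect within the CA's budget?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (the firewall case)
        return False


def probe_challenge(url, timeout=10.0):
    """HTTP-level pre-flight: returns (status, body) or (None, error text)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("ascii", errors="replace")
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    # Constructed sample values; real ones come from the ACME server and account key.
    sample = {"sample-token": "sample-token.sample-account-thumbprint"}
    srv = start_responder(sample, port=80)  # port 80 needs root
    print("port 80 reachable locally:", check_port_open("127.0.0.1", 80))
    print("challenge answer:", probe_challenge(f"http://127.0.0.1{ACME_PREFIX}sample-token"))
    srv.shutdown()
    srv.server_close()
```

Run probe_challenge against the public hostname from a host outside your network rather than from the server itself: a local probe only proves the responder is up, while the CA's "Timeout during connect" is about the path in from the internet, which a firewall or NAT rule can block without any local symptom.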

In this case port 80 is always open/not blocked by a firewall.

Using --standalone and getting Timeout during connect is a very rare sight.

I suspect that your server resources might have been very low, or too slow, to process the request in time.

Also, as these are default, there is no need to include them in the request:

And if the cert is a renewal, then just do:
certbot renew

