The server could not connect to the client to verify the domain :: Fetching... Timeout during connect (likely firewall problem)

Suspected Issues:

  • Conflict of ssl.conf options between mods-enabled/ssl.conf & options-ssl-apache.conf
  • Conflicts with Redirects lead to the challenge file not being found. e.g. Redirect permanent "/" "https://home.mainfamily.co.za/"

My domain is:
home.mainfamily.co.za <https://crt.sh/?q=home.mainfamily.co.za>

I ran this command:
sudo ufw disable
sudo service apache2 stop
sudo certbot certonly --standalone --preferred-challenges http -d home.mainfamily.co.za

[I have tried apache, standalone and webroot to authenticate with ACME CA]

It produced this output:
Failed authorization procedure. home.mainfamily.co.za (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://home.mainfamily.co.za/.well-known/acme-challenge/Zr_kf2Kg1-LHplZfrlSty4QNBeY8WSDDeaiW4ZRvJ3c: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: home.mainfamily.co.za
    Type: connection
    Detail: Fetching
    http://home.mainfamily.co.za/.well-known/acme-challenge/Zr_kf2Kg1-LHplZfrlSty4QNBeY8WSDDeaiW4ZRvJ3c:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): v2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04.5 LTS (i386)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0


Hi @wildcardjed

Checking your domain, there is no answer, only a timeout.

--standalone is hard to debug.

So try to use another validation method (--apache or --webroot).

Then it's possible to check whether your port 80 is open; that's a minimal requirement for http validation.

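Added example (not from the thread or from Certbot): a small probe, meant to be run from a host outside the home network, that reproduces the three outcomes that appear in this thread: a dropped connection on port 80 (timeout, the filter the original poster hit), a reachable host with nothing listening (refused, the webserver was stopped), and an open port. The domain is the one from the thread; the probe token is an assumed placeholder. Probing from the server itself says nothing about an upstream filter, so run it from elsewhere.

```python
"""Probe a host the way an ACME CA would before attempting http-01."""
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def challenge_url(domain, token):
    """URL the CA fetches for http-01 (RFC 8555 section 8.3); always plain http."""
    return f"http://{domain}{ACME_PATH}{token}"


def resolve(domain):
    """Addresses the CA will see; the A/AAAA record must point at the server."""
    try:
        infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(host, port, timeout=5.0):
    """Classify a TCP connect as 'open', 'refused', 'timeout' or 'error:<reason>'.

    A timeout means the SYN was silently dropped (firewall, router, ISP filter);
    'refused' means the host answered but nothing listens on the port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.strerror or exc}"


def fetch_challenge(domain, token, timeout=10.0):
    """Fetch the challenge URL without following redirects; return (status, detail).

    Seeing the raw 301/302 matters: a blanket Redirect to https hides whether
    the challenge file is actually served on port 80.
    """
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # turn the redirect into an HTTPError we can report

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(challenge_url(domain, token), timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.reason  # e.g. 301 (redirect) or 404 (file not served)
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


def interpret(port80, port443):
    """Map the two probe results to the diagnosis reached in the thread."""
    if port80 == "open":
        return "port 80 reachable: look at redirects and the webroot next"
    if port80 == "refused":
        return "host reachable but nothing listens on 80: is the webserver running?"
    if port80 == "timeout" and port443 == "open":
        return ("443 open but 80 filtered: an upstream (router or ISP) block of "
                "port 80; http-01 cannot work, use dns-01 instead")
    if port80 == "timeout":
        return "no answer on 80 or 443: firewall, NAT or wrong A/AAAA record"
    return f"port 80 probe failed: {port80}"


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "home.mainfamily.co.za"
    addrs = resolve(domain)
    print("resolves to:", addrs or "nothing (DNS problem)")
    for addr in addrs:
        p80, p443 = tcp_connect(addr, 80), tcp_connect(addr, 443)
        print(f"{addr}: 80={p80} 443={p443} -> {interpret(p80, p443)}")
        if p80 == "open":
            # "probe-token" is an assumed placeholder; a 404 here is expected,
            # a 301/302 or a timeout is the interesting result.
            print("challenge fetch:", fetch_challenge(domain, "probe-token"))
```

Run it as `python3 probe.py home.mainfamily.co.za` from a machine on another network. The case in this thread shows up as `80=timeout 443=open`, which is exactly the pattern of a port-80 filter upstream of the server rather than a misconfigured Apache.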

Hi,

Thanks for responding. With apologies, the webserver was probably stopped when you tried. I have started it now.

I will send the output from --apache. Errors below.

/var/log/apache2/error.log shows the following:
[Thu Apr 29 13:23:16.204188 2021] [core:notice] [pid 30677] AH00094: Command line: '/usr/sbin/apache2'
[Thu Apr 29 13:23:32.434171 2021] [mpm_prefork:notice] [pid 30677] AH00171: Graceful restart requested, doing restart
[Thu Apr 29 13:23:32.971995 2021] [mpm_prefork:notice] [pid 30677] AH00163: Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1 mod_perl/2.0.10 Perl/v5.26.1 configured -- resuming normal operations
[Thu Apr 29 13:23:32.972097 2021] [core:notice] [pid 30677] AH00094: Command line: '/usr/sbin/apache2'

Regards,
Jeremy


I have only a timeout.

So if your webserver runs, you have something that blocks.

Or a wrong router configuration.

PS: Ah, https works now. But http is required.


OK thanks - let me go review the router config and check with upstream ISP too.


Seems the issue is with my ISP. I was not aware. Here is their response:

Good day

This service is designed for home use.
Port 80 is restricted along with ports 22, 23, 53 and 8099.

Regards,
NOC Manager

I will appeal to have the port opened.


An alternative is to use DNS validation instead of http validation, if you can. acme-dns (https://github.com/joohoi/acme-dns, a limited DNS server with a RESTful HTTP API to handle ACME DNS challenges easily and securely) is worth looking at if you can't automate DNS updates with your current DNS provider.

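Added example, not code from the thread, from Certbot or from the acme-dns project: a Certbot `--manual-auth-hook` that publishes the dns-01 value through acme-dns, so validation never touches port 80. It assumes an acme-dns account was already registered (one `POST /register` to the acme-dns server) and that the JSON it returned was saved to the credentials file named in the script; the API base URL, the file path and the UUIDs in the constructed sample are assumed placeholders.

```python
"""Certbot --manual-auth-hook publishing a dns-01 value via acme-dns."""
import json
import os
import re
import urllib.request

ACME_DNS_API = "https://auth.example.net"                 # assumed acme-dns API base
CREDENTIALS_FILE = "/etc/letsencrypt/acme-dns-home.json"  # assumed location

# Constructed sample of the JSON acme-dns returns from POST /register (fake values).
SAMPLE_CREDENTIALS = {
    "username": "eabcdb41-d89f-4580-826f-3e62e9755ef2",
    "password": "pbAXVjlIOE01xbut7YnAbkhMQIkcwoHO0ek2j4Q0",
    "fulldomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf.auth.example.net",
    "subdomain": "d420c923-bbd7-4056-ab64-c3ca54c9b3cf",
}

# A dns-01 value is base64url(SHA-256(key authorization)): 32 bytes -> 43 chars,
# no '=' padding. acme-dns rejects anything else, so check before posting.
TXT_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def cname_record(domain, fulldomain):
    """The one-time change at the real DNS provider, in zone-file syntax.

    Delegating _acme-challenge to acme-dns means the provider's zone never
    needs automated writes; only the acme-dns record changes per renewal.
    """
    return f"_acme-challenge.{domain}. IN CNAME {fulldomain}."


def build_update_request(creds, validation, api_base):
    """Return (url, headers, body) for acme-dns POST /update."""
    if not TXT_RE.match(validation):
        raise ValueError("CERTBOT_VALIDATION does not look like a dns-01 value")
    headers = {
        "X-Api-User": creds["username"],
        "X-Api-Key": creds["password"],
        "Content-Type": "application/json",
    }
    body = json.dumps({"subdomain": creds["subdomain"], "txt": validation}).encode()
    return f"{api_base.rstrip('/')}/update", headers, body


def publish(creds, validation, api_base=ACME_DNS_API, timeout=15.0):
    """POST the TXT value; acme-dns is authoritative, so it serves it immediately."""
    url, headers, body = build_update_request(creds, validation, api_base)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Certbot exports these for manual hooks.
    domain = os.environ["CERTBOT_DOMAIN"]
    validation = os.environ["CERTBOT_VALIDATION"]
    with open(CREDENTIALS_FILE) as fh:
        creds = json.load(fh)  # the saved /register response for this domain
    print("expected CNAME:", cname_record(domain, creds["fulldomain"]))
    print("acme-dns answered:", publish(creds, validation))
```

With the CNAME in place at the real DNS provider, the request becomes `certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.py -d home.mainfamily.co.za`; the CA follows `_acme-challenge.home.mainfamily.co.za` to the acme-dns name and reads the TXT record there, so the blocked port 80 no longer matters. Keep the credentials file readable by root only: the password is all that is needed to publish validation records for the domain.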
