The server could not connect to the client to verify the domain

My domain is:
canberrasocial.net

I ran this command:
certbot certonly --standalone -d canberrasocial.net

It produced this output:
Failed authorization procedure. canberrasocial.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.canberrasocial.net/.well-known/acme-challenge/HUjh6UI-LyvbECAa9VK37ELmqUdup8y2oim10yB59WM: Timeout during connect (likely firewall problem)

My web server is (include version):
nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):
Docker on Ubuntu 18.04 x64

My hosting provider, if applicable, is:
vultr

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, I have a root login.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Doing everything on the command line.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I am following the instructions to create a Mastodon server which can be found here:

I am stuck at the following step:
You need to create the certificate twice - once with the TLS SNI method and the second time using the webroot method.
sudo certbot certonly --standalone -d example.com

Note that nginx is NOT running at this point. If I try to run it, it complains that the certificate is missing.

1 Like

You have an (unrelated) issue with your DNS records:

canberrasocial.net.     1800    IN      A       192.64.119.125
canberrasocial.net.     1799    IN      A       45.76.124.78

One of those (the 192. address) is the Namecheap URL forwarding server. You’ll want to get rid of it, otherwise half your traffic will go to the wrong place.

Check the firewall in your vultr.com control panel. You need to allow TCP ports 80 and 443. Currently they appear to be filtered, and I can only get through to port 22.

Check the firewall on your operating system as well (probably ufw status if you’re using Ubuntu).

1 Like

Hi az. I’m attaching a copy of the DNS configuration I have set up with namecheap. I don’t know where the 192.x IP is coming from because all my records show the 45.x address, which is the correct one.

Have I done something wrong? Please pardon my inexperience, I am new to server and domain admin.

1 Like

I imagine it’s the “URL Redirect Record” causing it. It’d be better to just handle the redirect on your own server.

1 Like

Okay, I deleted that one. :slight_smile:

1 Like

Looks good! (Not that it’ll fix your timeout problem).

1 Like

I checked by pinging locally from my own machine and the domain resolves correctly:

ping canberrasocial.net

So I suppose one problem fixed and back to the original problem! :slight_smile:

1 Like

Stupid question: does nginx need to be running when I execute the certbot certonly command?

I’m following some instructions which indicate it should not be running. Also, when I try to run it, nginx fails and complains that the certificate is missing.

1 Like

nginx shouldn’t be running if you are using --standalone.

That would not be the cause of your current problem anyhow. Right now, the issue is at a networking/firewall level.

1 Like

Yep, of course you mentioned that. I checked and you are quite correct on the ports.

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
22 (v6)                    DENY        Anywhere (v6)

Any suggestions for where I can get some info on configuring the firewall?

1 Like

Is that ufw's output? If so, it’s pretty much just:

ufw allow http
ufw allow https

1 Like
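The two things that went wrong in this thread (a stale second A record, and a ufw policy that only allowed SSH) can be checked before running `certbot certonly --standalone`. The script below is an added example, not from the thread or from Certbot; it assumes the standard `dig +short` and `ufw status` output formats and runs over constructed sample input so it works offline.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight checks before running
# `certbot certonly --standalone`. Inputs are constructed samples of
# `dig +short A <domain>` and `ufw status` output so this runs offline.

# Print the ufw rules still missing for HTTP-01 (80) and HTTPS (443).
# Reads `ufw status` on stdin; matches the numbered rows `ufw allow http`
# and `ufw allow https` produce, and prints nothing when both are present.
missing_ufw_rules() {
  awk '
    # Rows look like "80/tcp  ALLOW  Anywhere" or "80/tcp (v6)  ALLOW  Anywhere (v6)".
    $1 == "80/tcp"  && ($2 == "ALLOW" || $3 == "ALLOW") { have80 = 1 }
    $1 == "443/tcp" && ($2 == "ALLOW" || $3 == "ALLOW") { have443 = 1 }
    END {
      if (!have80)  print "ufw allow http"
      if (!have443) print "ufw allow https"
    }'
}

# Count IPv4 A records in `dig +short` output. More than one (e.g. a stale
# URL-forwarding address) means some validation requests reach the wrong host.
a_record_count() {
  grep -cE '^[0-9]+(\.[0-9]+){3}$' || true
}

# $1 = dig output, $2 = ufw status output. Prints findings; returns 1 if any.
preflight_report() {
  local dig_out="$1" ufw_out="$2" problems=0 n rules
  n=$(printf '%s\n' "$dig_out" | a_record_count)
  if [ "$n" -ne 1 ]; then
    echo "DNS: expected 1 A record, found $n (remove stale forwarding records)"
    problems=1
  fi
  rules=$(printf '%s\n' "$ufw_out" | missing_ufw_rules)
  if [ -n "$rules" ]; then
    printf 'Firewall: validation ports blocked; run:\n%s\n' "$rules"
    problems=1
  fi
  return "$problems"
}

# Constructed samples mirroring the thread: two A records, only SSH allowed.
SAMPLE_DIG='192.64.119.125
45.76.124.78'
SAMPLE_UFW='To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

if preflight_report "$SAMPLE_DIG" "$SAMPLE_UFW"; then echo "ready for --standalone"; fi
```

On a live host, replace the samples with `$(dig +short A canberrasocial.net)` and `$(sudo ufw status)`; the provider-level firewall mentioned above is not visible to ufw and still has to be checked in the control panel.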

Oh man, super easy! Yes, that worked and now the standalone certificate command works too. Thank you so much!

2 Likes