The server could not connect to the client to verify the domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
anthonycknighton.com

I ran this command:
sudo certbot certonly --standalone -d mail.anthonycknighton.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mail.anthonycknighton.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mail.anthonycknighton.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.anthonycknighton.com/.well-known/acme-challenge/KDDpwF-j8ubCG058geD85hxhsxMHDtIqsZZHQ6Cnwac: Timeout during connect (likely firewall problem)

My web server is (include version):
Raspberry Pi 4

The operating system my web server runs on is (include version):
Raspbian GNU/Linux 10

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Cloudflare

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

Welcome to the community @anthonyk

Using --standalone is trickier to debug than some other methods. The problem is likely to be in your router, such as port 80 forwarding, or a firewall blocking access.

Try this:

sudo certbot certonly --standalone -d mail.anthonycknighton.com -v --debug-challenge --dry-run

That will pause certbot while it listens on port 80.
Then, in a separate window or device, do:

curl -i http://mail.anthonycknighton.com

Right now you are likely to see a timeout - the same error as certbot showed in your post. Adjust your router and/or firewall until the curl returns something like:

HTTP/1.0 200 OK
Server: BaseHTTP/0.6 Python/3.8.10
Date: Thu, 13 Jan 2022 03:00:52 GMT
Content-Type: text/html

ACME client standalone challenge solver

You may need to try this multiple times until you get it working.

Once you get the successful connection, retry your original certbot command. That is, without the -v --debug-challenge --dry-run I had you add to it for debug. It should work fine then.

Post back if you have any questions.

2 Likes
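The check in the reply above is a manual one: pause certbot with --debug-challenge, run curl from outside, and read the result. The script below is an added example, not code from the thread's participants or from Certbot; it runs the same curl request with a bounded wait and maps curl's exit status to the likely cause (timeout, refused, DNS, or "something other than certbot answered"), so the reader can tell a firewall or port-forwarding problem apart from a wrong listener. The default hostname is the one from the thread; the timeout, function names and advice strings are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread or from Certbot): reproduce the
# curl check from the reply above and classify the outcome. Pass the hostname
# as the first argument to run the live check; with no arguments only the
# functions are defined. Timeout and function names are assumptions.

DEFAULT_HOST="mail.anthonycknighton.com"   # domain from the thread
DEFAULT_TIMEOUT=10                          # seconds before curl gives up (assumed)

# classify_http_check CURL_EXIT RESPONSE
# Maps curl's exit status plus the captured response (headers and body) to one
# of: standalone-ok, other-server, timeout, refused, dns, error.
classify_http_check() {
    code="$1"
    body="$2"
    case "$code" in
        0)
            # Certbot's --standalone solver identifies itself in the body.
            if printf '%s' "$body" | grep -q 'ACME client standalone challenge solver'; then
                echo standalone-ok
            else
                echo other-server
            fi
            ;;
        28) echo timeout ;;   # curl: operation timed out (typical when a firewall drops SYNs)
        7)  echo refused ;;   # curl: could not connect (port reachable, nothing listening)
        6)  echo dns ;;       # curl: could not resolve host
        *)  echo error ;;
    esac
}

# explain CATEGORY: print the next thing to check for each category.
explain() {
    case "$1" in
        standalone-ok) echo "Port 80 reaches certbot's standalone listener; rerun the real certbot command." ;;
        other-server)  echo "Something answered on port 80, but not certbot: check the Server header (another web server, proxy or CDN in front of the host)." ;;
        timeout)       echo "Connection timed out: check router port forwarding for TCP/80, local firewall rules, and whether the ISP blocks port 80." ;;
        refused)       echo "Connection refused: port 80 is reachable but nothing is listening; make sure certbot --debug-challenge is still paused." ;;
        dns)           echo "Name did not resolve: check the DNS A/AAAA record for the host." ;;
        *)             echo "curl failed for another reason; rerun it with -v." ;;
    esac
}

# check_port80 HOST TIMEOUT: run the same request the reply suggested, but
# with a bounded wait, then print the classification and advice.
check_port80() {
    host="$1"
    secs="$2"
    out=$(curl -sS -i --max-time "$secs" "http://$host/" 2>&1)
    rc=$?
    cat=$(classify_http_check "$rc" "$out")
    printf 'curl exit %s -> %s\n' "$rc" "$cat"
    printf '%s\n' "$out" | sed -n '1,5p'   # status line and first few headers
    explain "$cat"
}

# Live check only when a hostname is given, e.g.:  sh check.sh mail.example.com 10
if [ $# -gt 0 ]; then
    check_port80 "${1:-$DEFAULT_HOST}" "${2:-$DEFAULT_TIMEOUT}"
fi
```

Run it from a machine outside your LAN while certbot is paused on --debug-challenge, since a request from inside the network may never traverse the router's port forward. If the name is proxied through a CDN such as the Cloudflare panel mentioned in the first post, the reply comes from the CDN edge rather than the Pi, and the Server header will not be the BaseHTTP one shown above; the script reports that case as other-server.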

Thank you for the response. After seeing the output of

 sudo certbot certonly --standalone -d mail.anthonycknighton.com -v --debug-challenge --dry-run

and

curl -i http://mail.anthonycknighton.com

it definitely seems to be a firewall issue. Could it be possible that port 80 is not open? I am not very familiar with firewall configuration, but I at least know how to log into the router and make some rudimentary firewall changes. It is probably difficult to tell, but what changes do you recommend I make? I attached a screenshot of some output of those commands.

1 Like

Yes.

The left screen does not look like the result of the --debug-challenge options I described. It looks like part of the log from your original request. Fine if that was intended.

Some ISPs block port 80, so if your router is set up right, maybe check with them.

Maybe try a forum that supports your router for assistance on port forwarding and/or firewall.

4 Likes
