Timeout after connect (your server may be slow or overloaded)

I have run into an unusual problem running certbot. The connection times out while getting the .well-known/acme-challenge. However, while certbot is waiting for the reply, I look into the log file, find the challenge token and create a request to the server from my laptop (external network) and I successfully retrieve the verification. I have contacted the firewall provider for the hosting services, but it is weird that I can access the port, while certbot/letsencrypt cannot.

My domain is: www.bexome.com

I ran this command:

sudo certbot -v --apache -d www.bexome.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for www.bexome.com
Performing the following challenges:
http-01 challenge for www.bexome.com
Waiting for verification...
Challenge failed for domain www.bexome.com
http-01 challenge for www.bexome.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.bexome.com
  Type:   connection
  Detail: Fetching http://www.bexome.com/.well-known/acme-challenge/KAupwAm6TKHaar7o-gt1yiINL6u7XqEs4VKOPNJp3zM: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):
apache2 2.4.41-4ubuntu3.10

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I'm getting an expected "404 file not found" error when I try the URL http://www.bexome.com/.well-known/acme-challenge, but as soon as I add the slash / or more to the end of that (e.g. http://www.bexome.com/.well-known/acme-challenge/ or http://www.bexome.com/.well-known/acme-challenge/test-file), I too am getting that timeout after an initial connection.

Does your Apache configuration have some kind of special handling for the path /.well-known/acme-challenge/ ?

3 Likes
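The check the original poster did by hand (take the token from the log, fetch the challenge URL from an outside network) and the 404-versus-timeout split noted in the reply above, written up as an added example that is not code from the thread or from certbot: a small Python script that pulls the challenge URL out of certbot's output and then fetches it in two phases, so a TCP connect that completes but never gets an HTTP answer (the CA's "Timeout after connect") is reported separately from a refused or unreachable port. The certbot output is a constructed sample using the values from the thread; the local black-hole and 404-only servers are constructed stand-ins for the hosting firewall and for Apache, so the script runs offline.

```python
"""Probe a certbot http-01 challenge URL the way the CA does.

Added example (not code from the thread or from certbot): extract the
challenge URL that certbot prints, then fetch it in two phases so that a
TCP connect that succeeds but never gets an HTTP answer ("Timeout after
connect") is told apart from a refused or unreachable port.
"""
import http.client
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed sample of certbot's failure output; values copied from the thread.
SAMPLE_CERTBOT_OUTPUT = """\
  Domain: www.bexome.com
  Type:   connection
  Detail: Fetching http://www.bexome.com/.well-known/acme-challenge/KAupwAm6TKHaar7o-gt1yiINL6u7XqEs4VKOPNJp3zM: Timeout after connect (your server may be slow or overloaded)
"""

# The URL certbot reports, up to the ':' that precedes the CA's error text.
CHALLENGE_RE = re.compile(
    r"Fetching (http://\S+?/\.well-known/acme-challenge/[A-Za-z0-9_-]+):")


def challenge_url_from_output(text):
    """Return the first challenge URL found in certbot output, or None."""
    match = CHALLENGE_RE.search(text)
    return match.group(1) if match else None


def probe(url, timeout=5.0):
    """Fetch url over plain HTTP and report in which phase it failed.

    Returns {"phase": "dns"|"connect"|"http", "result": ...}. A result of
    "timeout_after_connect" means the TCP handshake completed but no HTTP
    response arrived within `timeout` seconds, i.e. what the CA reported.
    """
    parts = urlparse(url)
    host, port = parts.hostname, parts.port or 80
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror:
        return {"phase": "dns", "result": "unresolvable"}
    except ConnectionRefusedError:
        return {"phase": "connect", "result": "refused"}
    except socket.timeout:
        return {"phase": "connect", "result": "timeout"}
    except OSError as exc:
        return {"phase": "connect", "result": exc.strerror or str(exc)}
    # Handshake done: reuse the connected socket so only the HTTP phase is timed.
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.sock = sock
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.netloc})
        return {"phase": "http", "result": conn.getresponse().status}
    except socket.timeout:
        return {"phase": "http", "result": "timeout_after_connect"}
    except (http.client.HTTPException, OSError) as exc:
        return {"phase": "http", "result": type(exc).__name__}
    finally:
        conn.close()


class _NotFound(BaseHTTPRequestHandler):
    """Stand-in for Apache answering 404 for an unknown challenge file."""

    def do_GET(self):
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def start_404_server():
    """Start a local 404-only HTTP server; returns (port, shutdown_callable)."""
    srv = HTTPServer(("127.0.0.1", 0), _NotFound)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_port, lambda: (srv.shutdown(), srv.server_close())


def start_blackhole_server():
    """Stand-in for a filter that completes the TCP handshake and then drops
    the HTTP request on the floor; returns (port, shutdown_callable)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.2)  # lets the accept loop notice a closed listener
    held = []  # accepted sockets are kept open and never read or answered

    def accept_loop():
        while True:
            try:
                held.append(listener.accept()[0])
            except socket.timeout:
                continue
            except OSError:  # listener closed by shutdown
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()[1], listener.close


if __name__ == "__main__":
    print("challenge URL:", challenge_url_from_output(SAMPLE_CERTBOT_OUTPUT))
    for name, starter in (("blackhole", start_blackhole_server),
                          ("apache-404", start_404_server)):
        port, stop = starter()
        target = f"http://127.0.0.1:{port}/.well-known/acme-challenge/test-file"
        print(name, probe(target, timeout=2.0))
        stop()
```

Point `probe()` at the real challenge URL from a host outside the hosting network: a "timeout_after_connect" result means port 80 looks open to a port scan but the HTTP request is being swallowed after the handshake, which is the signature of a layer-7 filter in the path rather than a closed port or a slow Apache, and it matches the thread's eventual finding that the hosting firewall had to allow the ACME application explicitly.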

Thanks for the quick response,

Does your Apache configuration have some kind of special handling for the path /.well-known/acme-challenge/ ?

No, there is no special handling for that path.
However, you are right; I also get the timeout when asking for http://www.bexome.com/.well-known/acme-challenge/ or http://www.bexome.com/.well-known/acme-challenge/test-file.

1 Like

If it's that path specifically, it must be configured to be handled differently somewhere.

4 Likes

Maybe we should have a look at the relevant vhost config section OR the complete output of:
nginx -T

1 Like

So I have multiple virtual hosts running on this server, and only if one accesses the exact URL

http://"domainx"/.well-known/acme-challenge/

you get the timeout. In all other regards, the server works normally.

Yes, I've checked all VHosts in Apache and they are as expected. No mention of `.well-known/acme-challenge/` anywhere.

Since the protocol uses port 80 without any encryption, it could be possible that the hosting service firewall might be applying a specific rule to block that type of URL, I'm checking with them to get that out of the list.

Please, run

grep -ir '<Location' /etc/apache2

https://httpd.apache.org/docs/2.4/mod/core.html#location

1 Like

That's also a possibility, but it can mean two things:

  1. They want to sell you a certificate;
  2. They'll handle free certificates for you.
1 Like

@llopera I notice your websites, when accessed through HTTPS (ignoring the certificate error), are redirecting to http://www.<site>:8893/? Why is that? Is there such a redirect internally too on port 80 perhaps?

2 Likes

How about some complicated parsing/URL validation?

1 Like

That is intended, so the website is actually hosted in a backend server, but the frontend handles the SSL protocol. So I created a temporary HTTP site on the front-end to deal with the certification issue. And the redirect is just because the backend likes to force one access path, and right now we have to tunnel to it to keep working on it.

So that HTTPS to weird-port redirect is in no way connected to your HTTP site on port 80?

1 Like

Nope, not related. What is interesting though is that if you try for example:

https://www.eghi-projekt.de/.well-known/acme-challenge/ 

we get the expected 404 error, but if you then try

http://www.eghi-projekt.de/.well-known/acme-challenge/ 

you get the timeout.

And this happens to all domains handled by the frontend. Even those that do not use letsencrypt certificates.

You just said HTTP and HTTPS are completely unrelated. So I'm not surprised one gives a 404 and the other a timeout: the issue is clearly with your HTTP setup. Or hosting provider, as you mentioned earlier.

2 Likes

Thank you all for the comments. They were helpful to narrow down the problem to a firewall issue. They have done their config magic, and now everything works again.

And by config magic, what they did was add the ACME protocol to their list of allowed applications.

2 Likes
