Timeout after connect

Hello! I've been using certbot for a number of years for certificates on my academic department's web server, but it stopped working recently.

My domain is: webwork.piedmont.edu

I ran this command: sudo certbot

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): webwork.piedmont.edu
Requesting a certificate for webwork.piedmont.edu

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: webwork.piedmont.edu
Type: connection
Detail: 204.126.179.40: Fetching http://webwork.piedmont.edu/.well-known/acme-challenge/3ajF-3RmeDZRvX8-nnM_wP1nx11MsWFCNDlsLAzugQo: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is: Piedmont University

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0

Hi @dtorrance, and welcome to the LE community forum :slight_smile:

Does the problem persist or was it just a one time event?
[try using the testing environment, with: sudo certbot --dry-run]


You are probably affected by a Palo Alto Networks brand firewall. Test ACME challenge requests work, but not if they use the same "User-Agent" as the Let's Encrypt servers. I describe this in more detail here:

Tests to your server are below. Both should work. Show these to your network admins.

curl -I -m 10 webwork.piedmont.edu/.well-known/acme-challenge/Test123
HTTP/1.1 404 Not Found
Date: Mon, 08 Aug 2022 16:47:37 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

curl -I -m 10 webwork.piedmont.edu/.well-known/acme-challenge/Test123 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received
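A scripted form of the two probes above, so the comparison can be re-run and handed to network staff as a single result. This is an added example, not a script from any post in this thread; it assumes only a POSIX shell and curl, reuses the constructed token `Test123` and the Let's Encrypt validator User-Agent string quoted above, and the verdict labels are my own naming.

```shell
#!/bin/sh
# Added example: probe one host's ACME challenge path twice, once with curl's
# default User-Agent and once with the Let's Encrypt validator's, and report
# whether the two results differ. Assumes curl is installed.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
# Constructed token: any unknown path under .well-known/acme-challenge/ should
# simply get a 404 from Apache, so a timeout here is the network, not the site.
TOKEN="Test123"

# Run one HEAD probe; prints "<curl_exit> <http_status>" (status is 000 when
# nothing came back, which is what curl's -w reports on failure).
probe() {
  url="$1"; ua="$2"
  out=$(curl -s -I -o /dev/null -m 10 -A "$ua" -w '%{http_code}' "$url"); rc=$?
  echo "$rc ${out:-000}"
}

# Turn a probe result into a verdict. Any HTTP status means the request
# reached Apache; exit 28 is curl's timeout, matching the CA's error above.
classify() {
  rc="$1"; code="$2"
  if [ "$rc" -eq 0 ] && [ "$code" != "000" ]; then echo "answered:$code"
  elif [ "$rc" -eq 28 ]; then echo "timeout"
  elif [ "$rc" -eq 7 ]; then echo "connect-refused"
  else echo "curl-error:$rc"; fi
}

# Compare the two verdicts. A default-UA answer alongside an LE-UA timeout is
# the signature described in the reply: a filter keyed on the validator's UA.
diagnose() {
  default_v="$1"; le_v="$2"
  case "$default_v|$le_v" in
    answered:*"|timeout")        echo "ua-filter-suspected" ;;
    answered:*"|"answered:*)     echo "both-reachable" ;;
    timeout"|"timeout)           echo "both-timeout" ;;
    *)                           echo "inconclusive" ;;
  esac
}

run_check() {
  host="$1"
  url="http://$host/.well-known/acme-challenge/$TOKEN"
  set -- $(probe "$url" "curl")
  d=$(classify "$1" "$2")
  set -- $(probe "$url" "$LE_UA")
  l=$(classify "$1" "$2")
  echo "default-UA: $d"
  echo "LE-UA:      $l"
  echo "verdict:    $(diagnose "$d" "$l")"
}

# Usage: sh acme-ua-check.sh webwork.piedmont.edu
if [ -n "${1:-}" ]; then run_check "$1"; fi
```

Run it from outside the campus network (the filter sits in front of the server, so a probe from the server itself will not reproduce the problem). A `ua-filter-suspected` verdict reproduces exactly the pair of results shown in the reply; `both-reachable` means the path is open and the cause lies elsewhere.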

Excellent -- thanks for your quick reply! I see now in another thread (Palo Alto firewall users with failing HTTP-01 challenges: enable "acme-protocol") that this just started this past spring, which is right around when the problem surfaced. I'll contact our university IT department and hopefully get things cleared up.

Thanks again!


Update: IT enabled "acme-protocol" and I was able to renew the certificate! Thanks again!!

