Timeout and incomplete answer checking the validation file

The same problem.
I try to get a certificate, and when checking the error:

Error: Fetching http://codes.mcdelivery.md/.well-known/acme-challenge/as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc: Timeout during connect (likely firewall problem)

Full Error:

    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://codes.mcdelivery.md/.well-known/acme-challenge/as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/lc64Pb-5ecAMfrNaH7Ag0NpZGSRiBXK5jSP4bzQZTZM/19130584032",
      "token": "as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc",
      "validationRecord": [
        {
          "url": "http://codes.mcdelivery.md/.well-known/acme-challenge/as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc",
          "hostname": "codes.mcdelivery.md",
          "port": "80",
          "addressesResolved": [ "188.138.167.197" ],
          "addressUsed": "188.138.167.197"
        }
      ]
    }

Domain “codes.mcdelivery.md” challenge3 failed. Response from “https://acme-v02.api.letsencrypt.org/acme/challenge/lc64Pb-5ecAMfrNaH7Ag0NpZGSRiBXK5jSP4bzQZTZM/19130584032” was:

but if you click on the link (http://codes.mcdelivery.md/.well-known/acme-challenge/as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc) through the browser, then everything is ok.

What is the problem?

Hi, @Reals,

From one of our validation endpoints, we’re able to reach your site with no problem. From another, though, a test traceroute stopped at the IP address right before your Web server’s, inside the same network (188.138.167.254).

Based on that, it’s very likely that you have (or your immediate upstream ISP has) a firewall or DDoS protection appliance that’s mistakenly blocking that validation endpoint. Could you please look into that, or reach out to them?

If you’re able to find out, we would be very curious to know what behavior or data source led to the block.

Generally speaking, in order to successfully use http-01 validation, your Web server needs to be open to all IP addresses.

Thanks!


Hi @Reals

I've moved your question to a new topic, makes things easier.

There is an additional, curious error, different from the error of Timeout during connect (likely firewall problem) on 8.43.85.0/24 - never seen earlier.

Checking your validation file

http://codes.mcdelivery.md/.well-known/acme-challenge/as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc

with my browser: The content:

as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc

That's an incomplete validation file. The validation file must include:

  • the filename ( as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc is the filename)
  • a dot "."
  • the hash of the public key, that's missing.

So a correct challenge file must have a content like

_auTTDlrpaGVcbpT3zVaNa0w_v2_7YmcqygiHFCO9yw.yCch0mVZpEbB8u8Y4kPLwLUuccDBa3JMMSs08-s3_k0

There must be a blocking instance that filtered something: Partially blocked (timeout), partially interrupted.

Perhaps a bot detection that doesn't work with Let's Encrypt, perhaps a script of your hoster.

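The file layout described in the reply above (token, a dot, then the hash of the account public key) can be checked locally before asking the CA to validate. This is an added example, not code from the thread or from any ACME client: it computes the key hash as the RFC 7638 SHA-256 JWK thumbprint that RFC 8555 specifies, and classifies what the challenge URL returned. The function names and the sample account key are constructed for illustration; only the token comes from the thread.

```python
import base64
import hashlib
import json
import re

# Members that enter the RFC 7638 thumbprint, per key type.
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
B64URL = re.compile(r"^[A-Za-z0-9_-]+$")


def jwk_thumbprint(jwk):
    """base64url(SHA-256(canonical JWK)), unpadded (RFC 7638)."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """Exact body expected at /.well-known/acme-challenge/<token>."""
    return token + "." + jwk_thumbprint(jwk)


def diagnose(body, token, jwk):
    """Classify the bytes a server returned for the challenge URL."""
    text = body.decode("utf-8", errors="replace").rstrip()
    if text == key_authorization(token, jwk):
        return "ok"
    if text == token:
        return "truncated: token only, '.' and thumbprint missing"
    if not text.startswith(token + "."):
        return "wrong content: does not start with '<token>.'"
    tail = text[len(token) + 1:]
    if len(tail) != 43 or not B64URL.match(tail):
        return "malformed thumbprint"
    return "thumbprint mismatch: file written for a different account key"


# Token from the thread; the account key is constructed (not a real key).
TOKEN = "as44OoFsaJkeiSOdGqQPwtIjgi7tp2-12YMFSI17GNc"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}

if __name__ == "__main__":
    print(key_authorization(TOKEN, SAMPLE_JWK))
    print(diagnose(TOKEN.encode(), TOKEN, SAMPLE_JWK))
```

A "truncated" or "wrong content" result for a file that is correct on disk indicates that something between the client and the web server is rewriting the response.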
