'Timeout during connect (likely firewall problem)' From Within Plesk

My domain is: u22961052.onlinehome-server.com

I ran this command: 'Get it free' from within Plesk [I'm trying to get things working within Plesk if at all possible before resorting to the command line]

It produced this output: Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/153002134597.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: 74.208.79.181: Fetching https://u22961052.onlinehome-server.com/.well-known/acme-challenge/mgMFlXo1A5SAhw2kPaXD4dJUJr9hwHktMfd1L76ml_0: Timeout during connect (likely firewall problem)

My web server is (include version): Nginx 1.20.2

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My hosting provider, if applicable, is: IONOS 1 and 1

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 18.0.43

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.30.0 [although I do not know if Plesk uses that client or not]

Reading through the other topics with a similar title, I saw a reference to /var/log/letsencrypt/letsencrypt.log. That file contains the following. However, the timestamps in that file do not line up with my Plesk-initiated requests and re-running the Plesk-initiated request does not change the log file.

2022-09-13 05:50:03,899:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-09-13 05:50:04,536:DEBUG:certbot._internal.main:certbot version: 1.30.0
2022-09-13 05:50:04,536:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2344/bin/certbot
2022-09-13 05:50:04,536:DEBUG:certbot._internal.main:Arguments: ['-q', '--preconfigured-renewal']
2022-09-13 05:50:04,536:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-13 05:50:04,622:DEBUG:certbot._internal.log:Root logging level set at 40
2022-09-13 05:50:04,633:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/u22961052.onlinehome-server.com.conf
2022-09-13 05:50:04,661:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f0d5039a460> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f0d5039a460>
2022-09-13 05:50:04,690:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-09-13 05:50:04,851:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-09-13 05:50:04,853:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/u22961052.onlinehome-server.com/cert2.pem is signed by the certificate's issuer.
2022-09-13 05:50:04,854:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/u22961052.onlinehome-server.com/cert2.pem is: OCSPCertStatus.GOOD
2022-09-13 05:50:04,859:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-09-13 05:50:04,860:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2022-09-13 05:50:04,865:DEBUG:certbot._internal.plugins.selection:Selecting plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f0d5039efa0>
2022-09-13 05:50:04,866:DEBUG:certbot._internal.display.obj:Notifying user:


2022-09-13 05:50:04,866:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2022-09-13 05:50:04,866:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/u22961052.onlinehome-server.com/fullchain.pem expires on 2022-11-28 (skipped)
2022-09-13 05:50:04,866:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-09-13 05:50:04,866:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-09-13 05:50:04,866:DEBUG:certbot._internal.renewal:no renewal failures

I am puzzled by your question. Can you explain more?

Because I see from the crt.sh here that you have been getting a cert for that name very regularly for several months now.

And, your server is sending out the most recent cert issued, which you can see with an SSL Test site like this one.

It looks like you have a properly configured system working. What do you hope to improve?

3 Likes

Oh, I do see a problem using IPv6 connecting to your site. You should work with your hosting service or ISP to resolve that or remove the AAAA record from your DNS.

nslookup u22961052.onlinehome-server.com
A    Address: 74.208.79.181
AAAA Address: 2607:f1c0:803:1a00::1:6297

Tests to each get this

IPv4 correct:
curl -I4  u22961052.onlinehome-server.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 13 Sep 2022 18:46:14 GMT
Location: https://u22961052.onlinehome-server.com/

IPv6 fails:
curl -I6 -m10  u22961052.onlinehome-server.com
curl: (28) Failed to connect to u22961052.onlinehome-server.com port 80 after 5002 ms: Connection timed out
3 Likes
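
The per-family check from the reply above, generalized to every A and AAAA address a name resolves to. This is an added example, not part of the original posts; the names `probe_families` and `unreachable` are hypothetical, and the `resolver` parameter exists only so the check can be exercised without DNS.

```python
import socket
import sys


def probe_families(host, port=80, timeout=5.0, resolver=socket.getaddrinfo):
    """TCP-connect to each A/AAAA address of host; return (family, address, status)."""
    results = []
    seen = set()
    for family, _type, _proto, _canon, sockaddr in resolver(
            host, port, type=socket.SOCK_STREAM):
        if family not in (socket.AF_INET, socket.AF_INET6) or sockaddr in seen:
            continue
        seen.add(sockaddr)
        label = "IPv4" if family == socket.AF_INET else "IPv6"
        try:
            # Socket creation is inside the try so a host without IPv6
            # support is reported as an error instead of crashing.
            with socket.socket(family, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            status = "ok"
        except socket.timeout:
            # Silent drop: the symptom an ACME validator reports as
            # "Timeout during connect (likely firewall problem)".
            status = "timeout"
        except OSError as exc:
            # Refused, unreachable network, no route, and so on.
            status = "error: " + (exc.strerror or str(exc))
        results.append((label, sockaddr[0], status))
    return results


def unreachable(results):
    """Keep only the addresses that did not accept a connection."""
    return [r for r in results if r[2] != "ok"]


if __name__ == "__main__":
    # Usage: python3 probe.py <hostname>
    report = probe_families(sys.argv[1])
    for label, addr, status in report:
        print(f"{label:4} {addr:40} {status}")
    # A non-zero exit means at least one published address is unreachable,
    # so either fix that path or remove the record from DNS.
    sys.exit(1 if unreachable(report) else 0)
```

Run it from a machine outside the server's own network, since a local check does not pass through the provider's firewall.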
