Timeout during connect (likely firewall problem) - not my server's issue

My certificate contains 17 domains (all subdomains pointed to the same IP), which I added with
certbot certonly -d example.com -d sub1.example.com -d subNN.example.com

Every time I attempt to renew the certificate, only a couple (if any) of the domains get validated with no problem; the rest get "Timeout during connect (likely firewall problem)".
It's not something on my end, because I've tested access to the acme-challenge files from outside of my local network and it works just fine. But the most important evidence is that when I run certbot renew again, a couple more domains get validated, until I hit the failed validation limit.
So, I have to run the renewal process at least 9 times to get it renewed.

What's more curious is that my server's logs show that acme-challenge/* files are being requested with a 200 response code (which means they exist), usually only for a couple of domains at a time, from 2 different IPs for each domain, yet the same domains that were requested sometimes still get "timeout" - WHAT?

Without the actual domain names we cannot give specific advice. You also did not answer many of the other questions on the form you should have been shown when posting in the Help topic.

So, some general comments

A successful challenge should show at minimum 4 and probably 5 "200" replies from your server. If you see fewer, that means something is blocking some Let's Encrypt servers.

Recently LE introduced new non-USA-based server validation points. You should check whether you block by geography. If so, either un-block that or allow any /.well-known/acme-challenge/ URI from anywhere. Or, consider switching to the DNS challenge if your authoritative DNS servers are not geo-blocked.

The answers to the other questions would have probably allowed us to pinpoint exactly what is happening.

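The check suggested above (count how many distinct validator IPs got a "200" for each domain's challenge file, and flag domains that fall short of the 4 or 5 expected) can be scripted against the web server's access log. The following is an added example written for this thread; it is not code from the original posts or from certbot. It assumes an Apache "vhost_combined" style log (virtual host prefixed to each line) so that hits can be grouped per domain, and the sample lines below are constructed with RFC 5737 documentation addresses, not real Let's Encrypt validator IPs.

```python
import re
from collections import defaultdict

# Constructed sample access log in Apache "vhost_combined" style
# (%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i").
# IPs are RFC 5737 documentation addresses, not real validator IPs.
SAMPLE_LOG = """\
example.com:80 192.0.2.10 - - [10/Oct/2023:12:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
example.com:80 192.0.2.11 - - [10/Oct/2023:12:00:01 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
example.com:80 198.51.100.20 - - [10/Oct/2023:12:00:02 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
example.com:80 198.51.100.21 - - [10/Oct/2023:12:00:02 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
example.com:80 203.0.113.30 - - [10/Oct/2023:12:00:03 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
example.com:80 203.0.113.99 - - [10/Oct/2023:12:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
sub1.example.com:80 192.0.2.10 - - [10/Oct/2023:12:00:05 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
sub1.example.com:80 198.51.100.20 - - [10/Oct/2023:12:00:05 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
sub3.example.com:80 192.0.2.10 - - [10/Oct/2023:12:00:06 +0000] "GET /.well-known/acme-challenge/tokenC HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
sub3.example.com:80 203.0.113.30 - - [10/Oct/2023:12:00:06 +0000] "GET /.well-known/acme-challenge/tokenC HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server)"
"""

# Parses vhost, client IP, request path and status code from one log line.
LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):\d+ (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) '
)

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MIN_EXPECTED = 4  # the minimum number of "200" replies a healthy challenge shows


def parse_challenge_hits(log_text):
    """Return {vhost: {client_ip: [status codes]}} for acme-challenge requests only."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
            continue  # not a log line we understand, or not a challenge request
        hits[m.group("vhost")][m.group("ip")].append(int(m.group("status")))
    return hits


def assess(hits, expected_domains, min_expected=MIN_EXPECTED):
    """Classify each domain by how many distinct validator IPs received a 200."""
    report = {}
    for domain in expected_domains:
        per_ip = hits.get(domain, {})
        ok_ips = sorted(ip for ip, codes in per_ip.items() if 200 in codes)
        non_200 = {ip: codes for ip, codes in per_ip.items() if 200 not in codes}
        if not per_ip:
            verdict = "no challenge requests reached this vhost (blocked before the web server?)"
        elif len(ok_ips) < min_expected:
            verdict = (f"only {len(ok_ips)} validator IPs got 200 (expected >= {min_expected}); "
                       f"some validators are probably blocked")
        else:
            verdict = "looks healthy"
        report[domain] = {"ok_ips": ok_ips, "non_200": non_200, "verdict": verdict}
    return report


if __name__ == "__main__":
    # Hypothetical domain list, mirroring the -d arguments given to certbot.
    domains = ["example.com", "sub1.example.com", "sub2.example.com", "sub3.example.com"]
    for domain, info in assess(parse_challenge_hits(SAMPLE_LOG), domains).items():
        print(f"{domain}: {info['verdict']}")
        if info["non_200"]:
            print(f"  non-200 replies: {info['non_200']}")
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the access log and the domain list with the names passed to certbot. A domain that shows no challenge requests at all, or fewer than four distinct source IPs with a 200, points at something in front of the web server (geo-blocking, rate limiting, a host firewall) dropping part of the validator fleet, which matches the "timeout" outcome even when a couple of validators did get through; a 404 from one IP instead points at the challenge file itself.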

Do you see anywhere in those failure messages "During Secondary Validation"?


@vanowm "Timeout during connect (likely firewall problem) - not my server's issue"
Probably the firewall problem is not on your server (thus you are probably correct), but even if your server does run a firewall, the issue is likely a firewall problem external to your server.

