Timeout during connect (likely firewall problem) (once again...)

My domain is: vault.burstein.de
My web server is (include version):nginx
The operating system my web server runs on is (include version): Ubuntu LTS 20.04 (in lxc)
My hosting provider, if applicable, is: none/selfhosted
I can login to a root shell on my machine (yes or no, or I don't know): yes

So it seems I have this problem of getting proper validation for the LE certificates because of timeouts. I have read numerous topics about this, but it is not clear to me why it is not working (this time). I have certificates in place for all my subdomains, but now (once again) I get these errors.

I'm using the latest version of acme.sh, and when I try to get a new certificate for the above-mentioned domain:
command - acme.sh command - Pastebin.com
debug output - debug output - Pastebin.com

So it seems port 80 can't be reached; letsdebug also gives me an error:
ANotWorking

Error

vault.burstein.de has an A (IPv4) record (92.39.23.246) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with vault.burstein.de/92.39.23.246: Get "http://vault.burstein.de/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
0ms: Making a request to http://vault.burstein.de/.well-known/acme-challenge/letsdebug-test (using initial IP 92.39.23.246)
9ms: Dialing 92.39.23.246
10000ms: Experienced error: context deadline exceeded

IssueFromLetsEncrypt

Error

A test authorization for vault.burstein.de to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

Fetching http://vault.burstein.de/.well-known/acme-challenge/2vavQ2daVJ5seXKJ2uAY2khp-UD6ifn8RtC-upx158s: Timeout during connect (likely firewall problem)

But when I try to curl -LIv vault.burstein.de/.well-known/acme-challenge/test from a different server (not my home network): https://pastebin.com/cvAk7SpF

So it seems that in general the directory and even the files are accessible and served, but Let's Encrypt still has a problem.

What can I do?

1 Like

Well, Let'sDebug can't get to it, Let's Encrypt can't get to it, and testing from my system can't get to it.

$ curl http://vault.burstein.de/.well-known/acme-challenge/2vavQ2daVJ5seXKJ2uAY2khp-UD6ifn8RtC-upx158s
curl: (7) Failed to connect to vault.burstein.de port 80: Connection timed out

It needs to be accessible from everywhere on the Internet, but it seems to only be visible to you. You need to figure out what's blocking it (maybe something that blocks other parts of the world from where you are; maybe something your ISP has in place) and fix it to allow for port 80 connections from everywhere.

3 Likes

Hello @Burschi500 welcome to the community.
From where I sit, at first glance your main issue must be related to the error message you were presented with in the output of your command.

PORT    STATE    SERVICE
22/tcp  filtered ssh
80/tcp  filtered http
443/tcp filtered https

As @petercooperjr states, in order to obtain a certificate LE must be able to communicate with your server.

3 Likes

Stupid me, problem solved. Yes, it's filtered, but only from where you are. I have some blocklists set up, including the USA, so this could not work. Therefore I see no "filtered" on port 80 from where I am (my remote is also located in Europe), but you and LE do.

Please close this thread. Or better, delete it. Or let it stand here as a testimonial to my incompetence :slight_smile: :upside_down_face:

2 Likes

Glad you figured it out! It's surprisingly easy to forget about blocking rules in place (or not be aware of ones a predecessor put in) and it's surprisingly hard to test how a site works from "everywhere" out there on the Internet. Let's Encrypt actually checks from several vantage points (I don't even know if they're all in the USA) to ensure that you actually own your site as seen from "everywhere" on the Internet before issuing a certificate.

But don't worry, you weren't the first and won't be the last to be tripped up a little by it. :slight_smile:

3 Likes
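The fix the thread arrives at, written out as an added nginx example (not the original poster's configuration): keep a geo-based block list for the site, but exempt the ACME HTTP-01 path so that every Let's Encrypt validation vantage point can reach it. The block-list include path, the placeholder range and the webroot are assumptions.

```nginx
# Added example, not from the thread: geo block list on nginx that does not
# break ACME HTTP-01 validation. Paths and address ranges below are assumed.

# Client address -> "blocked" flag (ngx_http_geo_module, built into nginx).
geo $blocked {
    default 0;
    198.51.100.0/24 1;                       # constructed placeholder range
    include /etc/nginx/geo-blocklist.conf;   # assumed file, one "CIDR 1;" per line
}

# --- Weak setting: the block covers the whole vhost, so validators outside the
# --- allowed regions are refused and HTTP-01 fails for the whole domain.
# server {
#     listen 80;
#     server_name vault.burstein.de;
#     if ($blocked) { return 403; }          # also hits /.well-known/acme-challenge/
#     location / { return 301 https://$host$request_uri; }
# }

# --- Corrected: the ACME path is matched first (^~) and is never subject to
# --- the block; only the rest of the port-80 vhost is geo-restricted.
server {
    listen 80;
    server_name vault.burstein.de;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;                  # assumed webroot (acme.sh --webroot)
        default_type text/plain;
        allow all;                           # reachable from every LE vantage point
    }

    location / {
        if ($blocked) { return 403; }        # geo block applies only here
        return 301 https://$host$request_uri;
    }
}
```

Check with `nginx -t` and reload. If the block is enforced by the host firewall rather than by nginx, as the "filtered" nmap state in this thread suggests, the exemption for the validators has to be made there instead, because nginx never sees the connection.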

You resolved the cert issue... Good job. Don't be too hard on yourself though, you provided perfect information for us to understand your situation.

You have working cert now but I am getting a 502 error when accessing your site. Not sure what that's all about.

3 Likes

... that's because the proxy is working, but the server behind it has not started yet. But after figuring this out, I'll get it up and running soon, I think.

1 Like
