Timeout during connect (likely firewall problem) | port 80 is opened

I wanted to renew my certificates for my website but I can't seem to do it and it is expiring soon :confused: .

My domain is: faruse.com

I ran this command: sudo certbot renew --dry-run

It produced this output:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/faruse.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator nginx, Installer nginx
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for faruse.com
    http-01 challenge for www.faruse.com
    Waiting for verification...
    Challenge failed for domain faruse.com
    Challenge failed for domain www.faruse.com
    http-01 challenge for faruse.com
    http-01 challenge for www.faruse.com
    Cleaning up challenges
    Attempting to renew cert (faruse.com) from /etc/letsencrypt/renewal/faruse.com.conf produced an unexpected error: Some challenges have failed.. Skipping.
    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/faruse.com/fullchain.pem (failure)

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates below have not been saved.)

    All renewal attempts failed. The following certs could not be renewed:
      /etc/letsencrypt/live/faruse.com/fullchain.pem (failure)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    **          (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1 renew failure(s), 0 parse failure(s)

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: faruse.com
       Type:   connection
       Detail: Fetching
       https://faruse.com/.well-known/acme-challenge/RnMkdZ5vu44QA4Xu_x0dqhXjQnfNhIiviK8QRfTbhBE:
       Timeout during connect (likely firewall problem)

       Domain: www.faruse.com
       Type:   connection
       Detail: Fetching
       https://www.faruse.com/.well-known/acme-challenge/r5_ueYajWrZDNtmBgXFzijdnJggDzCgKte5rw1Cn-dc:
       Timeout during connect (likely firewall problem)

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.

My web server is (include version): nginx 1.18 with Nodejs + express in port 5000

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I have been reading and it seems like most say that it is because my port 80 is not open, but when I run: sudo netstat -ntlp | grep LISTEN
I get this:

tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      1061232/mysqld
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1061232/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2732734/nginx: mast
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      600/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1971950/sshd: /usr/
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      2407557/python3
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2732734/nginx: mast
tcp6       0      0 :::5000                 :::*                    LISTEN      2407862/node /root/
tcp6       0      0 :::80                   :::*                    LISTEN      2732734/nginx: mast
tcp6       0      0 :::22                   :::*                    LISTEN      1971950/sshd: /usr/
tcp6       0      0 :::443                  :::*                    LISTEN      2732734/nginx: mast

So I am not sure what I am doing wrong, any help will be appreciated.

Thanks in advance.

1 Like

Hi,

I couldn't find any issues regarding why your web server doesn't work (besides: maybe Cloudflare blocked those requests?). But since you are using Cloudflare, the best way to solve this is to utilize Cloudflare's DNS API with the certbot Cloudflare plugin.
You can obtain the plugin via snap; the instructions are available on certbot.eff.org

2 Likes

Hi @Nicholas

First, your configuration is buggy. If you use --nginx, a temporary rule is added, so https is never checked. But your result says that https is checked.

Second: I can open your https url. If Letsencrypt can't, you have a regional blocking firewall.

PS: If you use Cloudflare, Cloudflare redirects to https -> use webroot, not --nginx.

1 Like

Hi @stevenzhu , Thank you for your response, I will try snaps for now, but won't it clash with the existing configuration of certbot? Thanks

1 Like

It's always better if you back up your /etc/letsencrypt/ folder before you do the upgrade or switch.
Also (after backup), you can uninstall your certbot and get it via snap, since it provides more support to certbot (more plugins etc).

2 Likes

Hi @JuergenAuer , Thank you for your response,

I see, how should I fix this in the nginx server block?

Hmmm okay, how can I unblock this regional blocking firewall? I tried to renew with webroot, but it told me to insert my webroot, whereas I believe my files are handled by connecting to a port and not from a directory.
Here is my nginx server block:

server {
	root /var/www/html;

	index index.html index.htm index.nginx-debian.html;

	server_name faruse.com www.faruse.com;

	location / {
		# Everything else is proxied to the Node/Express app on port 5000
		# (WebSocket upgrade headers are passed through).
		proxy_pass http://localhost:5000;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection 'upgrade';
		proxy_set_header Host $host;
		proxy_cache_bypass $http_upgrade;
	}

	location /iapi {
		proxy_pass http://localhost:7000;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection 'upgrade';
		proxy_set_header Host $host;
		proxy_cache_bypass $http_upgrade;
	}

	# A regex location takes precedence over the "location /" prefix, so
	# challenge files are served from the root above instead of being proxied.
	location ~ ^/\.well-known/acme-challenge/ {
		allow all;
	}

	listen [::]:443 ssl ipv6only=on; # managed by Certbot
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/faruse.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/faruse.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

1 Like

Managed to renew my certificates by using snap @stevenzhu Thanks! Now my certificates expire in 89 days.
But a concern of mine is that when I try to do a dry run, it still gives me the same error. Is there any way to fix this?

1 Like

Here's what I did to handle those validations (and bypass the proxy).

Create a new folder in your nginx document root, then make two sub-folders.
Basically mkdir -p /var/www/cert-validation/.well-known/acme-challenge/

	location ~ ^/\.well-known/acme-challenge/ {
		root /var/www/cert-validation/;
	}

You need to move the above mentioned location block above all proxy blocks, thus avoiding the request being sent to the proxy (tbh, I don't know if this is necessary).
Then, whenever you use webroot validation, go with --webroot-path /var/www/cert-validation/
You can reuse the same validation path for multiple website configs.

1 Like
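The webroot layout described in the post above (token file under `<webroot>/.well-known/acme-challenge/`) can be checked locally before asking Let's Encrypt to do it. The following is an added example, not code from the thread or from certbot: a throwaway `http.server` stands in for nginx, a token is written where certbot's webroot plugin would write it, and the fetch is classified the same way the ACME error details in this thread read (a 404 means the wrong webroot or location, "refused" means nothing listens on that port, and a connect timeout is what the validation server reports as "Timeout during connect"). The optional `Host` header emulates fetching by domain name while connecting to a local address, which is how you would test a real nginx without going through Cloudflare; the hostname and the challenge body (bare token instead of token.keyauth) are assumptions for the demo.

```python
"""Offline self-test of the HTTP-01 webroot layout (added example, not from the thread)."""
import http.server
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path
from typing import Optional

CHALLENGE_DIR = Path(".well-known") / "acme-challenge"


def write_token(webroot: Path) -> str:
    """Create <webroot>/.well-known/acme-challenge/<token>, as certbot's webroot plugin does."""
    token = secrets.token_urlsafe(32)
    target = webroot / CHALLENGE_DIR
    target.mkdir(parents=True, exist_ok=True)
    # A real challenge body is "<token>.<key-authorization>"; the bare token is enough here.
    (target / token).write_text(token)
    return token


def fetch_challenge(base_url: str, token: str, host: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Fetch the token over HTTP and classify the outcome like the ACME error details."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    headers = {"Host": host} if host else {}  # like curl --resolve against a local nginx
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
            final_url = resp.geturl()  # reveals an http->https redirect, if the server sent one
    except urllib.error.HTTPError as err:
        return {"result": f"http-{err.code}", "final_url": err.geturl()}  # 404: wrong webroot/location
    except urllib.error.URLError as err:
        reason = err.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return {"result": "timeout", "final_url": url}  # "Timeout during connect"
        if isinstance(reason, ConnectionRefusedError):
            return {"result": "refused", "final_url": url}  # nothing listening on that port
        return {"result": f"error:{reason}", "final_url": url}
    except (socket.timeout, TimeoutError):
        return {"result": "timeout", "final_url": url}
    result = "ok" if body.strip() == token else "body-mismatch"  # another file or a proxy answered
    return {"result": result, "final_url": final_url}


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the self-test silent
        pass


def serve_webroot(webroot: Path) -> http.server.ThreadingHTTPServer:
    """Stand-in for nginx: serve files straight out of the given webroot on a random port."""
    handler = partial(QuietHandler, directory=str(webroot))
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def selftest(webroot: Path, base_url: str, host: Optional[str] = None) -> dict:
    """Write a token into webroot and fetch it back through base_url."""
    return fetch_challenge(base_url, write_token(webroot), host=host)


def free_port() -> int:
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo() -> dict:
    """Three scenarios against the stand-in server: right webroot, wrong webroot, no listener."""
    served = Path(tempfile.mkdtemp(prefix="webroot-"))
    httpd = serve_webroot(served)
    base = f"http://127.0.0.1:{httpd.server_address[1]}"
    try:
        return {
            "right_webroot": selftest(served, base, host="faruse.com")["result"],
            "wrong_webroot": selftest(Path(tempfile.mkdtemp(prefix="other-")), base)["result"],
            "nothing_listening": fetch_challenge(f"http://127.0.0.1:{free_port()}", "x")["result"],
        }
    finally:
        httpd.shutdown()
        httpd.server_close()


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Against a real server, point `base_url` at the public address and pass the domain as `host`; a result of `ok` with a `final_url` starting with `https://` tells you the http request was redirected before being answered, which is the situation the timeout in this thread arose from.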

I think you might have created a duplicate certificate (created a new one instead of renewing the old one). You might want to dig into your letsencrypt renewal configuration files.
Try sudo certbot certificates

1 Like

@stevenzhu Here is what I'm getting:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: faruse.com
    Serial Number: 480f7b570872dc50311b8727628590145cb
    Key Type: RSA
    Domains: faruse.com www.faruse.com
    Expiry Date: 2021-07-05 14:24:11+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/faruse.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/faruse.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

There seems to be only one certificate..

1 Like

The output looks good.

When you try to renew it (--dry-run), did it say it uses DNS-01 validation? Or does it still use HTTP-01?

1 Like

@stevenzhu It seems to still be using http-01.
Here are the logs:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/faruse.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for faruse.com and www.faruse.com
Performing the following challenges:
http-01 challenge for faruse.com
http-01 challenge for www.faruse.com
Waiting for verification...
Challenge failed for domain faruse.com
Challenge failed for domain www.faruse.com
http-01 challenge for faruse.com
http-01 challenge for www.faruse.com
Cleaning up challenges
Failed to renew certificate faruse.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/faruse.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: faruse.com
   Type:   connection
   Detail: Fetching
   https://faruse.com/.well-known/acme-challenge/5zDlnox4raJAtB6xmOB5TEgXckeJafD-b0SAsgPTunM:
   Timeout during connect (likely firewall problem)

   Domain: www.faruse.com
   Type:   connection
   Detail: Fetching
   https://www.faruse.com/.well-known/acme-challenge/iKn37CJAitiX6wfAobeJM3b4dvwQME0IxHKXt6-iAGw:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

1 Like

Then, can you show the content of /etc/letsencrypt/renewal/faruse.com? (It may be a folder, if so, please share the configuration file...)

In this case, we might need to backup the config file and attempt to modify it to save the changes. (Which should be done automatically when you renewed the certificate today)...

@schoen @griffin Can you take a look at this when you are available? I haven't used certbot for a year so I'm not confident about advising @Nicholas to modify his renewal configuration file...

1 Like

@stevenzhu
Here is the content of the conf file

# renew_before_expiry = 30 days
version = 1.13.0
archive_dir = /etc/letsencrypt/archive/faruse.com
cert = /etc/letsencrypt/live/faruse.com/cert.pem
privkey = /etc/letsencrypt/live/faruse.com/privkey.pem
chain = /etc/letsencrypt/live/faruse.com/chain.pem
fullchain = /etc/letsencrypt/live/faruse.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 5b50d275039d6d0a10f633fb26fa77bc
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory

Ah, I see... Thank you very much for your support @stevenzhu! It would be great if I were able to automatically renew the certificates.

1 Like

Basically, the line authenticator should be replaced with the Cloudflare-dns parameter (installer nginx can be left unchanged, as it will help you reload nginx when the new certificate is up). The primary issue is I have no idea what the name of Cloudflare DNS is in this field...
Sorry!

1 Like
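The edit suggested in the post above (swap the authenticator, keep the nginx installer) applied to the renewal file shown earlier in the thread. This is an added example, not certbot's own code or anything from the thread. The plugin name and keys it writes come from the certbot-dns-cloudflare plugin's documentation, not from the thread: `authenticator = dns-cloudflare`, `dns_cloudflare_credentials` (an INI file containing `dns_cloudflare_api_token = ...`, which must not be group/world readable) and `dns_cloudflare_propagation_seconds`. The plugin itself has to be installed first (with the snap build of certbot: `snap install certbot-dns-cloudflare` after `snap set certbot trust-plugin-with-root=ok`). The credentials path `/root/.secrets/cloudflare.ini`, the 30-second propagation delay and the zeroed account id in the sample are assumptions for the example; certbot's renewal file has headerless keys above `[renewalparams]`, which is why the example parses it by hand instead of with configparser.

```python
"""Switch a certbot renewal config from the nginx authenticator to dns-cloudflare (added example)."""
import shutil
import stat
from pathlib import Path

# Constructed sample modelled on the faruse.com.conf shown in the thread (account id is a placeholder).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 1.13.0
archive_dir = /etc/letsencrypt/archive/faruse.com
cert = /etc/letsencrypt/live/faruse.com/cert.pem
privkey = /etc/letsencrypt/live/faruse.com/privkey.pem
chain = /etc/letsencrypt/live/faruse.com/chain.pem
fullchain = /etc/letsencrypt/live/faruse.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 00000000000000000000000000000000
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
"""

SECTION = "[renewalparams]"


def renewal_params(text: str) -> dict:
    """Key/value pairs of [renewalparams]; the keys above that header are left alone."""
    params, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("["):
            inside = stripped == SECTION
            continue
        if inside and "=" in stripped:
            key, value = stripped.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def switch_to_dns_cloudflare(text: str, credentials: str, propagation_seconds: int = 30) -> str:
    """Replace the authenticator line and add the plugin's keys right after it.

    installer = nginx is kept so certbot still reloads nginx after a successful renewal.
    Existing dns_cloudflare_* lines are dropped first, which makes the rewrite idempotent.
    """
    out, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            inside = stripped == SECTION
        elif inside and "=" in stripped and not stripped.startswith("#"):
            key = stripped.split("=", 1)[0].strip()
            if key == "authenticator":
                out.append("authenticator = dns-cloudflare")
                out.append(f"dns_cloudflare_credentials = {credentials}")
                out.append(f"dns_cloudflare_propagation_seconds = {propagation_seconds}")
                continue
            if key.startswith("dns_cloudflare_"):
                continue
        out.append(line)
    return "\n".join(out) + "\n"


def credentials_file_is_private(path: Path) -> bool:
    """The API token file must be readable by its owner only (mode 0600 or stricter)."""
    return stat.S_IMODE(path.stat().st_mode) & 0o077 == 0


def apply(conf: Path, credentials: Path, propagation_seconds: int = 30) -> Path:
    """Back up conf to <conf>.bak, then rewrite it in place; returns the backup path."""
    if not credentials_file_is_private(credentials):
        raise PermissionError(f"{credentials} must not be group/world readable")
    backup = conf.with_suffix(conf.suffix + ".bak")
    shutil.copy2(conf, backup)
    conf.write_text(switch_to_dns_cloudflare(conf.read_text(), str(credentials), propagation_seconds))
    return backup


if __name__ == "__main__":
    # Real use: apply(Path("/etc/letsencrypt/renewal/faruse.com.conf"), Path("/root/.secrets/cloudflare.ini"))
    print(switch_to_dns_cloudflare(SAMPLE_CONF, "/root/.secrets/cloudflare.ini"))
```

After the rewrite, `sudo certbot renew --dry-run` reports a dns-01 challenge for each name instead of the http-01 lines shown above, and the connection timeout no longer applies because nothing has to reach port 80 or 443 from outside.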

I see, thank you very much for specifying where the problem is! Really appreciate your support @stevenzhu

2 Likes

Would be looking forward to @schoen's or @griffin's reply

2 Likes

@Nicholas

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I will look into this after I return from lunch.

@stevenzhu

Thanks for tagging me. Yes, I can certainly help resolve this.

2 Likes

Thank you very much @griffin! Really appreciate the support I have been getting so far :slightly_smiling_face:

2 Likes

Taking a bit longer than I hoped, but should be back with you in about 1.5h.

1 Like