Timeout during connect (likely firewall problem), tried disable firewall

I tried to open port and even disable firewall.
I have to use IPv6.

I ran this command:

sudo certbot certonly --standalone

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): files.soxd.hu
Requesting a certificate for files.soxd.hu

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: files.soxd.hu
  Type:   connection
  Detail: 2a02:ab88:7200:d600:f42f:320e:56de:ced7: Fetching http://files.soxd.hu/.well-known/acme-challenge/30uPiBsQL4VI8K6LFW2tC6pEzxTzyf9CbStpmk6wULU: Timeout during connect (likely firewall problem)

My web server is (include version): filebrowser (GitHub - filebrowser/filebrowser: 📂 Web File Browser)

The operating system my web server runs on is (include version): Linux Mint 20.3

I can login to a root shell on my machine (yes or no, or I don't know): yes (it's my computer)

The version of my client is: certbot 2.7.4

1 Like

Welcome to the community @nullentry

I see why you may need to use --standalone but it is harder to debug.

First, are you sure your ISP allows port 80 connections to you? It looks to be a Vodafone IP and if residential sometimes ISPs don't allow port 80 (HTTP).

But, for now let's assume it should work. Can you try this command:

sudo certbot certonly --standalone -d files.soxd.hu --debug-challenges -v

This will show you a URL and then ask to press enter. Do NOT press enter. Just leave it paused like that and let us know when it is ready. Or, while it is paused try to reach your domain using http://files.soxd.hu from outside your local network. Like using a mobile phone with wifi disabled to use the carrier's network.

You should be able to get some response from Certbot using --debug-challenges while it is paused.

If you get a timeout you will need to inspect each part of your local network to see where it may be blocked. And, contact your ISP about port 80.

4 Likes

Are you sure that's the correct IP address? Because it's completely down:

osiris@erazer ~ $ sudo nmap -sS -6 files.soxd.hu
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-02 22:02 CET
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
osiris@erazer ~ $ sudo nmap -sS -6 -Pn files.soxd.hu
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-02 22:03 CET
Nmap scan report for files.soxd.hu (2a02:ab88:7200:d600:f42f:320e:56de:ced7)
Host is up.
All 1000 scanned ports on files.soxd.hu (2a02:ab88:7200:d600:f42f:320e:56de:ced7) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 202.11 seconds
osiris@erazer ~ $ 

Maybe you're behind CG-NAT? CG-NAT would be unlikely for IPv6.

1 Like

The web server on that computer is not running currently.

Even a non-running webserver should show a response on nmap. Usually an OS responds with "connection closed" instead of just nothing.

Try now.

I can't reach your domain. Just times out. You may need to ask your ISP.

2 Likes

I can see it with nmap, or it's not working from outside?

It's still not yet working from the public internet.

1 Like

You have to have an IPv6 address because my ISP uses NAT on IPv4 addresses and I can't host.

What firewalls have you opened already?

1 Like

I did.

curl -i6 -m10 http://files.soxd.hu
curl: (28) Connection timed out after 10001 milliseconds

# And
nmap -6 files.soxd.hu -Pn -p22,25,80,443
Nmap scan report for files.soxd.hu (2a02:ab88:7200:d600:f42f:320e:56de:ced7)
PORT    STATE    SERVICE
22/tcp  filtered ssh
25/tcp  filtered smtp
80/tcp  filtered http
443/tcp filtered https

4 Likes

I use ufw, I've already tried to disable it.

[image: screenshot of the ufw rules]

Now I've disabled the firewall in the router settings, can you reach it now?

Yes, I can. Port 80 is open, port 443 is closed (thus open in the firewall) as well as 8080.

It's probably the router, ufw looks pretty good (UDP port 80 isn't necessary though).

3 Likes
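As an added example (not posted in the thread), a small Python pre-flight check that does what the helpers did with curl and nmap: connect to the domain over IPv6 on TCP 80 and 443 and report whether each port looks "open", "closed" (the host answered with a reset, so nothing is dropping the packets) or "filtered" (silent timeout, the symptom certbot reported). It uses only the standard library and the domain from the thread; the "filtered" outcome only means anything when the check is run from outside the home network, as suggested above.

```python
import socket
import sys

# Domain from the thread; any other name can be passed on the command line.
DEFAULT_DOMAIN = "files.soxd.hu"


def classify_tcp(host, port, timeout=5.0, family=socket.AF_INET6):
    """One TCP connect attempt, mapped onto the port states nmap prints.

    open        handshake completed, something is listening
    closed      the host answered with a reset: up, but nothing listening
                (so the packets are NOT being dropped by a firewall)
    filtered    silence until the timeout, the symptom certbot reported
    no-address  the name has no record in this family (e.g. no AAAA record)
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return "no-address"
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(infos[0][4])
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:          # TimeoutError on Python 3.10+, same thing
        return "filtered"
    except OSError as exc:          # e.g. "Network is unreachable": no IPv6 here
        return "error: %s" % (exc.strerror or exc)
    finally:
        sock.close()


def preflight(domain, ports=(80, 443), family=socket.AF_INET6):
    """Check the two ports certbot's http-01 flow and the later HTTPS site need."""
    return {port: classify_tcp(domain, port, family=family) for port in ports}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DOMAIN
    for port, state in preflight(target).items():
        print("%s tcp/%d over IPv6: %s" % (target, port, state))
```

A result of "closed" on 80 after the router firewall is off means the path is fine and only the web server is missing; "filtered" means something between the checking host and the machine is still dropping packets.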

So what ports should I add to port forwarding in the router settings?

TCP port 80 for the http-01 challenge to get a certificate and for an HTTP to HTTPS redirect, and TCP port 443 for HTTPS.

1 Like

Thank you for the help!

2 Likes
