Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

Domain: abr.eplus.net

I ran this command:

./certbot-auto -v renew --preferred-challenges http --debug-challenges --dry-run

It produced this output:

./certbot-auto -v renew --preferred-challenges http --debug-challenges --dry-run
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/abr.eplus.net.conf


Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f9beb5aa750> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f9beb5aa750>
Var dry_run=True (set by user).
Var server=set([‘staging’, ‘dry_run’]) (set by user).
Var dry_run=True (set by user).
Var server=set([‘staging’, ‘dry_run’]) (set by user).
Var account=set([‘server’]) (set by user).
Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
http://ocsp.int-x3.letsencrypt.org:80 “POST / HTTP/1.1” 200 527
OCSP response for certificate /etc/letsencrypt/archive/abr.eplus.net/cert6.pem is signed by the certificate’s issuer.
OCSP certificate status for /etc/letsencrypt/archive/abr.eplus.net/cert6.pem is: OCSPCertStatus.GOOD
Should renew, less than 30 days before certificate expiry 2020-04-02 04:36:08 UTC.
Cert is due for renewal, auto-renewing…
Requested authenticator webroot and installer nginx
Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f9beb5d59d0>
Prep: True
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f9be7c58c50>
Prep: True
Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f9be7c58c50> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f9beb5d59d0>
Plugins selected: Authenticator webroot, Installer nginx
Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u’https://acme-staging-v02.api.letsencrypt.org/acme/acct/8733218’, new_authzr_uri=None, terms_of_service=None), 10bfd4fb9fa002a2e85602fd90e594a7, Meta(creation_host=u’cdn01.eplus.net’, creation_dt=datetime.datetime(2019, 3, 28, 13, 42, 18, tzinfo=)))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
https://acme-staging-v02.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 724
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:48 GMT
Content-Type: application/json
Content-Length: 724
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“QVwa5Aw9Yrk”: “Adding random entries to the directory”,
“keyChange”: “https://acme-staging-v02.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
letsencrypt.org
],
“termsOfService”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org/docs/staging-environment/
},
“newAccount”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-acct”,
“newNonce”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce”,
“newOrder”: “https://acme-staging-v02.api.letsencrypt.org/acme/new-order”,
“revokeCert”: “https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert
}
Renewing an existing certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 “HEAD /acme/new-nonce HTTP/1.1” 200 0
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:48 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0001ZP_DBhh6aJFGwbCc7tJEZgZgHUYZV4K4vdDsRT1zl9Y
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0001ZP_DBhh6aJFGwbCc7tJEZgZgHUYZV4K4vdDsRT1zl9Y
JWS payload:
{
“identifiers”: [
{
“type”: “dns”,
“value”: “abr.eplus.net
}
]
}
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/new-order HTTP/1.1” 201 354
Received response:
HTTP 201
Server: nginx
Date: Sat, 14 Mar 2020 07:04:48 GMT
Content-Type: application/json
Content-Length: 354
Connection: keep-alive
Boulder-Requester: 8733218
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/8733218/79287955
Replay-Nonce: 00016JO6TnWl_63P8gyplJYdzjNE0nlqKaXS5Sdd682ZIcY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“status”: “pending”,
“expires”: “2020-03-21T07:04:48.449009255Z”,
“identifiers”: [
{
“type”: “dns”,
“value”: “abr.eplus.net
}
],
“authorizations”: [
https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43664656
],
“finalize”: “https://acme-staging-v02.api.letsencrypt.org/acme/finalize/8733218/79287955
}
Storing nonce: 00016JO6TnWl_63P8gyplJYdzjNE0nlqKaXS5Sdd682ZIcY
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43664656:
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/43664656 HTTP/1.1” 200 809
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:48 GMT
Content-Type: application/json
Content-Length: 809
Connection: keep-alive
Boulder-Requester: 8733218
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 000156rVQYQj5Qrejqak39JGeguzOoqGaPbGWUb6V4lEd2I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “abr.eplus.net
},
“status”: “pending”,
“expires”: “2020-03-21T07:04:48Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/mdtPuA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/czmHQA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
}
]
}
Storing nonce: 000156rVQYQj5Qrejqak39JGeguzOoqGaPbGWUb6V4lEd2I
Performing the following challenges:
http-01 challenge for abr.eplus.net
Using the webroot path /usr/share/nginx/html for all unmatched domains.
Creating root challenges validation dir at /usr/share/nginx/html/.well-known/acme-challenge
Attempting to save validation to /usr/share/nginx/html/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM
Waiting for verification…


Challenges loaded. Press continue to submit to CA. Pass “-v” for more info about
challenges.


JWS payload:
{
“type”: “http-01”,
“resource”: “challenge”
}
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q:
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/chall-v3/43664656/LD6r_Q HTTP/1.1” 200 191
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:48 GMT
Content-Type: application/json
Content-Length: 191
Connection: keep-alive
Boulder-Requester: 8733218
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”, https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43664656;rel=“up”
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q
Replay-Nonce: 0002xw-OO3pScYaKcllGQZyLAbiqKshv44iV2W2UNT0H1Ms
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
}
Storing nonce: 0002xw-OO3pScYaKcllGQZyLAbiqKshv44iV2W2UNT0H1Ms
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43664656:
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/43664656 HTTP/1.1” 200 809
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:49 GMT
Content-Type: application/json
Content-Length: 809
Connection: keep-alive
Boulder-Requester: 8733218
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 00023BwXConnqh3lEaL3uxZdk2twRd35lt9DdQ_AGM1IiV8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “abr.eplus.net
},
“status”: “pending”,
“expires”: “2020-03-21T07:04:48Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/mdtPuA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/czmHQA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
}
]
}
Storing nonce: 00023BwXConnqh3lEaL3uxZdk2twRd35lt9DdQ_AGM1IiV8
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43664656:
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/43664656 HTTP/1.1” 200 809
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:52 GMT
Content-Type: application/json
Content-Length: 809
Connection: keep-alive
Boulder-Requester: 8733218
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002bbwrrlQzRL038BsrDM2xYgjMARPhoPzpP2neIw1mcEE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “abr.eplus.net
},
“status”: “pending”,
“expires”: “2020-03-21T07:04:48Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/mdtPuA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/czmHQA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
}
]
}
Storing nonce: 0002bbwrrlQzRL038BsrDM2xYgjMARPhoPzpP2neIw1mcEE
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43664656:
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/43664656 HTTP/1.1” 200 809
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:55 GMT
Content-Type: application/json
Content-Length: 809
Connection: keep-alive
Boulder-Requester: 8733218
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002z7R0ZJBGnqe0D6lnBfFN_HGseUyM1rPILqdfzM6LIww
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “abr.eplus.net
},
“status”: “pending”,
“expires”: “2020-03-21T07:04:48Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “dns-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/mdtPuA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
},
{
“type”: “tls-alpn-01”,
“status”: “pending”,
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/czmHQA”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”
}
]
}
Storing nonce: 0002z7R0ZJBGnqe0D6lnBfFN_HGseUyM1rPILqdfzM6LIww
JWS payload:

Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/43664656:
https://acme-staging-v02.api.letsencrypt.org:443 “POST /acme/authz-v3/43664656 HTTP/1.1” 200 1025
Received response:
HTTP 200
Server: nginx
Date: Sat, 14 Mar 2020 07:04:58 GMT
Content-Type: application/json
Content-Length: 1025
Connection: keep-alive
Boulder-Requester: 8733218
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel=“index”
Replay-Nonce: 0002nsi-igJ-u2fOOw-eY_NcJFW1wESHnMTGQeG2DTVZw00
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“identifier”: {
“type”: “dns”,
“value”: “abr.eplus.net
},
“status”: “invalid”,
“expires”: “2020-03-21T07:04:48Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “During secondary validation: Fetching http://abr.eplus.net/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/43664656/LD6r_Q”,
“token”: “JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”,
“validationRecord”: [
{
“url”: “http://abr.eplus.net/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM”,
“hostname”: “abr.eplus.net”,
“port”: “80”,
“addressesResolved”: [
“50.93.182.138”
],
“addressUsed”: “50.93.182.138”
}
]
}
]
}
Storing nonce: 0002nsi-igJ-u2fOOw-eY_NcJFW1wESHnMTGQeG2DTVZw00
Challenge failed for domain abr.eplus.net
http-01 challenge for abr.eplus.net
Reporting to user: The following errors were reported by the server:

Domain: abr.eplus.net
Type: connection
Detail: During secondary validation: Fetching http://abr.eplus.net/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Removing /usr/share/nginx/html/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM
All challenges cleaned up
Attempting to renew cert (abr.eplus.net) from /etc/letsencrypt/renewal/abr.eplus.net.conf produced an unexpected error: Some challenges have failed… Skipping.
Traceback was:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/renewal.py”, line 448, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1176, in renew_cert
renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/renewal.py”, line 306, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py”, line 344, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/client.py”, line 391, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/auth_handler.py”, line 180, in _poll_authorizations
raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/abr.eplus.net/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/abr.eplus.net/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Exiting abnormally:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py”, line 15, in main
return internal_main.main(cli_args)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1347, in main
return config.func(config, plugins)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1255, in renew
renewal.handle_renewal_request(config)
File “/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/_internal/renewal.py”, line 473, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: abr.eplus.net
    Type: connection
    Detail: During secondary validation: Fetching
    http://abr.eplus.net/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

nginx -v
nginx version: nginx/1.17.6 (nginx-plus-r20)

The operating system my web server runs on is (include version):

cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

./certbot-auto --version
certbot 1.3.0

=============================

I don’t understand why I am getting the following error:

Challenge failed for domain abr.eplus.net
http-01 challenge for abr.eplus.net
Reporting to user: The following errors were reported by the server:

Domain: abr.eplus.net
Type: connection
Detail: During secondary validation: Fetching http://abr.eplus.net/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM: Timeout during connect (likely firewall problem)

I can see 200 when requesting validation:

66.133.109.36 - - [14/Mar/2020:03:04:49 -0400] "GET /.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"rid="39c0e004c2b934fa2a4b25cbc4f10be7" pck="http://-/.well-known/acme-challenge/JpYqjNutM2pvVdx6mOlKbOZY23gB836xbXjKZF_nkpM"ucs="-"
85.215.2.227 - - [14/Mar/2020:03:09:34 -0400] "GET /.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de HTTP/1.1" 404 153 "-" "Server-Daten Check your Website (https://check-your-website.server-daten.de/)" "-"rid="d9772f4788f0152d2bfddd02be4083f9" pck="http://-/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de"ucs="-"
172.104.24.29 - - [14/Mar/2020:03:10:24 -0400] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)" "-"rid="cde9c7a16553c0380c89d470fb1a5188" pck="http://-/.well-known/acme-challenge/letsdebug-test"ucs="-"
66.133.109.36 - - [14/Mar/2020:03:10:25 -0400] "GET /.well-known/acme-challenge/xCuqtSq4Jsxvtyypc_bOdZrFvcJEBfAvpzwi7PbMJwc HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"rid="7b96dbd9cf09411a98e4b7766518ac53" pck="http://-/.well-known/acme-challenge/xCuqtSq4Jsxvtyypc_bOdZrFvcJEBfAvpzwi7PbMJwc"ucs="-"

I can also see the server is up and valid:

https://letsdebug.net/abr.eplus.net/112434

=============================

cat renewal/abr.eplus.net.conf

renew_before_expiry = 30 days

version = 0.29.1
archive_dir = /etc/letsencrypt/archive/abr.eplus.net
cert = /etc/letsencrypt/live/abr.eplus.net/cert.pem
privkey = /etc/letsencrypt/live/abr.eplus.net/privkey.pem
chain = /etc/letsencrypt/live/abr.eplus.net/chain.pem
fullchain = /etc/letsencrypt/live/abr.eplus.net/fullchain.pem

Options used in the renewal process

[renewalparams]
authenticator = webroot
installer = nginx
account = e1e57b550cc02e1ac7385817fd1a4c1c
server = https://acme-v02.api.letsencrypt.org/directory
webroot_path = /usr/share/nginx/html,
[[webroot_map]]
abr.eplus.net = /usr/share/nginx/html

1 Like

I think it’s related to a more strict policy.

Can only see hits from one IP address; should see 3 other requests.

1 Like
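
The check described in the reply above (only one source IP reached the server), as an added example that is not part of the original thread: it groups access-log hits from the Let's Encrypt validation User-Agent by challenge token and lists tokens that were fetched successfully from fewer distinct source addresses than expected. The log lines, tokens and addresses are constructed, and `expected_sources=4` is an assumption taken from the reply's "3 other request".

```python
import re
from collections import defaultdict

# Assumption: the validation server sends this User-Agent prefix, as in the
# access log lines quoted in the first post. Emulators such as Let's Debug
# contain the same words later in their UA string, so match on the prefix only.
LE_UA_PREFIX = "Mozilla/5.0 (compatible; Let's Encrypt validation server;"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Leading part of an nginx "combined"-style line; custom trailing fields
# (rid=, pck=, ucs= in the thread's log) are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Logs pasted through a forum often arrive with typographic quotes.
_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def validation_hits(lines):
    """Return {challenge token: {source IP: set of HTTP statuses}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for raw in lines:
        m = LINE_RE.match(raw.translate(_QUOTES).strip())
        if not m:
            continue
        if not m["ua"].startswith(LE_UA_PREFIX):
            continue  # other scanners and emulators
        if not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        token = m["path"][len(CHALLENGE_PREFIX):]
        hits[token][m["ip"]].add(int(m["status"]))
    return hits


def under_observed(hits, expected_sources=4):
    """Tokens served with a 200 to fewer distinct IPs than expected.

    expected_sources is an assumption (one primary request plus the
    "3 other" requests mentioned in the reply), not a documented constant.
    """
    flagged = {}
    for token, by_ip in hits.items():
        ok = sorted(ip for ip, statuses in by_ip.items() if 200 in statuses)
        if len(ok) < expected_sources:
            flagged[token] = ok
    return flagged


# Constructed sample: tokA is reached from one address only, tokB from four.
# One tokB line keeps forum-style curly quotes; one line is a Let's Debug probe.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2020:03:04:49 -0400] "GET /.well-known/acme-challenge/tokA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.50 - - [14/Mar/2020:03:10:24 -0400] "GET /.well-known/acme-challenge/letsdebug-test HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Debug emulating Let's Encrypt validation server; +https://letsdebug.net)"
192.0.2.10 - - [14/Mar/2020:04:00:01 -0400] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [14/Mar/2020:04:00:02 -0400] “GET /.well-known/acme-challenge/tokB HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
198.51.100.8 - - [14/Mar/2020:04:00:02 -0400] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.9 - - [14/Mar/2020:04:00:03 -0400] "GET /.well-known/acme-challenge/tokB HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
""".splitlines()

if __name__ == "__main__":
    for token, sources in under_observed(validation_hits(SAMPLE_LOG)).items():
        print(f"{token}: only {len(sources)} validation source(s) got a 200: {sources}")
```

A token flagged here means the missing requests never reached the web server, so the place to look is the network path (firewall rules, provider filtering, routing) rather than the webroot.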

You’re right.

Are you blocking AWS? I can’t access http://abr.eplus.net/ from an AWS region where one of Let’s Encrypt’s validation servers is.

1 Like

It’s more related to AWS Direct Connect and with asyn routing across the box.

I have submitted an exception:

Will have this fixed after we move over to Azure ExpressRoute, which will happen within 20 days.

When will I know if this site will be added to exception?

1 Like
