Timeout during connect (likely firewall problem)

Hello

I’m trying to generate a certificate with the http-01 method. LE is able to create the file on my server but cannot read it afterwards. I get the message "Timeout during connect (likely firewall problem)" when I check the details of the LE order.
I tried to access the file with a browser and I’m able to.
Ports 80 and 443 are open.

Any idea what can block LE?

Thank you for your help

My domain is: softystock.redlog.fr

I ran this command: java -jar acme_client.jar --command verify-domains

It produced this output: org.shredzone.acme4j.exception.AcmeLazyLoadingException: Order https://acme-v02.api.letsencrypt.org/acme/order/85093951/3214589898

My web server is: Tomcat 9

The operating system my web server runs on is: Win Server 2019

My hosting provider, if applicable, is: OVH

The version of my client is: acme_client

You should check the directory that Let’s Encrypt will check.

I don’t believe it’s a firewall issue, rather how you need to configure Tomcat to serve from http://softystock.redlog.fr/.well-known/acme-challenge/

As you can see I get a 404 error; if it was a firewall issue I wouldn’t be able to connect at all.

Thank you for your answer.
Nevertheless, when I try to access the file created by LE directly with the browser, I’m able to:
http://softystock.redlog.fr/.well-known/acme-challenge/slaBLy4QJZBI8wYHEU61cfQol5hWZnsAaaUQ5G2uguQ

I also get the error message: No order found for account ID 85093951

Hi @naznac00

Your order says it's a firewall problem - https://acme-v02.api.letsencrypt.org/acme/authz-v3/4321169655

"Fetching http://softystock.redlog.fr/.well-known/acme-challenge/xC7ciU451DCLyQRRRxGD9AChxdQ2UuZRtTLIRLexxLo: Timeout during connect (likely firewall problem)"

So some IP addresses are blocked. That's the first problem you have to fix.

If that is fixed, you may have additional problems.

Hi

Thank you for your reply. I’m checking if there are blocked IP addresses.

What is very strange is that LE is creating the file “D9CDb-Gajw274HEye-4kulMmSyphn12v7Atl41r_fLU” but it tries to access a different one, http://softystock.redlog.fr/.well-known/acme-challenge/xC7ciU451DCLyQRRRxGD9AChxdQ2UuZRtTLIRLexxLo, which doesn’t exist.
When I try to access the correct file directly with my browser I have no issue:
http://softystock.redlog.fr/.well-known/acme-challenge/D9CDb-Gajw274HEye-4kulMmSyphn12v7Atl41r_fLU

I confirm that it isn't a firewall issue. I shut it down for testing and I keep getting the error.

It seems that LE is asking for the wrong file. Indeed, it creates a new file with a new name each time but keeps requesting another one (perhaps an old one?).

It might not be just the firewall. It might even be networking issues such as MTU problems; a firewall is just the most common reason for this issue.

That would result in another error, not in a timeout, obviously.

Your log shared in your first post shows that timeout.

So Let's Encrypt can't connect to your server. That's not a temporary server restart.

I meant I put the firewall OFF.

Is it possible that LE is able to create the token files but not read them?

As you can see, the files are created in the well-known folder.

Please: if you change your configuration, start a new certificate order and share the new result, so we can see whether your new configuration has fixed the old problem.

Yes. The token file is created by your ACME client. The ACME client asks Let's Encrypt what to put in the challenge directory and your ACME client puts it there (i.e., by using an outbound connection to the Let's Encrypt server). Only then, the validation servers try to access it, using an inbound connection on port 80. So as you can see, those are two different steps.
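The two-step flow described in this reply, as an added example that is not code from the thread or from acme_client: a local stand-in for the ACME client writes the token file, a local HTTP server stands in for Tomcat, and a checker plays the role of the validation server. It classifies the outcome into the three cases the thread keeps circling: served with the right content (valid), reachable but the path is not served (404, a web-server configuration problem), and a connection that stalls (timeout, the "likely firewall" class). The two token strings are quoted from the thread; the account-key thumbprint appended to form the key authorization, the ports and the stalling server are constructed for the demonstration.

```python
"""Simulate both steps of an HTTP-01 challenge on localhost and classify the
validation result the way the error messages in this thread do."""
import http.server
import os
import socket
import tempfile
import threading
import time
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def write_token(webroot, token, key_authorization):
    """Step 1 (the ACME client's job): write the challenge file under the
    webroot so the web server can serve it at CHALLENGE_PATH + token."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization)
    return path


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from a directory without logging each request."""
    def log_message(self, *args):
        pass


class StallHandler(http.server.BaseHTTPRequestHandler):
    """Accepts the TCP connection but never answers; a constructed stand-in
    for a host that is reachable yet never responds, which surfaces as a
    timeout on the validator's side."""
    def do_GET(self):
        time.sleep(3)

    def log_message(self, *args):
        pass


def start_server(handler_class, webroot=None):
    """Run an HTTP server on 127.0.0.1 on a free port in a daemon thread."""
    if webroot is not None:
        handler_class = partial(handler_class, directory=webroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_class)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def simulate_validation(base_url, token, expected, timeout=2.0):
    """Step 2 (the validation server's job): fetch the token over an inbound
    HTTP connection and classify what came back."""
    url = base_url + CHALLENGE_PATH + token
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:
        # Reachable, but the web server does not serve that path: a Tomcat or
        # webroot configuration problem, not a firewall problem.
        return ("http_error", exc.code)
    except (urllib.error.URLError, socket.timeout, TimeoutError, OSError) as exc:
        # Refused, unreachable or stalled: the "likely firewall" class.
        return ("connect_failed", type(exc).__name__)
    if body != expected:
        # Served, but not this order's content: stale or wrong token file.
        return ("content_mismatch", body)
    return ("valid", body)


def run_demo():
    """Exercise the three outcomes: correct setup, stale token (404), and a
    stalled connection (timeout). Returns a dict keyed by scenario."""
    created = "D9CDb-Gajw274HEye-4kulMmSyphn12v7Atl41r_fLU"    # quoted from the thread
    requested = "xC7ciU451DCLyQRRRxGD9AChxdQ2UuZRtTLIRLexxLo"  # quoted from the thread
    key_auth = created + ".CONSTRUCTED_ACCOUNT_KEY_THUMBPRINT"  # constructed value
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        write_token(webroot, created, key_auth)
        good = start_server(QuietHandler, webroot)
        base = "http://127.0.0.1:%d" % good.server_address[1]
        results["ok"] = simulate_validation(base, created, key_auth)
        results["stale"] = simulate_validation(base, requested, key_auth)
        good.shutdown()
        good.server_close()
    stalled = start_server(StallHandler)
    base = "http://127.0.0.1:%d" % stalled.server_address[1]
    results["stalled"] = simulate_validation(base, created, key_auth, timeout=0.5)
    stalled.shutdown()
    stalled.server_close()
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Against a real host you would call `simulate_validation("http://softystock.redlog.fr", token, key_auth)` from a machine outside your own network, since the validation servers connect inbound from the Internet; a browser on the server itself, or inside the same LAN, never crosses the perimeter firewall and so proves nothing about that path.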

Hi everybody

I have redone it step by step very carefully and now it is working great!
I don’t know what my mistake was.

Thank you all for your help. It is much clearer for me now.

Have a nice day
