Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
https://server3.thu.media:7081/
I ran this command:
sudo certbot certonly

It produced this output:


How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): server3.thu.media
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server3.thu.media
Input the webroot for server3.thu.media: (Enter 'c' to cancel): /usr/local/lsws/Example/html
Waiting for verification...
Challenge failed for domain server3.thu.media
http-01 challenge for server3.thu.media
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: server3.thu.media
   Type:   connection
   Detail: Fetching
   http://server3.thu.media/.well-known/acme-challenge/rsvPsf1TF2SOWHTk0puJU7PVp_cwSclkUBt_w129mBM:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):
OpenLiteSpeed 1.7.7
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
https://server3.thu.media:7080/
user:admin
password:123456
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

I guess the problem is that I start the web service on port 7081, so if you request server3.thu.media, you can't open it.
So I wonder how I can get the cert.

Hi @jialianchen

You have to add a port 80 with a running webserver. Or (if your port 80 isn't used) use `--standalone`.

See

https://certbot.eff.org/docs/using.html

Thanks for your help!
I use `sudo certbot certonly --standalone`,
but I get the same output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): server3.thu.media
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server3.thu.media
Waiting for verification...
Challenge failed for domain server3.thu.media
http-01 challenge for server3.thu.media
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: server3.thu.media
   Type:   connection
   Detail: Fetching
   http://server3.thu.media/.well-known/acme-challenge/Lwkm2fsWnNzJ4VhbYFZobqzPNOSj0sVBLSUlBtxPzII:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I checked port 80:
lsof -i:80
and it output nothing.
And I don't use ufw:
sudo ufw status
Status: inactive
Could you give me some advice?

As written: Create a webserver port 80, then it's possible to check if that webserver answers.

Then use that webserver to validate your domain.

For example, does this machine have its own dedicated IP address? Is there some reason that the ISP or host would block incoming connections on port 80?

Alternatively, if it's behind a home router with NAT, is the public port 80 forwarded to this device?

I know the problem....
My school bans port 80...
So I wonder how I can get the cert without port 80.

Here are the three options from Let's Encrypt:

The most likely one is a DNS TXT record. This is hard to automate, though, unless you also have an API that lets you make DNS changes from software.

Or build your own API with acme-dns :wink:
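The two answers above describe the same ACME proof from two sides: http-01 needs the CA to open a TCP connection to port 80 and read a "key authorization" from /.well-known/acme-challenge/<token>, which is exactly the request that timed out here; dns-01 instead has the CA look up a TXT record at _acme-challenge.<domain>, so no inbound connection to the host is needed. The Python below is an added example, not code from this thread or from Certbot: it computes both values per RFC 8555 (sections 8.3 and 8.4) and RFC 7638, using a constructed placeholder account key (not a real RSA key) and reusing the token from the first Certbot log above as sample input. The `validate_*` functions mirror the comparison the CA performs.

```python
"""ACME http-01 vs dns-01 challenge material (RFC 8555 sections 8.3 and 8.4, RFC 7638).

Added example, not code from the thread or from Certbot. ACCOUNT_JWK below is a
constructed placeholder (not a real RSA key); TOKEN is the one from the first
Certbot log in the thread, reused here as sample input.
"""
import base64
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed placeholder account key: the thumbprint only needs the JWK members,
# so a nonsense modulus is enough to show the computation.
ACCOUNT_JWK: Dict[str, str] = {
    "kty": "RSA",
    "n": "placeholder-modulus-not-a-real-key",
    "e": "AQAB",
}
TOKEN = "rsvPsf1TF2SOWHTk0puJU7PVp_cwSclkUBt_w129mBM"  # token from the first log above
DOMAIN = "server3.thu.media"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required JWK members, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: Dict[str, str]) -> str:
    """<token>.<thumbprint>: proves the responder controls the ACME account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected(token: str, jwk: Dict[str, str], domain: str) -> Tuple[str, str]:
    """URL the CA fetches over plain HTTP on port 80, and the exact body it expects.

    This is the request that timed out in the thread: the CA must reach port 80
    from outside, and the school network blocks it.
    """
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)


def dns01_expected(token: str, jwk: Dict[str, str], domain: str) -> Tuple[str, str]:
    """TXT record name and value the CA resolves; no inbound connection is needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def validate_http01(body: str, token: str, jwk: Dict[str, str]) -> bool:
    """The CA's check on the fetched body; trailing whitespace is tolerated (RFC 8555 8.3)."""
    return body.rstrip() == key_authorization(token, jwk)


def validate_dns01(txt_values: List[str], token: str, jwk: Dict[str, str], domain: str) -> bool:
    """The CA's check on the TXT RRset: any one matching record suffices."""
    _, expected = dns01_expected(token, jwk, domain)
    return expected in txt_values


if __name__ == "__main__":
    url, body = http01_expected(TOKEN, ACCOUNT_JWK, DOMAIN)
    name, value = dns01_expected(TOKEN, ACCOUNT_JWK, DOMAIN)
    print(f"http-01: GET {url}\n         body = {body}")
    print(f'dns-01:  {name} IN TXT "{value}"')
```

For the situation in this thread, `certbot certonly --manual --preferred-challenges dns` prints the same `_acme-challenge` name and TXT value for you to publish; the http-01 URL computed above is what an external `curl` should return if port 80 is ever reachable from outside.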
