Timeout during connect (likely firewall problem)

Hello, I run sudo certbot renew and I get:

   Domain: tantramassagewarsaw.com
   Type:   connection
   Detail: Fetching
   http://tantramassagewarsaw.com/.well-known/acme-challenge/0JPv8i_1XO6y32rpQrbH4EnAg0LwteuRUSqL_feIR2s:
   Timeout during connect (likely firewall problem)

   Domain: www.tantramassagewarsaw.com
   Type:   connection
   Detail: Fetching
   http://www.tantramassagewarsaw.com/.well-known/acme-challenge/CnKEWlZQMUfI_Il-kQ29D-WExWSq-E4TMFLaU2Gufnw:
   Timeout during connect (likely firewall problem)

The cert renewals have been working fine, but now this error has appeared.

ufw status
Inactive

No other firewall installed.

Nginx vhost is:

# Port 80 vhost for both names. certbot's HTTP-01 request arrives here; the 301
# to HTTPS is fine because Let's Encrypt follows redirects, but the host that
# answers must be the one every published A/AAAA record points to.
server {
        listen 80;
        server_name tantramassagewarsaw.com www.tantramassagewarsaw.com;
        root /var/www/masaztantrycznywarszawa.pl/masaztantrycznywarszawa.pl;
        return 301 https://tantramassagewarsaw.com$request_uri;
}

# Apex name over HTTPS: redirects once more to www (two hops from http://apex).
server {
        listen 443 ssl;
        server_name tantramassagewarsaw.com;

        root /var/www/masaztantrycznywarszawa.pl/masaztantrycznywarszawa.pl;

        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate "/etc/letsencrypt/live/tantramassagewarsaw.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/tantramassagewarsaw.com/privkey.pem";
        ssl_protocols TLSv1.2;
        # The trailing !RC4 removes the RC4 suites named earlier in this list,
        # so those entries are inert.
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
        return 301 https://www.tantramassagewarsaw.com$request_uri;
}

# www over HTTPS: the vhost that actually serves the site.
server {
        listen 443 ssl;
        server_name www.tantramassagewarsaw.com;

        index index.php;

        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_certificate "/etc/letsencrypt/live/tantramassagewarsaw.com/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/tantramassagewarsaw.com/privkey.pem";
        ssl_protocols TLSv1.2;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
        # One HSTS header only. nginx emits every add_header, and RFC 6797 tells
        # clients to process only the first Strict-Transport-Security header, so
        # the second copy (without includeSubdomains) was never honoured anyway.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

        root /var/www/masaztantrycznywarszawa.pl/masaztantrycznywarszawa.pl;

        charset utf-8;


        location ~ \.php$ {
                # Hand only existing .php files to PHP-FPM. Without this, a
                # request such as /img/x.jpg/y.php matches the location and is
                # passed to FastCGI with a SCRIPT_FILENAME that does not exist;
                # with cgi.fix_pathinfo=1 that is the classic "upload executed
                # as PHP" problem.
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass unix:/run/php/php-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SERVER_NAME $host;
                include fastcgi_params;
        }

        location ~* \.(jpg|jpeg|png|gif|ico|css|js|woff|woff2)$ {
                expires 365d;
        }
}

==============

Other certificates on the same machine seem to have renewed fine automatically last night. Many of them show: (VALID: 79 days). But this one alone does not seem to want to be renewed.

Any idea what else I can check?

1 Like

Hi @seekman

Your configuration looks buggy, see https://check-your-website.server-daten.de/?q=tantramassagewarsaw.com

Host                         Type  IP-Address      Location / Provider                                                               is auth.  ∑ Queries  ∑ Timeout
tantramassagewarsaw.com      A     54.37.137.250   Wrocław/Lower Silesia/Poland (PL) - OVH SAS, Hostname: vps-81c304cb.vps.ovh.net    yes       1          0
                             A     80.211.183.70   Arezzo/Tuscany/Italy (IT) - Aruba S.p.A., No Hostname found                       yes       1          0
                             AAAA  (none)                                                                                             yes
www.tantramassagewarsaw.com  A     54.37.137.250   Wrocław/Lower Silesia/Poland (PL) - OVH SAS, Hostname: vps-81c304cb.vps.ovh.net    yes       1          0
                             A     80.211.183.70   Arezzo/Tuscany/Italy (IT) - Aruba S.p.A., No Hostname found                       yes       1          0
                             AAAA  (none)                                                                                             yes

You have two different IPv4 addresses, in different places.

The 54.* works, the 80.* has only timeouts, see the #url-checks part.

Looks like the 80.* is old / expired, remove that.

2 Likes
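The failure above is worth being able to reproduce yourself before touching DNS: a name with several A records only validates if every one of them answers on port 80, and certbot's error only tells you that one connection timed out. The script below is an added example for this thread (not certbot, Boulder or check-your-website code): it resolves every A/AAAA address of a hostname, opens a TCP connection to each one and sends a GET for the challenge path with the proper Host header, then lists the addresses that did not connect. The hostname `example.test`, the stub responder on 127.0.0.1 and the probe token are constructed for the offline demo; run it against your real hostname to see which published address is the stale one.

```python
"""Probe every published address of a hostname the way an HTTP-01 validator
would reach it. Added illustration for this thread, not Let's Encrypt or
certbot code. The stub responder and probe token below are constructed."""
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Any path under the ACME prefix works for a reachability probe; this token is made up.
PROBE_PATH = "/.well-known/acme-challenge/probe-token"


def resolve_all(host):
    """Every A and AAAA address published for host, in resolver order.
    The validator may pick any of them, so each one has to answer."""
    addrs = []
    for _fam, _type, _proto, _cname, sockaddr in socket.getaddrinfo(
            host, 80, type=socket.SOCK_STREAM):
        ip = sockaddr[0]
        if ip not in addrs:
            addrs.append(ip)
    return addrs


def probe(ip, host, port=80, path=PROBE_PATH, timeout=5.0):
    """TCP-connect to ip:port and GET the challenge path with the right Host
    header, so the probe lands on the same vhost certbot's challenge would.
    Returns (reachable, detail)."""
    try:
        conn = socket.create_connection((ip, port), timeout=timeout)
    except socket.timeout:
        # The condition behind certbot's "Timeout during connect": the address
        # is published in DNS but nothing answers (firewall, or a stale record).
        return False, "timeout during connect"
    except OSError as exc:
        return False, f"connect failed: {exc.strerror or exc}"
    with conn:
        try:
            req = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                   "Connection: close\r\n\r\n")
            conn.sendall(req.encode("ascii"))
            status = conn.recv(512).split(b"\r\n", 1)[0]
            return True, status.decode("latin-1", "replace")
        except OSError as exc:
            return True, f"connected, but no HTTP status line: {exc}"


def check_host(host, ips=None, port=80, timeout=5.0):
    """Probe each address; returns {ip: (reachable, detail)}.
    Pass ips explicitly to bypass DNS (the offline demo does this)."""
    ips = resolve_all(host) if ips is None else ips
    return {ip: probe(ip, host, port, timeout=timeout) for ip in ips}


def stale_addresses(results):
    """Addresses that would make validation fail: any that did not connect."""
    return sorted(ip for ip, (ok, _detail) in results.items() if not ok)


class _StubAcmeHandler(BaseHTTPRequestHandler):
    """Minimal responder standing in for the real web server in the demo."""

    def do_GET(self):
        ok = self.path.startswith("/.well-known/acme-challenge/")
        body = b"ok" if ok else b"no"
        self.send_response(200 if ok else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub_server():
    """Start the stub on 127.0.0.1 at an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _StubAcmeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def unused_local_port():
    """A port nothing listens on, to simulate a published-but-dead address."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe_acme.py tantramassagewarsaw.com
    target = sys.argv[1] if len(sys.argv) > 1 else "tantramassagewarsaw.com"
    results = check_host(target)
    for ip, (ok, detail) in results.items():
        print(f"{ip:40} {'OK ' if ok else 'BAD'} {detail}")
    print("stale/unreachable:", stale_addresses(results) or "none")
```

Every address the script marks BAD is one the validator may be handed; in the thread's case that is the 80.211.183.70 record that only times out. After removing the stale record and waiting for the TTL to expire, re-run the script until it lists no stale addresses, then `sudo certbot renew --dry-run` confirms the renewal path without spending a real issuance.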

Thank you. It looks like I forgot to delete the old record.
I'll wait for the DNS update and retry.

1 Like

You might try using letsdebug.net as a quick way to test. If you need more comprehensive analysis, you can use @JuergenAuer's own check-your-website.server-daten.de (which he has already run for you in this case).

Update: Unfortunately, letsdebug.net appears to currently be stuck on the active incident involving the Testflume CT Logs.

https://letsencrypt.status.io/

1 Like

Thank you all. It worked fine after fixing the DNS records.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.