Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
test.vpps.link
I ran this command:
sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --apache -d test.vpps.link

It produced this output:

Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test.vpps.link
Waiting for verification...
Challenge failed for domain test.vpps.link
http-01 challenge for test.vpps.link
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
self hosting
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Previously I have been successful in creating certificates using the manual DNS verification.

I am able to access the verification folder from the outside, i.e.
http://test.vpps.link/.well-known/acme-challenge/

I continue to get the timeout error when attempting the http challenge. Help appreciated, as I have spent hours on this and got locked out once by too many cert attempts.

Virtual hosts file contents

<VirtualHost *:80>
    ServerName test.vpps.link
    ServerAlias test.vpps.link

    DocumentRoot /var/www/html/test.vpps.link
</VirtualHost>
2 Likes

I can reach that hostname too.

Let's Encrypt's validations are sent through CDNs, I believe AWS? Are you perhaps blocking some IP address ranges, which might include some CDNs, such as AWS? Or perhaps have a firewall with regional blocking set up?

3 Likes

I can confirm that I am able to connect to http://test.vpps.link/.well-known/acme-challenge/test via my own browser yet when I try to connect via https://www.redirect-checker.org/ I get a timeout.

2 Likes

But https://downforeveryoneorjustme.com/test.vpps.link and Test.vpps.link - Is Test Down Right Now? say it's up.

So it seems it's a partial block, maybe regional or in some other way selective.

3 Likes

I concur. I'm pretty sure that redirect-checker is US-based though, like myself, so there seems to be a very picky filter indeed.

2 Likes

Can you try to contact your ISP and see if there is a regional firewall in place?

2 Likes

Or other firewall rules blocking specific ranges of IP address or something like that.

3 Likes

Or aliens...

:alien: :flying_saucer:

2 Likes

Thanks for all your tips that are consistently pointing to a block. The alien got me this time. I'm sure it is my router firewall, as I have a custom group to block hackers hitting the mail server on the same machine. As I see entries in the postfix log, I then enter that IP address if it is not a valid address.

Since it is an IP block and not domain name, please advise of the IP range/s that may be used with AWS.

Thanks again, will let you know once I get certbot back in action.

3 Likes

Let's Encrypt doesn't publish any such list. See various threads about this topic:

https://community.letsencrypt.org/search?q=%22validation%20ip%20addresses%22

3 Likes

The answer is in the error message (likely firewall problem). Found the culprit in the router IP address black list. Problem solved. Thank you all for your comments.

3 Likes
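As an added example (not from this thread or from certbot), the following Python script builds the http-01 key authorization the way RFC 8555 describes it (token plus the RFC 7638 thumbprint of the account key), fetches the challenge URL over plain HTTP on port 80 as a validator would, and maps the outcome onto the failure classes seen in this thread, separating a connect timeout (the firewall case) from a 404 or a content mismatch. The domain, token and JWK in the test are constructed placeholders; run the check from a network other than your own, since the block discussed here was selective, and remember that a clean result from one vantage point does not prove Let's Encrypt's own (unpublished) validation addresses can reach you.

```python
import base64
import hashlib
import json
import socket
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256, base64url."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the web server must serve for an http-01 token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http_fetch(url: str, timeout: float) -> bytes:
    """Plain HTTP GET with a connect/read timeout, as the validator does (no TLS, port 80)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fake_fetch(outcome):
    """Constructed stand-in for http_fetch so the classifier can be exercised offline."""
    def fetch(url, timeout):
        if isinstance(outcome, BaseException):
            raise outcome
        return outcome
    return fetch


def classify_http01(domain: str, token: str, account_jwk: dict, fetch=http_fetch, timeout: float = 10.0) -> str:
    """Fetch the challenge URL and name the failure class, mirroring the wording certbot users see."""
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    expected = key_authorization(token, account_jwk).encode("ascii")
    try:
        body = fetch(url, timeout)
    except urllib.error.HTTPError as e:          # server answered, but not with the challenge file
        return f"http {e.code} (challenge file not served)"
    except urllib.error.URLError as e:           # urllib wraps socket-level errors in .reason
        err = e.reason
    except OSError as e:                         # socket.timeout / ConnectionRefusedError raised directly
        err = e
    else:                                        # trailing whitespace is tolerated, anything else is not
        return "ok" if body.strip() == expected else "wrong content (key authorization mismatch)"
    if isinstance(err, (socket.timeout, TimeoutError)):
        return "timeout during connect (likely firewall problem)"
    if isinstance(err, ConnectionRefusedError):
        return "connection refused (nothing listening on port 80)"
    return f"network error: {err}"
```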

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.