Timeout during connect (likely firewall problem)

My domain is:
pacolola.net

I ran this command:
certbot certonly -d pacolola.net --webroot --webroot-path /var/www/pacolola

It produced this output:
Failed authorization procedure. pacolola.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://pacolola.net/.well-known/acme-challenge/A6N4Hm23Lwd1QwRw9DCqpFuiZ0dGb5qc3xf7cYAEi7s: Timeout during connect (likely firewall problem)

My web server is (include version):
Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version):
Armbian 21.02.3 Buster with Linux 5.10.21-imx6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.31.0

What I have done so far:

  • Uncommented all rows in the site config found in etc/apache2/sites-available/pacolola.conf which relate to redirection to https (restarted the server afterwards)
  • Made sure it's possible to access https://pacolola.net/.well-known/acme-challenge/test
  • Checked the access settings on my home router, which is set to medium, blocking NETBIOS and DNS
  • Attempted to disable the server firewall temporarily (ufw disabled) while renewing the certificate. Firewall is back on again.
  • Checked the status over at https://check-your-website.server-daten.de/?q=pacolola.net which, yes, says that the connection over port 80 gives the error status -14, but I don't know what further actions I can take now.

I have a nextcloud instance running on a subdomain if that is of any interest.

2 Likes

Hi,

It seems like you have assigned an IP address to this host, but port 80 is not open... It's actually not at all necessary for you to close port 80 (as it's a normal communication port). Can you try to allow port 80 access now and see if the host responds?

P.S. sorry I'm on mobile, so my tools are limited.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

I concur with @stevenzhu.

4 Likes

I had port 80 open according to /etc/apache2/ports.conf : Listen 80
And can't see anything blocking the port on the router. I'll have to look in other places where port 80 could be blocked.
sudo lsof -n -sTCP:LISTEN -i:80 returns:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
apache2 1726 root 4u IPv6 1602318 0t0 TCP *:http (LISTEN)
apache2 2044 www-data 4u IPv6 1602318 0t0 TCP *:http (LISTEN)
apache2 2045 www-data 4u IPv6 1602318 0t0 TCP *:http (LISTEN)

3 Likes

Thank you for the response.
If I parsed the message correctly, you actually only listen on IPv6... (Type IPv6)
Can you double check on your apache configuration?
AND, your IPv4 port 80 is still filtered
P.S. If you are worrying about a downgrade attack, you can set up a blanket redirection that sends all incoming traffic through a 301 redirection to https :slight_smile:

3 Likes

Port 80 should be open as per ufw status:
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
873/tcp                    ALLOW       Anywhere                  
WWW Secure                 ALLOW       Anywhere                  
WWW Full                   ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
873/tcp (v6)               ALLOW       Anywhere (v6)             
WWW Secure (v6)            ALLOW       Anywhere (v6)             
WWW Full (v6)              ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)
2 Likes

I retested the port, and it's still closed.
If you are using residential internet or something, can you also check with your ISP to see if they block port 80 by default?

Thank you

4 Likes

Hi @droid001

Checking that result, your port 443 / https works. So the firewall / router configuration of port 443 is ok -> check if port 80 has the same settings.

Maybe your Apache configuration doesn't work, so it doesn't answer via ipv4.

What says

apachectl -S

Thanks for taking interest @JuergenAuer .
The firewall/router config is the same for port 80 as it is for 443.
I checked out what was coming out from apachectl -S and noticed that port :80 was serving the subdomain nextcloud.pacolola.net and not the main one. I changed virtual host file nextcloud.pacolola.net.conf to be more specific about what was served from port 80, <VirtualHost nextcloud.pacolola.net:80>.

After that I get the following:

VirtualHost configuration:
188.151.218.129:80     nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net.conf:1)
*:4443                 127.0.0.1 (/etc/apache2/sites-enabled/ncp.conf:2)
*:80                   pacolola.net (/etc/apache2/sites-enabled/pacolola.conf:1)
*:443                  is a NameVirtualHost
         default server nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net-le-ssl.conf:2)
         port 443 namevhost nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net-le-ssl.conf:2)
                 alias www.nextcloud.pacolola.net
         port 443 namevhost nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net.conf:10)
         port 443 namevhost pacolola.net (/etc/apache2/sites-enabled/pacolola-le-ssl.conf:2)
                 alias www.pacolola.net
         port 443 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/pacolola.conf:15)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I finally got a certificate running with the following command: certbot -d pacolola.net --manual --preferred-challenges dns certonly.
I have a Dynamic DNS set on my router as the ISP doesn't provide a static one and am using NO-IP as the name registrar and DNS provider. Tried using acme-dns-certbot but it wasn't picking up the TXT record set for _acme-challenge.pacolola.net. Luckily certbot did. :grinning:
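The apachectl -S dump above mixes an IP-specific vhost (188.151.218.129:80) with a wildcard one (*:80) on the same port, and which one answers an HTTP-01 request depends on the local address the connection arrives on. The following is an added example, not from the thread or from Apache: it parses the single-line VirtualHost entries of that dump and models Apache's documented two-stage selection (best IP:port match with non-wildcards winning, then ServerName match, else the first listed vhost). The private address 192.168.1.10 is a constructed stand-in for a LAN address behind NAT.

```python
import re

# Port-80/4443 lines copied from the thread's "apachectl -S" output (constructed excerpt).
APACHECTL_S = """\
188.151.218.129:80     nextcloud.pacolola.net (/etc/apache2/sites-enabled/nextcloud.pacolola.net.conf:1)
*:4443                 127.0.0.1 (/etc/apache2/sites-enabled/ncp.conf:2)
*:80                   pacolola.net (/etc/apache2/sites-enabled/pacolola.conf:1)
"""

# Matches "<addr>:<port>  <servername> (<conf file>:<line>)"; the multi-line
# NameVirtualHost blocks (port 443 here) use a different layout and are skipped.
LINE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+)\s+\((.+):\d+\)$")


def parse_vhosts(dump):
    """Return [(addr, port, servername, conf_file)] in the order apachectl lists them."""
    vhosts = []
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr, port, name, conf = m.groups()
            vhosts.append((addr, int(port), name, conf))
    return vhosts


def select_vhost(vhosts, local_addr, local_port, host_header):
    """Stage 1: vhosts bound to the exact local IP:port beat '*:port' ones.
    Stage 2: among those, match ServerName; otherwise the first listed is the default.
    Returns None when nothing matches (Apache then uses the main server config)."""
    specific = [v for v in vhosts if v[0] == local_addr and v[1] == local_port]
    candidates = specific or [v for v in vhosts if v[0] == "*" and v[1] == local_port]
    if not candidates:
        return None
    for v in candidates:
        if v[2] == host_header:
            return v
    return candidates[0]


def mixed_binding_warnings(vhosts):
    """Ports carrying both an IP-specific and a '*' vhost: on that IP the wildcard vhost
    is never consulted, so a challenge file may be served by the wrong site."""
    by_port = {}
    for addr, port, _name, _conf in vhosts:
        by_port.setdefault(port, set()).add(addr)
    return sorted(p for p, addrs in by_port.items() if "*" in addrs and len(addrs) > 1)
```

Run select_vhost with the public IP as local address to see the nextcloud vhost swallow a request for pacolola.net, and with a private LAN address (the NAT case) to see only the wildcard vhost considered.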
