Timeout during connect (likely firewall problem)

My domain is:
espace.preparatoire-kerangal.fr

I ran this command:
certbot certonly --apache --preferred-challenges http -d espace.preparatoire-kerangal.fr

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for espace.preparatoire-kerangal.fr
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. espace.preparatoire-kerangal.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://espace.preparatoire-kerangal.fr/.well-known/acme-challenge/JR5sVe-cj8M_R4F-gCM6MjTqOsOxF9PX8j-LsqBshWo: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: espace.preparatoire-kerangal.fr
   Type:   connection
   Detail: Fetching
   http://espace.preparatoire-kerangal.fr/.well-known/acme-challenge/JR5sVe-cj8M_R4F-gCM6MjTqOsOxF9PX8j-LsqBshWo:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is: Apache 2.4.46

The operating system my web server runs on is:
SMP Debian 4.9.272-2 (2021-07-19) x86_64 GNU/Linux

My hosting provider, if applicable, is: IBO

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: no

The version of my client is: certbot 0.28.0

It should be noted that the DNS record is correct, and the port seems to be open (I checked manually).

The problem occurs even when running certbot in staging mode. In this case, tcpdump shows some successful requests on the challenge. webserver5.pcap

1 Like

Hi @yoch and welcome to the LE community forum :)

I first thought HTTP was blocked and began to write that as I noticed that it eventually did connect.
Perhaps the connections are just taking too long to establish?
Is there an IPS or such in line?
Is the CPU very busy?

2 Likes
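One way to put numbers on what the capture shows, following the "successful requests" in the original post and the "connections taking too long to establish" question above: pair each SYN to port 80 with its SYN-ACK, count retransmitted SYNs, and flag handshakes that never complete or complete slowly. This is an added example, not code from the thread or from certbot, and it was not run against webserver5.pcap; the tcpdump lines and the 5-second "slow" threshold are constructed for the example and are assumptions, not a figure Let's Encrypt publishes here.

```python
import re
import sys
from typing import Dict

# Constructed sample of `tcpdump -tt -n 'tcp port 80'` text output (not from the
# thread's pcap). 203.0.113.10 stands in for the web server; 198.51.100.x are
# validation clients. Flow 1 completes quickly, flow 2 retransmits its SYN and is
# never answered, flow 3 completes but only after a long delay.
SAMPLE_TCPDUMP = """\
1641900000.100000 IP 198.51.100.7.41000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
1641900000.105000 IP 203.0.113.10.80 > 198.51.100.7.41000: Flags [S.], seq 2000, ack 1001, win 65160, length 0
1641900001.000000 IP 198.51.100.8.42000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
1641900002.000000 IP 198.51.100.8.42000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
1641900004.000000 IP 198.51.100.8.42000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
1641900010.000000 IP 198.51.100.9.43000 > 203.0.113.10.80: Flags [S], seq 1000, win 64240, length 0
1641900022.500000 IP 203.0.113.10.80 > 198.51.100.9.43000: Flags [S.], seq 2000, ack 1001, win 65160, length 0
"""

# Matches the prefix of one tcpdump -tt -n line: epoch timestamp, IPv4 src.port > dst.port, TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Assumed cut-off for calling a handshake "slow"; pick what fits your validator's patience.
SLOW_HANDSHAKE_SECONDS = 5.0


def analyse_handshakes(text: str, server_port: int = 80,
                       slow_after: float = SLOW_HANDSHAKE_SECONDS) -> Dict[str, dict]:
    """Return per-client-flow handshake stats keyed by 'client_ip:client_port'."""
    flows: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = float(m["ts"])
        flags = m["flags"]
        if flags == "S" and int(m["dport"]) == server_port:
            # Client SYN: remember the first one, count every retransmit.
            key = f"{m['src']}:{m['sport']}"
            flow = flows.setdefault(key, {"first_syn": ts, "syn_count": 0, "synack_delay": None})
            flow["syn_count"] += 1
        elif flags == "S." and int(m["sport"]) == server_port:
            # Server SYN-ACK: delay is measured from the client's first SYN.
            key = f"{m['dst']}:{m['dport']}"
            flow = flows.get(key)
            if flow is not None and flow["synack_delay"] is None:
                flow["synack_delay"] = round(ts - flow["first_syn"], 6)
    for flow in flows.values():
        delay = flow["synack_delay"]
        if delay is None:
            # SYN reached the capture point but was never answered: a local DROP rule,
            # a host that is not listening, or an inline device eating the reply.
            flow["verdict"] = "no-synack"
        elif delay > slow_after:
            flow["verdict"] = "slow"
        else:
            flow["verdict"] = "ok"
    return flows


def report(flows: Dict[str, dict]) -> str:
    lines = []
    for key, f in flows.items():
        delay = "-" if f["synack_delay"] is None else f"{f['synack_delay']:.3f}s"
        lines.append(f"{key:<24} syns={f['syn_count']} synack_delay={delay:<10} {f['verdict']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real output in, e.g.: tcpdump -tt -n -r webserver5.pcap 'tcp port 80' | python3 handshakes.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TCPDUMP
    print(report(analyse_handshakes(data)))
```

Run it on the host's own capture with `tcpdump -tt -n -r <file> 'tcp port 80'` piped into the script; flows marked `no-synack` are the ones a remote validator would report as "Timeout during connect", while `slow` flows are the case where the host does answer but not fast enough for the validator's own deadline.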

I noticed it too. Port 80 and 443 are open "officially" but letsdebug.net says there is a problem somewhere, possibly a timeout.
Other online and "personal" scanners confirm. But when I dig for records there's only one A record... nothing else. (Is that weird?) No SOA... etc.

3 Likes

SOA records are typically only shown on the apex.
And both authoritative servers return the same:
serial = 2022011101

2 Likes

I just saw letsdebug fail too but at same time I can reach it almost instantly from an EC2 instance on US East Coast. I reached it instantly earlier today. That's when I gave them a 'like' for stumping me (not like that's overly hard ...).

2 Likes

Hi,

Thanks for the responses.

@rg305
In fact, there is an IPS in place (I don't know which one; it's used by my service provider). I asked them yesterday to shut down the IPS and test again, but the problem still occurs.

The CPU doesn't seem too busy, and I have already emitted some certificates without trouble in the past.

1 Like

I don't know what happened, but the problem is solved now. Who knows, I suppose my provider has fixed something.

2 Likes