Timeout during connect (likely firewall problem)

kghbln · July 13, 2022, 11:00am

My domain is: wikihoster.de

I ran this command: certbot renew

It produced this output:

The following errors were reported by the server:

Domain: da.wikihoster.de
Type: connection
Detail: 217.197.83.171: Fetching
Deaf Atlas
Timeout during connect (likely firewall problem)

Domain: sw.wikihoster.de
Type: connection
Detail: 217.197.83.171: Fetching
WikiHoster.net – Prototyp für Stadtwikis
Timeout during connect (likely firewall problem)

Domain: phalaris.wikihoster.de
Type: connection
Detail: 217.197.83.171: Fetching
217.197.83.171 - 2001:67c:1400:2180::1
Timeout during connect (likely firewall problem)

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 10 (buster)

My hosting provider, if applicable, is: IN-Berlin (privately maintained though)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Did not touch this server in a while thus wondering that the issue could be.

MikeMcQ · July 13, 2022, 12:59pm

It looks like connections to your domains using IPv6 are not working. When you have an AAAA record in your DNS the Let's Encrypt server will use that IPv6 address for http challenge requests. Your DNS looks like:

nslookup  da.wikihoster.de
A    Address: 217.197.83.171
AAAA Address: 2001:67c:1400:2180::1

Your error message is not what I would expect for this error. But, perhaps that is because your version is fairly old. Using the Let's Debug test site shows a clearer message (as would a more recent version of certbot)

You need to correct your IPv6 comms or remove the AAAA record if it is not correct.

kghbln · July 13, 2022, 1:31pm

Thanks a lot for your insight!

Hmm, it appears that the IP address which was active during the past 7 years has gone belly up two or three days ago. I will check with IN-Berlin to see what is going on. I will come back with the outcome.

PS I was not aware of my version of certbot being that old. I just use what the OS ships. Anyhow, it was good to learn that there is a tool allowing to check.

kghbln · July 19, 2022, 7:50pm

It turns out that the default gateway for IPv6 was missing in the "interfaces" file at (/etc/network/). After fixing the entry in the file it works again.

What still remains a complete mystery is that the error was introduced to the file in September 2021 during some maintenance work and the resulting issue only started to appear in July 2022.

rg305 · July 19, 2022, 7:51pm

hmm...
That's long enough to make a baby!
[or grow a really nice beard]

system · August 18, 2022, 7:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.