Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: adobe.f3322.net
I ran this command: certbot certonly --webroot -w d:\web -m {myemail} -d adobe.f3322.net
The operating system my web server runs on is (include version): Windows Server 2012 R2 DC
My hosting provider, if applicable, is: VM on UCloud
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.1
I tried both standalone and webroot mode but neither of them worked.
I didn't install or enable any firewall on my VM, including the OS and IIS.
I assigned read permission to everyone to ensure it was not a permission problem.
I could use my computer at home to access my website and the .well-known folder with no issue, but when I tried to get the certificates by certbot, it kept telling me Timeout during connect (likely firewall problem), though I could see the traffic log in IIS (HTTP status code 200).
I installed Wireshark to capture the traffic data. My VM did receive the HTTP GET request from the validation server and IIS responded to the server properly, but I was still told Timeout during connect (likely firewall problem), which was very weird.
What could be the real reason? I am stuck...
"During Secondary Validation" means the initial validation has succeeded.
And your system is likely doing some sort of Geo-Location blocking to those secondary servers.
You should see at least 3 requests, from different locations. It's part of how Let's Encrypt ensures that you actually own the name as seen by everywhere on the Internet. You must have some sort of firewall blocking requests from some networks.
I could only see 1 request, and maybe that was the reason why I received the error message.
I think you're probably right, but the firewall may be out of my control. My Windows Firewall was and is disabled and many of my friends said that they had no issue accessing my website, so it is probably the firewall from the ISP that causes the problem...
My VM doesn't have any access control rule set by the host provider, but I am not sure whether there is a device doing that kind of thing in the ISP network. I have not tried using port 443 to do the verification. I'll try this way later.
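A way to check what is described above (how many distinct validator addresses actually reached the challenge path), as an added example that is not part of this thread: this Python script parses IIS W3C log lines (a constructed sample, with field names as IIS writes them) and counts distinct client IPs per ACME token, flagging fewer than the three sources mentioned above. The IPs and user agent in the sample are placeholders, not real Let's Encrypt validator addresses.

```python
"""Count distinct validation sources hitting ACME HTTP-01 challenge paths in IIS W3C logs."""
from collections import defaultdict

# Constructed sample IIS W3C log (not from the thread): two validator requests, one ordinary hit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status time-taken
2022-12-20 00:20:01 10.0.0.5 GET /.well-known/acme-challenge/abc123 - 80 198.51.100.7 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server) 200 15
2022-12-20 00:20:02 10.0.0.5 GET /.well-known/acme-challenge/abc123 - 80 203.0.113.44 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server) 200 12
2022-12-20 00:20:05 10.0.0.5 GET /index.html - 80 192.0.2.9 Mozilla/5.0 200 8
"""

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MIN_EXPECTED_SOURCES = 3  # the thread says to expect at least 3 requests from different locations


def parse_iis_w3c(text):
    """Yield one dict per request line, using the most recent #Fields header for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, values))


def challenge_sources(text):
    """Map each challenge token to the set of client IPs that requested it."""
    sources = defaultdict(set)
    for rec in parse_iis_w3c(text):
        path = rec.get("cs-uri-stem", "")
        if path.startswith(CHALLENGE_PREFIX):
            sources[path[len(CHALLENGE_PREFIX):]].add(rec.get("c-ip", "?"))
    return dict(sources)


def check_multi_perspective(text, minimum=MIN_EXPECTED_SOURCES):
    """Return (token, distinct_source_count, ok) for every token seen in the log."""
    return [(tok, len(ips), len(ips) >= minimum)
            for tok, ips in sorted(challenge_sources(text).items())]


if __name__ == "__main__":
    for token, n, ok in check_multi_perspective(SAMPLE_LOG):
        print(f"{token}: {n} distinct validator IPs -> "
              f"{'OK' if ok else 'fewer than expected; check filtering upstream of IIS'}")
```

A 200 logged for the one request that did arrive says nothing about the secondary validators whose requests never reached the server, which is exactly the case this count is meant to surface.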
Well, for what it's worth, I can't get to that site from my home Internet connection in Massachusetts, nor can I from an AWS server in their us-east-1 region.
And nmap from my home on Comcast Xfinity in the Portland Metro Area of Oregon
$ nmap -Pn adobe.f3322.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-20 00:20 UTC
Nmap scan report for adobe.f3322.net (113.31.152.52)
Host is up (0.0083s latency).
All 1000 scanned ports on adobe.f3322.net (113.31.152.52) are filtered
Nmap done: 1 IP address (1 host up) scanned in 26.06 seconds
TLS-ALPN-01 ["port 443 verification"] is not as simple as it sounds.
Have a look at the link @Bruce5051 posted about the challenge types before you go down a dead-end road.
AND
If port 443 is also being blocked [haven't checked], then the only choice left is DNS-01.
Too bad. I also tried zerossl for verification and it failed too.
But the interesting thing is that my home broadband can be reached from ALL the servers in the tool.
I don't know why my VM's commercial broadband performs worse than my cheaper home broadband...
After all, thank you all for helping me figure out the problem!!! (Maybe I am going to buy a different domain and try to get an SSL cert from the domain provider)
Fortunately, I changed to another VM that was using a different IP range, and it just WORKED!!!
And before that, I fetched myself a new DDNS domain, and I finally got a domain with an HTTPS secure lock icon!