Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: adobe.f3322.net

I ran this command: certbot certonly --webroot -w d:\web -m {myemail} -d adobe.f3322.net

It produced this output:

My web server is (include version): IIS 8

The operating system my web server runs on is (include version): Windows Server 2012 R2 DC

My hosting provider, if applicable, is: VM on UCloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.1

I tried both standalone and webroot mode but neither of them worked.
I didn't install or enable any firewall on my VM, including the OS and IIS.
I assigned read permission to everyone to ensure it was not a permission problem.
I could use my computer at home to access my website and the .well-known folder with no issue, but when I tried to get the certificates with certbot, it kept telling me "Timeout during connect (likely firewall problem)" even though I could see the traffic in the IIS log (HTTP status code 200).
I installed Wireshark to capture the traffic. My VM did receive the HTTP GET request from the validation server and IIS responded to the server properly, but I was still told "Timeout during connect (likely firewall problem)", which was very weird.
What could be the real reason? I am stuck... :sob: :sob: :sob:

"During Secondary Validation" means the initial validation has succeeded.
And your system is likely doing some sort of Geo-Location blocking to those secondary servers.

4 Likes

So...is there any possible solution? :woozy_face:

Do you have an inline device that is doing Geo-Location blocking?
Or something similar?

See:

3 Likes

You should see at least 3 requests, from different locations. It's part of how Let's Encrypt ensures that you actually own the name as seen by everywhere on the Internet. You must have some sort of firewall blocking requests from some networks.

4 Likes
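The advice above is to look for several validation requests from different source addresses rather than just one. The following script is an added example (not code from the thread or from Certbot) that reads IIS W3C extended log lines, picks out GET requests for the `/.well-known/acme-challenge/` path, and reports how many distinct client IPs made them and which status codes were returned. The log lines and the client IPs in them are constructed for the example; the field layout follows the `#Fields:` header that IIS writes, and the threshold of three perspectives is an assumption taken from the post above, not a value read from Let's Encrypt.

```python
"""Count distinct validation-server IPs that fetched the ACME HTTP-01 challenge
path, using IIS W3C extended log lines.  Sample log below is constructed."""
from collections import Counter

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: one validator IP fetches the token twice, plus one
# unrelated request.  The addresses are documentation ranges, not real
# Let's Encrypt validation servers.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-12-20 00:10:01 10.0.0.5 GET /.well-known/acme-challenge/tokenAAAA - 80 - 192.0.2.10 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) 200 0 0 15
2022-12-20 00:10:02 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 3
2022-12-20 00:10:03 10.0.0.5 GET /.well-known/acme-challenge/tokenAAAA - 80 - 192.0.2.10 Mozilla/5.0+(compatible;+Let's+Encrypt+validation+server;++https://www.letsencrypt.org) 200 0 0 12
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header.
    Directive lines (#Software, #Date, ...) are skipped; records whose field
    count does not match the header are ignored rather than mis-parsed."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def acme_sources(text, min_perspectives=3):
    """Summarise who fetched the challenge path.  min_perspectives is an
    assumed threshold taken from the forum reply, not an official number."""
    hits = Counter()      # client IP -> number of challenge fetches
    statuses = Counter()  # sc-status -> count, to spot non-200 answers
    for rec in parse_w3c(text):
        if rec["cs-method"] == "GET" and rec["cs-uri-stem"].startswith(CHALLENGE_PREFIX):
            hits[rec["c-ip"]] += 1
            statuses[rec["sc-status"]] += 1
    return {
        "distinct_ips": sorted(hits),
        "status_counts": dict(statuses),
        "enough_perspectives": len(hits) >= min_perspectives,
    }


if __name__ == "__main__":
    summary = acme_sources(SAMPLE_LOG)
    print(summary)
    if not summary["enough_perspectives"]:
        print("Only", len(summary["distinct_ips"]), "validator address(es) reached the"
              " challenge path; the remaining perspectives are probably being"
              " blocked before they reach IIS.")
```

Run it against a real `u_ex*.log` file from `C:\inetpub\logs\LogFiles\` by reading the file into `acme_sources`; a single distinct IP with status 200, as in the sample, matches the symptom described in this thread: the primary validation succeeds and the secondary ones never arrive.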

I could only see 1 request, and maybe that was the reason why I received the error message.
I think you're probably right, but the firewall may be out of my control. My Windows Firewall was and is disabled and many of my friends said that they had no issue accessing my website, so it is probably the firewall from the ISP that causes the problem...

My VM doesn't have any access control rules set by the hosting provider, but I am not sure whether there is a device doing that kind of thing in the ISP network. I have not tried using port 443 to do the verification. I'll try this way later :smiley:

Well, for what it's worth, I can't get to that site from my home Internet connection in Massachusetts, nor can I from an AWS server in their us-east-1 region.

3 Likes

There are 3 Challenge Types - Let's Encrypt

  1. HTTP-01
  2. DNS-01
  3. TLS-ALPN-01

The above link discusses the Pros and Cons of each type and what is required for each type.

2 Likes
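Since DNS-01 is the challenge type that does not depend on inbound HTTP or TLS reaching the server, it helps to see exactly what value the CA expects in DNS. The script below is an added example, not code from the thread, Certbot or the linked page; it derives the challenge responses defined in RFC 8555 (key authorization for HTTP-01, and the SHA-256/base64url TXT value for DNS-01 under `_acme-challenge.<domain>`) from an account key's public JWK and a challenge token, and includes a local check that a published TXT value matches. The JWK and token are constructed placeholders, not a real account key.

```python
"""ACME challenge responses per RFC 8555 (sections 8.1, 8.3, 8.4) and the
RFC 7638 JWK thumbprint they depend on.  Sample key and token are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url encoding without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON (sorted keys, no whitespace)
    of only the required public members for the key type."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """HTTP-01: the body served at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record_name(domain: str) -> str:
    """DNS-01: the TXT record is published under this owner name."""
    return f"_acme-challenge.{domain}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """DNS-01: TXT content is base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_matches(published_txt: str, token: str, jwk: dict) -> bool:
    """Local pre-check before asking the CA to validate: does the value you
    pushed through your DNS provider's API equal what the CA will compute?"""
    return published_txt == dns01_txt_value(token, jwk)


# Constructed placeholders: public half of a pretend RSA account key and a token.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    print("HTTP-01 body :", key_authorization(SAMPLE_TOKEN, SAMPLE_JWK))
    print("DNS-01 name  :", dns01_record_name("example.com"))
    print("DNS-01 TXT   :", dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK))
```

The practical point for this thread: the DNS-01 value is served by the domain's authoritative nameservers, so a provider or network that filters inbound connections to the VM cannot interfere with it; what DNS-01 does need is a DNS provider that lets you create a TXT record at `_acme-challenge.<domain>`, which a plain DDNS service that only updates the A record may not offer.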

And using this online tool https://check-host.net/, it doesn't seem anywhere in the world can get to that site either. Results here: Check host - online website monitoring (the check report has since been removed).

And nmap from my home on Comcast Xfinity in the Portland Metro Area of Oregon

$ nmap -Pn adobe.f3322.net
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-20 00:20 UTC
Nmap scan report for adobe.f3322.net (113.31.152.52)
Host is up (0.0083s latency).
All 1000 scanned ports on adobe.f3322.net (113.31.152.52) are filtered

Nmap done: 1 IP address (1 host up) scanned in 26.06 seconds
1 Like

TLS-ALPN-01 ["port 443 verification"] is not as simple as it sounds.
Have a look at the link @Bruce5051 posted about the challenge types before you go down a dead-end road.

AND

If port 443 is also being blocked [haven't checked], then the only choice left is DNS-01.

3 Likes

I tried the online tool and unfortunately none of the servers listed in the tool could reach my VM...

While I could still access my website from my home in China

Too bad. I also tried zerossl for verification and it failed too. :sob:
But the interesting thing is that my home broadband can be reached from ALL the servers in the tool.

I don't know why my VM's commercial broadband performs worse than my cheaper home broadband... :thinking: :thinking: :thinking:

Anyway, thank you all for helping me figure out the problem!!! (Maybe I will buy a different domain and try to get an SSL cert from the domain provider.)

2 Likes

Have you tried obtaining the cert using DNS-01 authentication?

3 Likes

My domain is a DDNS domain. I can only adjust the IP address it points to. Other kinds of DNS resolution methods such as MX record are not allowed. :sweat: :sweat:

Have you tried looking for a DDNS provider that allows TXT records to be updated via API?

Do you have any other domain name you can use?

3 Likes

Great Firewall of China?

1 Like

PROBABLY.

Fortunately, I changed to another VM that was using a different IP range, and it just WORKED!!!
And before that, I fetched myself a new DDNS domain, and I finally got a domain with a HTTPS secure lock icon!


Thank you all again! :grin: :grin: :grin:

4 Likes
