Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: farm.adventblocks.cc

I ran this command: certbot certonly --apache

It produced this output: Fetching http://farm.adventblocks.cc/.well-known/acme-challenge/ldSOlHLJqGekm9QkowIRT_BGPYyj9ttXbpiafBIdeuc: Timeout during connect (likely firewall problem)

My web server is (include version):
Apache/2.4.52

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is: space-hosting.net

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2


Same problem with another subdomain (including the main adventblocks.cc). The site is accessible from the internet and passes all tests.

When I turn on the cloudflare proxy everything works fine, the certificate is created, but for some reason I can't use it (proxy) all the time.

I completely disabled ufw and allowed all traffic in iptables - it doesn't change anything

When I use cloudflare proxying, 6-7 requests come to the web server from letsencrypt verification servers, without it - ~3

Sometimes (according to letsdebug tests) I get the message "Everything is OK" (I don't remember exactly).

Same with standalone server.

Welcome to the community @Genife

Hmm. Right now Let's Debug reports a timeout failure (see link)

Note in the detailed info there that the initial test reached your domain (and I can also reach it from my own test server), but the test using the Let's Encrypt staging system failed.

This is most often because the IP addresses used by the LE Servers are being blocked by a firewall.

Your DNS points to an IP address related to Azure DNS. Is that your hosting?

What was the IP address in the error message from Certbot?

5 Likes
My hosting is space-hosting in baltneta data center in Lithuania. We assume with support that this may be a block from their IDS, but then we need more technical information about verification servers.
IP address in the error message from Certbot: 91.244.197.115

Using this online tool, letsdebug-toolkit, the results (click to see) show that:
Duplicate Certificates adventblocks.cc 5 of 5 weekly certificates.

The next time this certificate can be issued is 23 Dec 2022 08:55:55 UTC.

Please: testing and debugging are best done using the Staging Environment as the Rate Limits are much higher. Rate Limits are per week (rolling).

1 Like

Supplemental information:

$ curl -I http://farm.adventblocks.cc/.well-known/acme-challenge/py_NbrqO_sIIPx6Mm_uAs3tKzMOpAcBQrn3JRQk0F9k
HTTP/1.1 302 Found
Date: Wed, 21 Dec 2022 16:33:25 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://farm.adventblocks.cc/.well-known/acme-challenge/py_NbrqO_sIIPx6Mm_uAs3tKzMOpAcBQrn3JRQk0F9k
Content-Type: text/html; charset=iso-8859-1

$ curl -I https://farm.adventblocks.cc/.well-known/acme-challenge/py_NbrqO_sIIPx6Mm_uAs3tKzMOpAcBQrn3JRQk0F9k
HTTP/1.1 404 Not Found
Date: Wed, 21 Dec 2022 16:33:38 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
1 Like

Let's Encrypt does not publish the list of IP addresses they use. They often change even as frequently as every hour. The recommendation is to keep port 80 open. See these topics

And, for the IP addresses see the link in the FAQ about multiple locations

3 Likes

My web server always has port 80 open. It always redirects to 443 (except files.adventblocks.cc). Should this interfere with the creation of the certificate?

But something is blocking the Let's Encrypt servers (and maybe others). As I noted in post #2

4 Likes
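The two checks the thread keeps circling back to, whether port 80 answers within a timeout (a drop rather than a refusal is the "likely firewall problem" pattern) and whether the 302 to HTTPS still points at the challenge path, as an added script that is not from the original thread and not part of Certbot or Let's Debug. The default host and the sample URLs are the ones quoted in the thread; the verdict strings are my own.

```python
import socket
import sys
from urllib.parse import urlparse


def probe_port(host, port, timeout=5.0):
    """TCP connect to host:port and name the outcome.
    'timeout' means SYNs are silently dropped somewhere on the path (the
    symptom Certbot reports); 'closed' means the host actively refused."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"


def classify_response(original_url, status, location=None):
    """Map one response at the HTTP-01 URL to what a validator would make of it.
    Validation follows http/https redirects on ports 80/443 only; the final URL
    must still serve the token, so this treats a changed path as a problem."""
    if status == 200:
        return "ok: token served"
    if 300 <= status < 400:
        if not location:
            return "bad: redirect without Location"
        target = urlparse(location)
        if target.scheme not in ("http", "https"):
            return "bad: redirect to non-http(s) scheme"
        if target.port not in (None, 80, 443):
            return "bad: redirect to non-standard port %d" % target.port
        if target.path != urlparse(original_url).path:
            return "bad: redirect drops the challenge path"
        return "ok: redirect to %s keeps the challenge path" % target.scheme
    if status == 404:
        return "no token at path (fine outside a live validation, fatal during one)"
    return "unexpected status %d" % status


def diagnose(host, timeout=5.0):
    """Probe 80 and 443 from this vantage point and phrase the thread's diagnosis."""
    states = {port: probe_port(host, port, timeout) for port in (80, 443)}
    if states[80] == "timeout":
        verdict = "port 80 timed out: packets dropped on the path (firewall/IDS), not refused"
    elif states[80] != "open":
        verdict = "port 80 %s: check the web server and local firewall" % states[80]
    elif states[443] != "open":
        verdict = "port 80 open but the HTTPS redirect target on 443 is not reachable"
    else:
        verdict = "both ports reachable from here; the validator's own addresses may still be blocked"
    return states, verdict


if __name__ == "__main__":
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "farm.adventblocks.cc"))
```

Reachability from one vantage point does not prove reachability from the validation servers, which is exactly the gap Let's Debug's staging test is meant to close.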

More supplemental information, this is what I presently see from the Portland Metro Area of Oregon using Comcast Xfinity IPv4 only.

The Let's Debug results https://letsdebug.net/farm.adventblocks.cc/1308461?debug=y

$ nmap -Pn farm.adventblocks.cc
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-21 17:16 UTC
Nmap scan report for farm.adventblocks.cc (91.244.197.115)
Host is up (0.19s latency).
Not shown: 733 closed ports, 264 filtered ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 227.24 seconds

$ curl -I http://farm.adventblocks.cc/.well-known/acme-challenge/BoVIuoVicufjD4tJ3O3QMHYKyV5wX2M5aNm105aSjYI
curl: (28) Failed to connect to farm.adventblocks.cc port 80 after 129305 ms: Connection timed out

$ curl -I https://farm.adventblocks.cc/.well-known/acme-challenge/BoVIuoVicufjD4tJ3O3QMHYKyV5wX2M5aNm105aSjYI
curl: (28) Failed to connect to farm.adventblocks.cc port 443 after 129337 ms: Connection timed out

$ nmap -Pn farm.adventblocks.cc
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-21 17:26 UTC
Nmap scan report for farm.adventblocks.cc (91.244.197.115)
Host is up (0.19s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
3306/tcp closed mysql

Nmap done: 1 IP address (1 host up) scanned in 21.70 seconds
1 Like

Sorry, I was setting up the firewall at this point (when you did the test). Check now please

No problem.

~$ nmap -Pn farm.adventblocks.cc
Starting Nmap 7.80 ( https://nmap.org ) at 2022-12-21 17:52 UTC
Nmap scan report for farm.adventblocks.cc (91.244.197.115)
Host is up (0.19s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
5959/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 6.47 seconds

$ curl -I http://farm.adventblocks.cc/.well-known/acme-challenge/L-JHa2yvZqKebgDPERylf38Igqm3eep0muViAmwvkEM
HTTP/1.1 302 Found
Date: Wed, 21 Dec 2022 17:54:56 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://farm.adventblocks.cc/.well-known/acme-challenge/L-JHa2yvZqKebgDPERylf38Igqm3eep0muViAmwvkEM
Content-Type: text/html; charset=iso-8859-1

$ curl -I https://farm.adventblocks.cc/.well-known/acme-challenge/L-JHa2yvZqKebgDPERylf38Igqm3eep0muViAmwvkEM
HTTP/1.1 404 Not Found
Date: Wed, 21 Dec 2022 17:55:05 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

And this is what I presently got with Let's Debug https://letsdebug.net/farm.adventblocks.cc/1308490?debug=y

1 Like

However you have reached the Rate Limits
Please use the Staging Environment until you get things working and the Rate Limits have expired.
https://tools.letsdebug.net/cert-search?m=domain&q=farm.adventblocks.cc&d=168

1 Like

We agreed that the problem is probably with the hosting and I should try to solve it with them?

I previously used windows server 2022 and there was exactly the same problem, we moved to ubuntu 1 week ago, but as u know, nothing has changed.

I do not think that when ALL ports are open (ufw & iptables) and there are no blockings from the vps, then the problem may be in the vps. Can you agree with me?

I will also ask for a new vps test on the same subnet for a few hours to test (maybe there will be the same problem)

However, having exceeded the Rate Limits means that Let's Debug will show issues and Let's Encrypt Challenges will not succeed.

Rate Limit                                      Current Status                                             Domain
50 Certificates per Registered Domain per week  OK (10 / 50 this week.)                                    adventblocks.cc
5 Duplicate Certificates per week               Limit exceeded. Next issuable at 23 Dec 2022 08:55:55 UTC  adventblocks.cc
Summary generated at letsdebug-toolkit.
1 Like

Okay. After ~ two days, should I continue investigating using just the Staging Environment and letsdebug?

If the error messages continue like this one:

Then you need to ensure you are not part of the problem [your firewall, etc.] and then escalate this with your ISP.

Someone is blocking.

3 Likes

Thank you so much))) @Bruce5051, @rg305, @MikeMcQ

3 Likes

U can edit my messages???

Yes

2 Likes

Niiicee haha

3 Likes