Timeout during connect (likely firewall problem)

My domain is: imi.solutions

I ran this command: sudo /opt/letsencrypt/certbot-auto renew

It produced this output:

Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/robotime.imi.solutions.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for robotime.imi.solutions
Waiting for verification...
Challenge failed for domain robotime.imi.solutions
http-01 challenge for robotime.imi.solutions
Cleaning up challenges
Attempting to renew cert (robotime.imi.solutions) from /etc/letsencrypt/renewal/robotime.imi.solutions.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robotime.imi.solutions/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/robotime.imi.solutions/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: robotime.imi.solutions
    Type: connection
    Detail: 220.233.144.254: Fetching
    http://robotime.imi.solutions/.well-known/acme-challenge/SZ-oqd2uz7Xn4Rwo7adZUIL_9hYqSUKRToWgQFqWaxQ:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): NGINX

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


We migrated the VM from a different hosting provider, so the public IP has now changed, and that is when we started getting this error.


and yet

Why?


Port 80 is filtered (blocked) by something. Port 443 is open and working, although it uses an expired cert. Probably why you are trying to renew it :)

In any case, you need to review your HTTP (port 80) network config with your new host.

Use https://letsdebug.net to test any changes to your comms.

PS: Oh, and adding on to 9peppe's comment about certbot-auto is this notice from Dec 2020 (but this does not explain your blocked port 80)


The firewall ports are open for 80 and 443 for this VM.

I don't see an issue from the firewall side?

Could there be an issue on the VM side? If so, where should I look on the VM?


Oh, hang on. I just realized you have an nginx server but were trying to use the --standalone authenticator, which needs exclusive use of port 80. You should instead make sure nginx can listen on port 80 and use the --webroot method instead of --standalone. You could also use --nginx, but you already have an HTTPS server block configured, so webroot is probably better.

But, you still need port 80 to be able to connect to your nginx server for the HTTP Challenge to succeed.

Are you able to connect using http://robotime.imi.solutions from outside your local network? Like using a mobile phone with wifi disabled to use your carrier network?


I'm not able to access the site using HTTP, I've just checked it.

Is there anything I can change in the config to make it work?

HTTPS requests (port 443) to your domain work, although they are using an expired cert.

You need to see why your system handles port 80 differently.

Try using http from your local network to make sure your nginx/express setup handles port 80. Try curl http://(local-ip) and use the IP on your local network. If that works then something is blocking or not routing port 80 requests to that server.

Since port 443 (HTTPS) is working (apart from the expired cert) you could use the DNS Challenge to get a cert. But, you really should figure out why port 80 is failing to allow the HTTP Challenge to work and to properly redirect visitors from HTTP to HTTPS.

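The port checks discussed in this thread, as an added example that is not part of the original posts: it separates a port that times out (filtered, which is what the validator reported) from one that is actively refused (nothing listening) and suggests where to look next. The names `probe` and `diagnose` are hypothetical, and the public probes are assumed to be run from outside the server's own network.

```python
import socket
import sys

def probe(host, port, timeout=5.0):
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"          # handshake completed
    except socket.gaierror:
        return "dns-error"         # name did not resolve
    except ConnectionRefusedError:
        return "closed"            # host answered with RST: nothing listening
    except OSError:
        return "filtered"          # timeout or unreachable: packets dropped

def diagnose(local80, public80, public443):
    """Turn three probe results into the next thing to check."""
    if public80 == "open":
        return "port 80 reachable: the HTTP-01 validator can connect"
    if local80 != "open":
        return "nothing answers on port 80 on the server: check nginx listens on 80"
    if public80 == "filtered" and public443 == "open":
        return "DNS and routing work for 443 but port 80 is dropped: check firewall/NAT rules for 80"
    if public80 == "closed":
        return "port 80 is refused at the public IP: forwarding points at the wrong host or port"
    return "port 80 not reachable from outside: check DNS record and upstream firewall"

if __name__ == "__main__":
    # usage: script.py LOCAL_IP PUBLIC_NAME  (both supplied by the operator)
    local_ip, name = sys.argv[1], sys.argv[2]
    results = (probe(local_ip, 80), probe(name, 80), probe(name, 443))
    print(dict(zip(("local:80", "public:80", "public:443"), results)))
    print(diagnose(*results))
```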
