Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.limeira.sp.leg.br

I ran this command: sudo certbot --apache

It produced this output: ertbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.limeira.sp.leg.br
Type: connection
Detail: 177.69.86.229: Fetching http://www.limeira.sp.leg.br/.well-known/acme-challenge/P7Ou25QU-j1vZ_mkuX8xZcJR6nm_o4VAcAlPhXrUNC4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu Server 20.4

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

My http server is behind a NAT, the NAT server redirects ports 80 and 443 to http server

administrador@vm-http:~$ sudo certbot --apache -v
[sudo] password for administrador:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: limeira.sp.leg.br
2: concursoredacao.limeira.sp.leg.br
3: escolalegislativa.limeira.sp.leg.br
4: esic.limeira.sp.leg.br
5: gerenciador.limeira.sp.leg.br
6: ouvidoria.limeira.sp.leg.br
7: portaldatransparencia.limeira.sp.leg.br
8: teste.limeira.sp.leg.br
9: teste2.limeira.sp.leg.br
10: www.limeira.sp.leg.br
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 10
Requesting a certificate for www.limeira.sp.leg.br
Performing the following challenges:
http-01 challenge for www.limeira.sp.leg.br
Waiting for verification...
Challenge failed for domain www.limeira.sp.leg.br
http-01 challenge for www.limeira.sp.leg.br

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.limeira.sp.leg.br
  Type:   connection
  Detail: 177.69.86.229: Fetching http://www.limeira.sp.leg.br/.well-known/acme-challenge/5hW9DzzPwHXWfs9pAYz5MmgvC9uVoZaxLxpqCF0wYXk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Hello @andretoledo, welcome to the Let's Encrypt community. :slightly_smiling_face:

There is something between the Internet and www.limeira.sp.leg.br; likely a router / firewall, possibly even more than one.

:~$ nmap -Pn -p80,443 www.limeira.sp.leg.br
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-01 17:27 UTC
Nmap scan report for www.limeira.sp.leg.br (177.69.86.229)
Host is up.
rDNS record for 177.69.86.229: 177-069-086-229.static.ctbctelecom.com.br

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 4.90 seconds
3 Likes

I can connect to your domain with HTTP using a server in Brazil. But, I cannot connect from a US based server.

Let's Encrypt uses various points around the world to authenticate your domain.

You might have some kind of geographic limits in a firewall or even your ISP.

5 Likes

Once the firewall/timeout problem is overcome, you might want to change "10" to "1 10".

[if they both serve the exact same content]

3 Likes

Thank you very much, there really was a rule in our firewall that geo-blocked it.

4 Likes