Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://swiftle.org/

I ran this command: .\certbot.exe certonly --standalone -d swiftle.org

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: swiftle.org
Type: connection
Detail: 90.224.206.14: Fetching http://swiftle.org/.well-known/acme-challenge/jMc8jl33xK8b81_qPNFRsTAl9oTzU0K-0QqDo-SZPYs: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version): I am using my own computer as a server.

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: I am hosting on my own computer

I can login to a root shell on my machine (yes or no, or I don't know): Since the server is on my own computer I have access to the server.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No. I just run a JS file with Node to start a server that listens on a port. This port is forwarded to port 80.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

When doing the request with Certbot I turn off my server (Ctrl+C in the cmd window in which I started server.js with Node).
I have gone into the Windows Defender Firewall and added custom rules that enable traffic in and out on ports 80 and 443. I also allowed edge traversal for incoming traffic. Why would I get this error?

One thing I realized was that the port that my server listens to is only forwarded to port 80 and not 443. I fixed this and got another error:
An unexpected error occurred:
acme.errors.ClientError: <Response [503]>

Is this error better? When reading the logs no further information is given, just ERROR:certbot._internal.log:acme.errors.ClientError: <Response [503]>

Hello @Olof, welcome to the Let's Encrypt community.

Certbot is no longer supporting Windows, please see:

Also the option

increases the difficulty of debugging, I find. That being said, ports 80 & 443 are filtered.
Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443 swiftle.org
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-10 23:08 UTC
Nmap scan report for swiftle.org (90.224.206.14)
Host is up.
rDNS record for 90.224.206.14: 90-224-206-14-no2104.tbcn.telia.com

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.54 seconds

Thus I believe the issue is


Also @Olof, here is an online Port Checker - Check Open Ports Online that may be of some assistance to you. And this Permanent link to this check report is a view from around the world of http://swiftle.org.


Thank you. You say that the ports are filtered; is this easy to change? Or should I just not bother and use another certificate manager?


That would be likely your router and/or firewall.


For that, kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.


If I start my NodeJS project on my server and forward both port 443 and 80 to the port my server is listening on, I then see that both ports are open using the port checker you gave me (Port Checker - Check Open Ports Online).
Does this mean that they aren't filtered?

Then no, they are not filtered; thus an artifact of using (from my point of view and perspective).


The thing is, if I turn off the NodeJS project then the ports are timed out. And if I run the command .\certbot.exe certonly --standalone -d swiftle.org
when the server is up and running, I get this error:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: swiftle.org
Type: unauthorized
Detail: 90.224.206.14: Invalid response from http://swiftle.org/.well-known/acme-challenge/-62GFYQFYyERxZkU-usVDWhMZJ5oQy4fIjbgl55a8A8: 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Could the solution be to just run the command without --standalone while the NodeJS project is running on my server?

Your machine only has one port 80 per IP address for any sort of http listener to use. If you have a node application (or any other port 80 listener) running on port 80 then that will block certbot from using it in standalone mode. You also need to ensure TCP port 80 traffic is allowed to reach your listening process all the way from the public internet, through any firewalls and routers, to your server and past any security apps you have. It's often easier/safer just to host on a cloud VM.

Certbot isn't supported on Windows anymore, so you might want to try something else, but that's not the cause of this issue. If you use something like Caddy as a reverse proxy for your app it can handle the certificate/TLS stuff automatically, and that's sometimes easier.

