Timeout during connect (likely firewall problem)

Hi All,

My domain is: abnetworksolutions.ca

I ran this command: acme-client -v mail.abnetworksolutions.ca

It produced this output:

[snip..]
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/397928243526
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/397928243536
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/405735867426
acme-client: 104.157.107.22: Fetching http://abnetworksolutions.ca/.well-known/acme-challenge/zeByDEQaq8bdBIoxrvnTNxYx6Y_zhRPcDdNalgFRTgU: Timeout during connect (likely firewall problem)
acme-client: bad exit: netproc(25486): 1

My web server is (include version):

OpenBSD 7.4 httpd

The cool part here guys, is that tcpdump doesn't show any connection attempt from that Telus ASN 6327 IP. I don't see any attempt from any IP when it fails. Of course, I've tried disabling all blocks in pf, but if tcpdump doesn't see the HTTP attempt - I can't be blocking it.

It was working for a few years, and there is maybe an issue on your end having a block to my IP.

Thoughts?
Ian.

Hi @ian2024, and welcome to the LE community forum :slight_smile:

That is usually the problem.
Which firewall are you using?
Does it have a rule to allow HTTP?
Ensure that the Internet can reach your server via HTTP.

2 Likes

That's because it's the destination of the ACME server validation attempts :wink: Not "from".

Also, your host at 104.157.107.22 seems to be down entirely: no ping replies, no open ports when scanned with NMap, nothing.

I see your www subdomain has 184.69.216.82 as A RR. Did you perhaps forget to change the apex domain to a new IP address?

4 Likes

Hey guys,

Huh.. well that's interesting..

Thanks for pointing out that's the destination address, not the Let's Encrypt source!

www.abnetworksolutions.ca
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: www.abnetworksolutions.ca
Address: 184.69.216.82

abnetworksolutions.ca
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: abnetworksolutions.ca
Address: 104.157.107.22

That's not a DNS issue I'd expect.

Let me get into that and fix it.. wow.

Thanks!
Ian

4 Likes

For some reason, it was set up as a DYN address.. and had some random Telus IP.

I switched it to fixed, as it's not moving around..

and, like that, the cert is renewed!

I appreciate the help guys!
Ian.

3 Likes
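The diagnosis reached in this thread, as an added example that is not part of any post or of acme-client itself: the address in the acme-client error is where the CA tried to connect, so comparing it (and each name's A record) against the server's real address exposes a stale record before you touch the firewall. The function names, the choice of 184.69.216.82 as the server's address, and the injected resolver are assumptions; the log line and DNS answers are copied from the posts above.

```python
import re
import socket

# Error line format as quoted in the thread:
#   acme-client: <ip>: Fetching http://<host>/.well-known/acme-challenge/<token>: <detail>
ERR_RE = re.compile(
    r"^acme-client: (?P<ip>[0-9a-fA-F.:]+): Fetching "
    r"http://(?P<host>[^/\s]+)/\.well-known/acme-challenge/\S+: (?P<detail>.+)$"
)
# Log line and nslookup answers taken from the thread (pre-fix state).
SAMPLE_LOG = (
    "acme-client: 104.157.107.22: Fetching http://abnetworksolutions.ca/.well-known/"
    "acme-challenge/zeByDEQaq8bdBIoxrvnTNxYx6Y_zhRPcDdNalgFRTgU: "
    "Timeout during connect (likely firewall problem)\n"
    "acme-client: bad exit: netproc(25486): 1\n"
)
THREAD_DNS = {"abnetworksolutions.ca": {"104.157.107.22"},
              "www.abnetworksolutions.ca": {"184.69.216.82"}}

def system_resolver(name):
    """Addresses the local resolver returns for name (empty set on failure)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)}
    except socket.gaierror:
        return set()

def diagnose(log_text, server_ips, cert_names, resolve=system_resolver):
    """Return findings for failed HTTP-01 fetches and for names with stale records."""
    server_ips, findings = set(server_ips), []
    for line in log_text.splitlines():
        m = ERR_RE.match(line.strip())
        if not m:
            continue
        # The IP is the destination the validator connected to, not its source.
        if m["ip"] not in server_ips:
            findings.append(f"{m['host']}: CA connected to {m['ip']}, not this server; fix DNS")
        else:
            findings.append(f"{m['host']}: CA reached {m['ip']} but failed: {m['detail']}")
    for name in cert_names:
        for addr in sorted(resolve(name) - server_ips):
            findings.append(f"{name}: resolves to {addr}, which is not this server")
    return findings

if __name__ == "__main__":
    # Assumption: 184.69.216.82 (the www record) is the server's real address.
    for f in diagnose(SAMPLE_LOG, {"184.69.216.82"}, THREAD_DNS,
                      resolve=lambda n: THREAD_DNS.get(n, set())):
        print(f)
```

Drop the `resolve=` argument to query live DNS with the system resolver instead of the embedded answers.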
