Timeout during connect (likely firewall problem)

webstersama · July 10, 2018, 5:12am

I ran this command:
/etc/init.d/CommuniGate stop
letsencrypt certonly --renew -d mail.domain.ru

It produced this output:

Failed authorization procedure. mail.domain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: mail.domain.ru
Type: connection
Detail: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version): as web server we are using CommuniGate pro where 443 port is listening

The operating system my web server runs on is: Ubuntu server 16.04.3 LTS

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

P.S.

i’am already used this commands for successfully obtaining certificate
443 port is open for output and input connections
i’am don’t using any firewall at this server

UPDATE

if CGP server was running, i’am got next error:
MMPrlXNfFSz8GIQ48Zby.jpg887×409 66.7 KB

And if CGP server not running, i’am got error like in 3 question in this topic.

rg305 · July 10, 2018, 5:23am

Which FQDN is it?
mail.domain.com? or mail.domain.ru?
Do you really control either of those names?

webstersama · July 10, 2018, 5:24am

My mistake. I’am updated topic.

rg305 · July 10, 2018, 5:27am

Please show:
more /etc/letsencrypt/renewal/*.conf

webstersama · July 10, 2018, 5:30am

[renewalparams]
no_self_upgrade = False
no_verify_ssl = False
ifaces = None
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = False
staging = False
dry_run = False
work_dir = /var/lib/letsencrypt
tos = False
init = False
http01_port = 80
duplicate = False
noninteractive_mode = False
key_path = None
nginx = False
fullchain_path = /mail/CommuniGate/chain.pem
email = None
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = True
hsts = False
authenticator = standalone
domains = mail.domain.ru,
rsa_key_size = 2048
verb = certonly
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = /mail/CommuniGate/cert.pem
webroot_path = ,
reinstall = False
expand = False
strict_permissions = False
account = 12b72076d61fca9a2dc403dbe21d6f7d
prepare = False
manual_public_ip_logging_ok = False
chain_path = /mail/CommuniGate/chain.pem
break_my_certs = False
standalone = False
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = “tls-sni-01,http-01”
webroot = False
os_packages_only = False
func = <function obtain_cert at 0x7f7d09b22c80>
user_agent = None
debug = False
tls_sni_01_port = 443

rg305 · July 10, 2018, 5:31am

Try reversing the order to:
standalone_supported_challenges = “http-01,tls-sni-01”

and show the public IP used:
dig +short myip.opendns.com @resolver1.opendns.com
or
curl -4 ipinfo.io/ip

webstersama · July 10, 2018, 5:38am

Okay,
reversing the order to “http-01,tls-sni-01” not helped me.

curl ipinfo.io/ip
141.101.230.21

rg305 · July 10, 2018, 5:39am

That IP doesn't match the IP for mail.domain.ru: 193.26.18.116

webstersama · July 10, 2018, 5:40am

Oh sorry, if you need my real DN, it’s mail.yamalzdrav.ru

mail.domain.ru i used for example

rg305 · July 10, 2018, 5:42am

please show:
letsencrypt certificates && letsencrypt --version

webstersama · July 10, 2018, 5:43am

letsencrypt certificates && letsencrypt --version
usage:
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] …

The Let’s Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka “auth”)
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
letsencrypt: error: unrecognized arguments: certificates

rg305 · July 10, 2018, 5:44am

Please show file:
/var/log/letsencrypt/letsencrypt.log

If it is too big:

delete it.
re-run letsencrypt.
show new (smaller) file.

And you can put back the order:
standalone_supported_challenges = “tls-sni-01,http-01”

webstersama · July 10, 2018, 5:58am

Ok, i am done this instructions and got successful result.
Thank you for help.

rg305 · July 10, 2018, 6:00am

Glad to hear that

system · August 9, 2018, 6:00am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.