Timeout during connect (likely firewall problem)

My domain is: mail.domain.ru

I ran this command:
/etc/init.d/CommuniGate stop
letsencrypt certonly --renew -d mail.domain.ru

It produced this output:

Failed authorization procedure. mail.domain.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during connect (likely firewall problem)


  • The following errors were reported by the server:

    Domain: mail.domain.ru
    Type: connection
    Detail: Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): as web server we are using CommuniGate pro where 443 port is listening

The operating system my web server runs on is: Ubuntu server 16.04.3 LTS

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no


  • i’am already used this commands for successfully obtaining certificate
  • 443 port is open for output and input connections
  • i’am don’t using any firewall at this server


Which FQDN is it?
mail.domain.com? or mail.domain.ru?
Do you really control either of those names?

My mistake. I’am updated topic.

Please show:
more /etc/letsencrypt/renewal/*.conf

no_self_upgrade = False
no_verify_ssl = False
ifaces = None
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = False
staging = False
dry_run = False
work_dir = /var/lib/letsencrypt
tos = False
init = False
http01_port = 80
duplicate = False
noninteractive_mode = False
key_path = None
nginx = False
fullchain_path = /mail/CommuniGate/chain.pem
email = None
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = True
hsts = False
authenticator = standalone
domains = mail.domain.ru,
rsa_key_size = 2048
verb = certonly
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = /mail/CommuniGate/cert.pem
webroot_path = ,
reinstall = False
expand = False
strict_permissions = False
account = 12b72076d61fca9a2dc403dbe21d6f7d
prepare = False
manual_public_ip_logging_ok = False
chain_path = /mail/CommuniGate/chain.pem
break_my_certs = False
standalone = False
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = “tls-sni-01,http-01”
webroot = False
os_packages_only = False
func = <function obtain_cert at 0x7f7d09b22c80>
user_agent = None
debug = False
tls_sni_01_port = 443

Try reversing the order to:
standalone_supported_challenges = “http-01,tls-sni-01”

and show the public IP used:
dig +short myip.opendns.com @resolver1.opendns.com
curl -4 ipinfo.io/ip

reversing the order to “http-01,tls-sni-01” not helped me.

curl ipinfo.io/ip

That IP doesn't match the IP for mail.domain.ru:

Oh sorry, if you need my real DN, it’s mail.yamalzdrav.ru

mail.domain.ru i used for example

please show:
letsencrypt certificates && letsencrypt --version

letsencrypt certificates && letsencrypt --version
letsencrypt [SUBCOMMAND] [options] [-d domain] [-d domain] …

The Let’s Encrypt agent can obtain and install HTTPS/TLS/SSL certificates. By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

(default) run Obtain & install a cert in your current webserver
certonly Obtain cert, but do not install it (aka “auth”)
install Install a previously obtained cert in a server
renew Renew previously obtained certs that are near expiry
revoke Revoke a previously obtained certificate
rollback Rollback server configuration changes made during install
config_changes Show changes made to server config during installation
plugins Display information about installed plugins
letsencrypt: error: unrecognized arguments: certificates

Please show file:

If it is too big:

  1. delete it.
  2. re-run letsencrypt.
  3. show new (smaller) file.

And you can put back the order:
standalone_supported_challenges = “tls-sni-01,http-01”

1 Like

Ok, i am done this instructions and got successful result.
Thank you for help.

Glad to hear that :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.