Timeout during connect (likely firewall problem)


#1

My domain is: chatus.org

I ran this command:
sudo certbot certonly --webroot -d chatus.org -d www.chatus.org --email info@chatus.org -w /var/www/domains/chatus.org/public -n --agree-tos --force-renewal --dry-run

It produced this output:
Failed authorization procedure. www.chatus.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.chatus.org/.well-known/acme-challenge/W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio: Timeout during connect (likely firewall problem), chatus.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://chatus.org/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

My web server is nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is Ubuntu 18.04

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

Firewall rules:
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80 ALLOW IN Anywhere
[ 3] 443 ALLOW IN Anywhere
[ 4] Nginx Full ALLOW IN Anywhere
[ 5] 22/tcp (v6) ALLOW IN Anywhere (v6)
[ 6] 80 (v6) ALLOW IN Anywhere (v6)
[ 7] 443 (v6) ALLOW IN Anywhere (v6)
[ 8] Nginx Full (v6) ALLOW IN Anywhere (v6)


#2

How many times did you try? I cannot reproduce the timeout error with your domain on either Let’s Encrypt’s staging or production services.


#3

At least 10 times with different options, with root /var/www/domains/chatus.org/public, /var/www/_letsencrypt (from https://nginxconfig.io/?domain=chatus.org&path=%2Fvar%2Fwww%2Fdomains%2Fchatus.org&non_www=false)


#4

At this time my Nginx config is just

server {
    server_name chatus.org;
    listen 80;
    root /var/www/domains/chatus.org/public;

    index index.php;

    server_tokens off;
    client_max_body_size 40M;

    location / {
        try_files $uri $uri/ /index.php?_url=$uri&$args;
    }

    # the dot must be escaped: an unescaped "." would also match e.g. "/fooxphp"
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}


#5

Weird.

It’s pretty easy to get a counter-example where it doesn’t time out, e.g. https://acme-staging-v02.api.letsencrypt.org/acme/authz/xEysGSf5W-3sDRnPpSV-svtKCBnJRBbRb4jh4c-CIbM shows your nginx server responding to requests.

The only thing I can think of is that your system stops responding to HTTP requests while Certbot is running.

Do you have any hooks setup?

sudo find /etc/letsencrypt/renewal-hooks -type f

Is this a system with ample resources? Not a Pi or something like that?

free -m
uptime

#6

Command sudo find /etc/letsencrypt/renewal-hooks -type f

Is this a system with ample resources?

Of course it is.

          total        used        free      shared  buff/cache   available
 Mem:     31821        3475       25592         741        2754       27158

It is a real production server with 2 Let's Encrypt certified domains.


#7

Strange for sure.

If you run Certbot with an additional flag:

--debug-challenges -v

and you do NOT continue when prompted, does your webserver remain accessible in e.g. a browser? Can you access the listed challenge URLs while it’s still open?

I wouldn’t mind seeing the /var/log/letsencrypt/letsencrypt.log of a failed attempt, either. At the very least, being able to see the authz URLs (like the one I linked above) might reveal something.

Edit: you might need to get rid of -n (non-interactive) when using the above flags, as they conflict.


#8

Some logs:

2018-12-30 12:44:58,422:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/9Ufd1pxyqfgra0z1xPsCliLNGvw6KRFWeFSHhdToXis.
2018-12-30 12:44:58,643:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/9Ufd1pxyqfgra0z1xPsCliLNGvw6KRFWeFSHhdToXis HTTP/1.1" 200 1540
2018-12-30 12:44:58,645:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1540
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 30 Dec 2018 09:44:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 30 Dec 2018 09:44:58 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "chatus.org"
  },
  "status": "invalid",
  "expires": "2019-01-06T09:44:47Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/9Ufd1pxyqfgra0z1xPsCliLNGvw6KRFWeFSHhdToXis/215137987",
      "token": "Wd1KEyQkR1UkaqDsrH12djki3YQZ6mld1yidW69tYc0"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://chatus.org/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/9Ufd1pxyqfgra0z1xPsCliLNGvw6KRFWeFSHhdToXis/215137988",
      "token": "uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0",
      "validationRecord": [
        {
          "url": "http://chatus.org/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0",
          "hostname": "chatus.org",
          "port": "80",
          "addressesResolved": [
            "188.246.224.71"
          ],
          "addressUsed": "188.246.224.71"
        }
      ]
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/9Ufd1pxyqfgra0z1xPsCliLNGvw6KRFWeFSHhdToXis/215137989",
      "token": "imrgQWWzMz9INeraPgSwoCktwXF9re0NfgzBTsLNy-4"
    }
  ]
}
2018-12-30 12:44:58,646:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/g7zgsbhqsDAKwq9-sHUOMVfKwtJGiUYMnUVAeyezOpE.
2018-12-30 12:44:58,867:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/g7zgsbhqsDAKwq9-sHUOMVfKwtJGiUYMnUVAeyezOpE HTTP/1.1" 200 1556
2018-12-30 12:44:58,868:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1556
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 30 Dec 2018 09:44:58 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 30 Dec 2018 09:44:58 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.chatus.org"
  },
  "status": "invalid",
  "expires": "2019-01-06T09:44:47Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/g7zgsbhqsDAKwq9-sHUOMVfKwtJGiUYMnUVAeyezOpE/215137990",
      "token": "gbNZ0BGZgOqhKWcHF2xD5RbI3ERzdw5xu_w_f2gdekA"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://www.chatus.org/.well-known/acme-challenge/W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/g7zgsbhqsDAKwq9-sHUOMVfKwtJGiUYMnUVAeyezOpE/215137991",
      "token": "W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio",
      "validationRecord": [
        {
          "url": "http://www.chatus.org/.well-known/acme-challenge/W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio",
          "hostname": "www.chatus.org",
          "port": "80",
          "addressesResolved": [
            "188.246.224.71"
          ],
          "addressUsed": "188.246.224.71"
        }
      ]
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/g7zgsbhqsDAKwq9-sHUOMVfKwtJGiUYMnUVAeyezOpE/215137992",
      "token": "H9PB5EkSEA7LsbDpbk-mTnbnWCsoO3i9JXchXYTVCdI"
    }
  ]
}
2018-12-30 12:44:58,870:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.chatus.org
Type:   connection
Detail: Fetching http://www.chatus.org/.well-known/acme-challenge/W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio: Timeout during connect (likely firewall problem)

Domain: chatus.org
Type:   connection
Detail: Fetching http://chatus.org/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-12-30 12:44:58,872:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.chatus.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.chatus.org/.well-known/acme-challenge/W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio: Timeout during connect (likely firewall problem), chatus.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://chatus.org/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0: Timeout during connect (likely firewall problem)

2018-12-30 12:44:58,872:DEBUG:certbot.error_handler:Calling registered functions
2018-12-30 12:44:58,872:INFO:certbot.auth_handler:Cleaning up challenges
2018-12-30 12:44:58,872:DEBUG:certbot.plugins.webroot:Removing /var/www/domains/chatus.org/public/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0
2018-12-30 12:44:58,873:DEBUG:certbot.plugins.webroot:Removing /var/www/domains/chatus.org/public/.well-known/acme-challenge/W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio
2018-12-30 12:44:58,874:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2018-12-30 12:44:58,874:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1254, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.chatus.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.chatus.org/.well-known/acme-challenge/W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio: Timeout during connect (likely firewall problem), chatus.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://chatus.org/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0: Timeout during connect (likely firewall problem)
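A log like the one above is easier to triage when the authorization objects are pulled out and reduced to what matters: which name failed, on which challenge, with what CA error, and which address the CA actually connected to. The script below is an added example (not certbot's own code) that does exactly that for a letsencrypt.log; the sample log inside it is a constructed excerpt in the shape of the one posted above, and the expected-IP set is an assumption you would replace with your own A/AAAA values.

```python
"""Triage a certbot debug log: which authorizations failed, how, and what the CA saw.

Added example, not certbot's own code.  certbot's letsencrypt.log prints every
ACME response body as pretty-printed JSON with "{" and "}" alone on a line, so
the objects can be pulled out without parsing the surrounding log lines.
Authorizations are the objects carrying "identifier" and "challenges"; a failed
challenge carries an "error" and a "validationRecord" naming the address the
CA actually tried, which is the first thing to compare with your A/AAAA records.
"""
import json
from typing import Dict, List, Optional, Set

# Constructed excerpt in the shape of the log above: an order object (no
# "identifier", must be ignored) and two authorizations, one of them failed.
SAMPLE_LOG = """\
2018-12-30 12:44:58,645:DEBUG:acme.client:Received response:
HTTP 201

{
  "status": "pending",
  "identifiers": [{"type": "dns", "value": "chatus.org"}]
}
2018-12-30 12:44:58,645:DEBUG:acme.client:Received response:
HTTP 200

{
  "identifier": {"type": "dns", "value": "chatus.org"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://chatus.org/.well-known/acme-challenge/uGBpm5EXiElO3wsBxe4t_Sgp0cRvmeIl-9m9-BoMDd0: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "validationRecord": [
        {"hostname": "chatus.org", "port": "80",
         "addressesResolved": ["188.246.224.71"], "addressUsed": "188.246.224.71"}
      ]
    }
  ]
}
2018-12-30 12:44:58,868:DEBUG:acme.client:Received response:
HTTP 200

{
  "identifier": {"type": "dns", "value": "www.chatus.org"},
  "status": "pending",
  "challenges": [{"type": "http-01", "status": "pending", "token": "W5NaEmbCUIQ9xHkCj8w1-Ti-mVyVUxB_B35LNq7QMio"}]
}
2018-12-30 12:44:58,870:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
"""


def extract_json_objects(log_text: str) -> List[dict]:
    """Every JSON object the log printed on its own lines ("{" ... "}" at column 0)."""
    objects, buf, inside = [], [], False
    for line in log_text.splitlines():
        if not inside and line == "{":
            inside, buf = True, [line]
        elif inside:
            buf.append(line)
            if line == "}":
                inside = False
                try:
                    objects.append(json.loads("\n".join(buf)))
                except json.JSONDecodeError:
                    pass  # truncated or non-JSON block: skip it
    return objects


def summarize_failed_authz(log_text: str, expected_ips: Optional[Set[str]] = None) -> List[Dict]:
    """One row per failed challenge; with expected_ips, flag whether the CA hit one of them."""
    rows = []
    for obj in extract_json_objects(log_text):
        if "identifier" not in obj or "challenges" not in obj:
            continue  # directory, order or other non-authorization object
        for chall in obj["challenges"]:
            err = chall.get("error")
            if not err:
                continue
            record = (chall.get("validationRecord") or [{}])[-1]  # last attempt wins
            used = record.get("addressUsed", "?")
            rows.append({
                "identifier": obj["identifier"]["value"],
                "challenge": chall["type"],
                "error_type": err.get("type", ""),
                "detail": err.get("detail", ""),
                "address_used": used,
                "port": record.get("port", "?"),
                "address_expected": None if expected_ips is None else used in expected_ips,
            })
    return rows


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for row in summarize_failed_authz(text, expected_ips={"188.246.224.71"}):  # assumed expected IP
        print(f"{row['identifier']:<18} {row['challenge']:<8} via {row['address_used']}:{row['port']}"
              f"  expected={row['address_expected']}  {row['error_type']}")
        print(f"    {row['detail']}")
```

Run it as `python3 triage.py /var/log/letsencrypt/letsencrypt.log` after a failed attempt; a row whose `address_used` is not one of your own addresses points at DNS rather than at the firewall, while a correct address with `error:connection` points at the path between the CA and port 80 on that host.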

#9

Please place a test text file in that location (as follows):
mkdir /var/www/domains/chatus.org/public/.well-known
mkdir /var/www/domains/chatus.org/public/.well-known/acme-challenge
echo "test file OK" > /var/www/domains/chatus.org/public/.well-known/acme-challenge/1234

Also, I do seem to get 403 for the rest of the site - not sure if that is normal and expected.
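The test-file check suggested above can be automated so it runs before every issuance. The following is an added example (not certbot's or nginx's own tooling): it writes a random token under the webroot, fetches it through the public URL the CA would use, and classifies the result the way the CA's error would, where a connect timeout is this thread's "likely firewall problem" case and a 403/404 means the request reached a different webroot or server block. Its `run_local_demo()` uses a loopback `http.server` and a deliberately silent listener, both constructed for the example; in real use you would call `preflight('/var/www/domains/chatus.org/public', 'http://chatus.org')`.

```python
"""Pre-flight for an http-01 webroot: does the public URL really serve the file
certbot is about to write there?

Added example, not certbot's or nginx's own tooling.  It automates the test-file
check from the thread and classifies the outcome the way the CA's error would:
a connect timeout is the "likely firewall problem" case, a 403/404 means the
request reached a different webroot or server block, a body mismatch means some
other host answered for the name.  run_local_demo() uses a loopback http.server
and a deliberately silent listener, both constructed for this example.
"""
import functools
import os
import secrets
import shutil
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")
_KEEP_OPEN: list = []   # demo servers/sockets kept referenced so their ports stay open


def preflight(webroot: str, base_url: str, timeout: float = 10.0) -> dict:
    """Write a random token under webroot, fetch it through base_url, then clean up."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    chall_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chall_dir, exist_ok=True)
    path = os.path.join(chall_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status, served = resp.status, resp.read().decode("ascii", "replace")
        result = "ok" if served.strip() == body else "mismatch"
        detail = f"HTTP {status}" + ("" if result == "ok" else ", different body: another host answered?")
    except urllib.error.HTTPError as exc:
        result, detail = "http_error", f"HTTP {exc.code}: wrong webroot or server block?"
    except urllib.error.URLError as exc:            # connect-phase failures arrive wrapped
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            result, detail = "timeout", "connect timed out: firewall, NAT or wrong A/AAAA record?"
        elif isinstance(exc.reason, ConnectionRefusedError):
            result, detail = "refused", "nothing listening on that port"
        else:
            result, detail = "error", str(exc.reason)
    except (socket.timeout, TimeoutError):          # TCP connected, but no HTTP answer in time
        result, detail = "timeout", "connected but no response: server hung or stopped?"
    finally:
        os.remove(path)                              # same cleanup certbot does after a challenge
    return {"result": result, "detail": detail, "url": url}


def _serve(directory: str) -> str:
    """Serve directory on a random loopback port in a daemon thread; return its base URL."""
    handler = functools.partial(SimpleHTTPRequestHandler, directory=directory)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    _KEEP_OPEN.append(srv)
    return f"http://127.0.0.1:{srv.server_address[1]}"


def _silent_listener() -> str:
    """A socket that completes the TCP handshake but never answers: the hung-host case."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    _KEEP_OPEN.append(sock)
    return f"http://127.0.0.1:{sock.getsockname()[1]}"


def run_local_demo() -> dict:
    """Constructed scenarios: correct webroot, wrong webroot, unresponsive host."""
    served_root, other_root = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        base = _serve(served_root)
        return {
            "right_webroot": preflight(served_root, base, timeout=5)["result"],
            "wrong_webroot": preflight(other_root, base, timeout=5)["result"],
            "hung_host": preflight(served_root, _silent_listener(), timeout=0.5)["result"],
        }
    finally:
        shutil.rmtree(served_root, ignore_errors=True)
        shutil.rmtree(other_root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # real use: preflight.py /var/www/domains/chatus.org/public http://chatus.org
        print(preflight(sys.argv[1], sys.argv[2]))
    else:
        print(run_local_demo())
```

Note that running this on the server itself only proves the path from that host; the CA connects from outside, so a passing local check with a still-failing CA validation narrows the problem to something between the internet and port 80 (firewall, NAT, or a per-source block), which is where the thread's error message points.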


#10

This will fail to match:

You need to include:
server_alias www.chatus.org;
or maybe it’s on one line (for NGINX)
server_name chatus.org www.chatus.org;
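The server_name point above is worth seeing mechanically: a Host that appears in no server_name does not produce an error, it silently lands in the default server for that port, which may have a different root. The following is an added example (not nginx's or certbot's own code): a minimal parser for nginx server blocks that applies nginx's name-matching order and reports which block, or which default server, answers chatus.org and www.chatus.org on port 80. The config inside it is a constructed sample built from the block posted earlier in this thread plus a second, unrelated default block.

```python
"""Which nginx server block answers a given Host header on port 80?

Added example, not nginx's or certbot's own code.  nginx picks the block by
matching Host against server_name: exact name first, then the longest wildcard
starting with "*", then the longest wildcard ending with "*", then regex names.
A host listed nowhere falls through to the default server for that listen
socket.  Regex names (~...) are listed but never matched here, and "#" inside
quoted values is not special-cased.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample: the block posted above plus an unrelated default block.
SAMPLE_CONFIG = r"""
server {
    server_name chatus.org;
    listen 80;
    root /var/www/domains/chatus.org/public;
    location / { try_files $uri $uri/ /index.php?_url=$uri&$args; }
    location ~ \.php$ { root /elsewhere; fastcgi_pass unix:/run/php/php7.2-fpm.sock; }
}
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name other.example;
    root /srv/other;
}
"""

_DIRECTIVE = re.compile(r"^\s*(server_name|listen|root)\s+([^;]+);", re.M)


def _listen_port(value: str) -> str:
    """'80', '[::]:80 default_server', '0.0.0.0:80' -> '80'; an address alone means 80."""
    addr = value.split()[0]
    if addr.isdigit():
        return addr
    _, sep, port = addr.rpartition(":")
    return port if sep and port.isdigit() else "80"


def parse_server_blocks(config: str) -> List[dict]:
    """One dict per server block: names, ports, root and the default_server flag."""
    config = re.sub(r"#[^\n]*", "", config)                  # strip comments
    blocks = []
    for m in re.finditer(r"\bserver\s*\{", config):
        depth, i, top = 1, m.end(), []
        while i < len(config) and depth:                      # walk to the matching brace
            ch = config[i]
            depth += (ch == "{") - (ch == "}")
            if depth == 1 and ch not in "{}":
                top.append(ch)                                # keep server-level text only
            i += 1
        block = {"names": [], "ports": [], "root": None, "default": False}
        for directive, value in _DIRECTIVE.findall("".join(top)):
            value = value.strip()
            if directive == "server_name":
                block["names"] += value.split()
            elif directive == "listen":
                block["ports"].append(_listen_port(value))
                block["default"] = block["default"] or "default_server" in value
            else:
                block["root"] = value
        block["ports"] = block["ports"] or ["80"]             # no listen directive: *:80
        blocks.append(block)
    return blocks


def _matches(name: str, host: str) -> bool:
    name, host = name.lower(), host.lower().rstrip(".")
    if name.startswith("~"):
        return False
    if name.startswith("."):            # ".chatus.org" means chatus.org and *.chatus.org
        return host == name[1:] or host.endswith(name)
    if name.startswith("*."):
        return host.endswith(name[1:])
    if name.endswith(".*"):
        return host.startswith(name[:-1])
    return host == name


def find_server_for(config: str, host: str, port: str = "80") -> Optional[Tuple[str, dict]]:
    """(matched server_name, block) serving host:port, or None when the default server gets it."""
    best = None
    for block in parse_server_blocks(config):
        for name in block["names"]:
            if port not in block["ports"] or not _matches(name, host):
                continue
            rank = (0, 0) if name.lower() == host.lower() else \
                ((1 if name.startswith(("*", ".")) else 2), -len(name))
            if best is None or rank < best[0]:
                best = (rank, name, block)
    return None if best is None else (best[1], best[2])


def default_server_for(config: str, port: str = "80") -> Optional[dict]:
    """Block that catches unmatched hosts: the one flagged default_server, else the first listener."""
    listeners = [b for b in parse_server_blocks(config) if port in b["ports"]]
    return next((b for b in listeners if b["default"]), listeners[0] if listeners else None)


if __name__ == "__main__":
    for host in ("chatus.org", "www.chatus.org"):
        hit = find_server_for(SAMPLE_CONFIG, host)
        print(host, "->", f"server_name {hit[0]}, root {hit[1]['root']}" if hit
              else f"no match, default server root {default_server_for(SAMPLE_CONFIG)['root']}")
```

With the posted config, `chatus.org` resolves to the block with the webroot certbot writes to, while `www.chatus.org` matches nothing and goes to whichever block is the default for port 80; adding `www.chatus.org` to `server_name` (or using the `.chatus.org` shorthand) makes both names land in the same root.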


#11

You can check http://chatus.org/.well-known/acme-challenge/1234

Meanwhile the error still occurs.


#12
simbiot@server:/var/www/domains/robochat.io$ sudo certbot certonly --webroot -d chatus.org -d www.chatus.org -w /var/www/domains/chatus.org/public --agree-tos --force-renewal --dry-run --debug-challenges -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f53d417d860>
Prep: True
Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f53d417d860> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f53d3fcf9e8>)>), contact=(), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/6282435', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), d54a3926cffd9e635d21a9b0a59fdf87, Meta(creation_dt=datetime.datetime(2018, 6, 13, 17, 27, 45, tzinfo=<UTC>), creation_host='ns3368347.ip-37-187-88.eu'))>
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 724
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 724
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 31 Dec 2018 08:42:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 31 Dec 2018 08:42:05 GMT
Connection: keep-alive

{
  "HSCTNCmVN9M": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
Obtaining a new certificate
Requesting fresh nonce
Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 204 0
Received response:
HTTP 204
Server: nginx
Replay-Nonce: Nzx1E3VIioCvKPGKfxkjajRJ-mjskHHJ816Jjy31UQw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 31 Dec 2018 08:42:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 31 Dec 2018 08:42:05 GMT
Connection: keep-alive


Storing nonce: Nzx1E3VIioCvKPGKfxkjajRJ-mjskHHJ816Jjy31UQw
JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "chatus.org"\n    },\n    {\n      "type": "dns",\n      "value": "www.chatus.org"\n    }\n  ]\n}'
Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC82MjgyNDM1IiwgIm5vbmNlIjogIk56eDFFM1ZJaW9DdktQR0tmeGtqYWpSSi1tanNrSEhKODE2Smp5MzFVUXciLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "eX-S4qf-bytkhQYNKTZvuUVQq-XTc4u3xedA7G1mFWJ50c6EgRJt4aDR7hCby2hW6k2dUOTuSvksQrF7IVglcYtPfE_Up_n50v5VyTKnalZ9i2LRsCO7LpL5UGG7GTjwxEnq-aT5iH-BQO-VXwdpK1d3ZpU1Ue3ZVBd3RjoaZBV18d3Qj6GMHy6oPbl8nRP0JHVj6ZrF4xMbrjzf0x8R5zJYPxynzjZ-MPLY2YPMOPE-9LGcL9-Ez2Lo-KTKtK4boYiLK48GxigqRxOku_Q6WhwKPVd53ipuSQFTEAfs3A_WJH1owaqz7LW3gaDIAvXqcAiSI12u5z6IkSwDKv8JLw",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImNoYXR1cy5vcmciCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAid3d3LmNoYXR1cy5vcmciCiAgICB9CiAgXQp9"
}
https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 546
Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 546
Boulder-Requester: 6282435
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/6282435/17893875
Replay-Nonce: 1gzQRQG6d-DaKz6qdkLBTorTXaaiSFgbCT7Q7EY1OKU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 31 Dec 2018 08:42:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 31 Dec 2018 08:42:06 GMT
Connection: keep-alive

{
  "status": "pending",
  "expires": "2019-01-07T08:40:02Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "chatus.org"
    },
    {
      "type": "dns",
      "value": "www.chatus.org"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/BQKT1cQPjkXvAh9_ghMWBKlYRlcyeqI60CAdIBBqEKc",
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/4JAubsucr5VWSd59bqsq09cFP_7urGvNk72ME09dxA8"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/6282435/17893875"
}
Storing nonce: 1gzQRQG6d-DaKz6qdkLBTorTXaaiSFgbCT7Q7EY1OKU
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/BQKT1cQPjkXvAh9_ghMWBKlYRlcyeqI60CAdIBBqEKc.
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/BQKT1cQPjkXvAh9_ghMWBKlYRlcyeqI60CAdIBBqEKc HTTP/1.1" 200 923
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 923
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 31 Dec 2018 08:42:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 31 Dec 2018 08:42:06 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "chatus.org"
  },
  "status": "pending",
  "expires": "2019-01-07T08:40:02Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/BQKT1cQPjkXvAh9_ghMWBKlYRlcyeqI60CAdIBBqEKc/215567349",
      "token": "_0-XjayK-21l4WvcTkSl9jMigiR8Up6MljQtDo5y5FY"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/BQKT1cQPjkXvAh9_ghMWBKlYRlcyeqI60CAdIBBqEKc/215567350",
      "token": "sK4XWAX2e40PVuyAYWDmL7wzMQE1GG2i5srwSblAyhs"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/BQKT1cQPjkXvAh9_ghMWBKlYRlcyeqI60CAdIBBqEKc/215567351",
      "token": "ppIvTy4bA2xq3kmIbz4T4BNRyKv-19DwT_SkvKyNUTU"
    }
  ]
}
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/4JAubsucr5VWSd59bqsq09cFP_7urGvNk72ME09dxA8.
https://acme-staging-v02.api.letsencrypt.org:443 "GET /acme/authz/4JAubsucr5VWSd59bqsq09cFP_7urGvNk72ME09dxA8 HTTP/1.1" 200 927
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 927
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 31 Dec 2018 08:42:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 31 Dec 2018 08:42:06 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.chatus.org"
  },
  "status": "pending",
  "expires": "2019-01-07T08:40:02Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/4JAubsucr5VWSd59bqsq09cFP_7urGvNk72ME09dxA8/215567352",
      "token": "jpAO4TzkuOzvVUpooy_Gun-vrkfO6yf9qDP_p8RHu6E"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/4JAubsucr5VWSd59bqsq09cFP_7urGvNk72ME09dxA8/215567353",
      "token": "cXf64r7SKaxkQ7n8l-ilyBcxgx6o-cnSc4oNKeQTYu4"
    },
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/4JAubsucr5VWSd59bqsq09cFP_7urGvNk72ME09dxA8/215567354",
      "token": "tTCmGTHWr4RxE8PDNLrd4PlaYRtc4IumgcfwjhAgoEE"
    }
  ]
}
Performing the following challenges:
http-01 challenge for chatus.org
http-01 challenge for www.chatus.org
Using the webroot path /var/www/domains/chatus.org/public for all unmatched domains.
Creating root challenges validation dir at /var/www/domains/chatus.org/public/.well-known/acme-challenge
Creating root challenges validation dir at /var/www/domains/chatus.org/public/.well-known/acme-challenge
Attempting to save validation to /var/www/domains/chatus.org/public/.well-known/acme-challenge/sK4XWAX2e40PVuyAYWDmL7wzMQE1GG2i5srwSblAyhs
Attempting to save validation to /var/www/domains/chatus.org/public/.well-known/acme-challenge/tTCmGTHWr4RxE8PDNLrd4PlaYRtc4IumgcfwjhAgoEE
Waiting for verification...

#13

Some further ideas to try to diagnose:

  1. Are you running either nginx or Certbot in a Docker container? Your symptoms resemble those in this [unsolved] report: https://github.com/certbot/certbot/issues/5231

  2. If you first stop nginx and try to issue the certificate using standalone, does it still fail? Not that you should rely on this, but it might help tighten the search for the problem.

    sudo certbot certonly --standalone -d chatus.org -d www.chatus.org --dry-run

#14

No docker or any stuff like this.

Unfortunately it is a production server as I mentioned above so I cannot do that.
I just changed A DNS record of chatus.org and linked it to another test server.

So I will check your ideas


#15

As I thought, the command sudo certbot certonly --webroot -d chatus.org -d www.chatus.org -w /var/www/domains/chatus.org/public --agree-tos --force-renewal --dry-run works well; the dry run was successful.

But I am still curious what’s wrong with the production server.




#17

Have you tried port forwarding on your network? It might be a little less secure; however, opening port 80 should fix the problem.

