Timeout during connect (likely firewall problem)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
[redacted]
I ran this command:
certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/[redacted].conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [redacted]
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ([redacted]) from /etc/letsencrypt/renewal/[redacted].conf produced an unexpected error: Failed authorization procedure. [redacted] (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://[redacted]/.well-known/acme-challenge/rv3491PbwHWwAraSQv1SXHJcWmPM-BEsvWzR2QQD7zA: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/[redacted]/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/[redacted]/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: [redacted]
    Type: connection
    Detail: Fetching
    http://[redacted]/.well-known/acme-challenge/rv3491PbwHWwAraSQv1SXHJcWmPM-BEsvWzR2QQD7zA:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
Apache version 2.4.18
The operating system my web server runs on is (include version):
Ubuntu Linux 16.04
My hosting provider, if applicable, is:
Amazon ec2
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes I can
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
webmin
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.28.0


#2

Hi @ahmedvolks,

It looks like you do have a firewall blocking connections on port 80, which is preventing the validation from succeeding. Could this be in your Amazon EC2 policies? They often have defaults that block quite a lot of ports.

You might also want to use Webmin’s built-in Let’s Encrypt support instead of Certbot (although that won’t fix the firewall problem, which would affect Webmin just as much as Certbot).


#3

Hi Schoen,
Thank you for your reply. Actually, I opened port 80 and had already opened port 443, as below:

Inbound:

Type    Protocol  Port Range  Source     Description
SMTP    TCP       25          0.0.0.0/0
HTTP    TCP       80          0.0.0.0/0
POP3    TCP       110         0.0.0.0/0
IMAP    TCP       143         0.0.0.0/0
HTTPS   TCP       443         0.0.0.0/0
SMTPS   TCP       465         0.0.0.0/0
IMAPS   TCP       993         0.0.0.0/0
POP3S   TCP       995         0.0.0.0/0

Outbound

Type         Protocol  Port Range  Source     Description
All traffic  All       All         0.0.0.0/0

I also tried webmin now and the log tail is shown below:

2019-01-29 04:45:22,417:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: [redacted]
Type: connection
Detail: Fetching http://[redacted]/.well-known/acme-challenge/SCytUPel0iSDnLTJz3GLFxZOaKZOC0l3hAD1Z_wHZ0M: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
[continuation of log redacted]


#4

It still looks filtered by a firewall to me from here. You should check for both host and network firewalls (like both ufw and policy groups), because either can interfere with connections.
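A way to see the same thing the Let's Encrypt validation server sees, as an added example that is not part of this thread: it opens a TCP connection to port 80 with a deadline, tells a timeout (packets silently dropped, the firewall case above) apart from a refusal (host reachable but nothing listening), and then fetches the /.well-known/acme-challenge/ path and compares the body. The token, key authorization and the local test server are constructed for the example; a real check has to be run from a host outside your VPC, because a probe from the instance itself never passes through the EC2 security group.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def classify_connect(host, port, timeout=5.0):
    """Open a plain TCP connection and say why it failed if it did."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.timeout:
        # No SYN-ACK and no RST within the deadline: something drops the
        # packets (security group, ufw, or a provider-level filter).
        return "timeout"
    except ConnectionRefusedError:
        # The host answered with RST: reachable, but no web server bound there.
        return "refused"
    except OSError as exc:
        return f"error: {exc}"


def fetch_challenge(host, port, token, timeout=5.0):
    """Request the challenge file the way the CA does and return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}")
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def preflight(host, port, token, expected_body, timeout=5.0):
    """Full HTTP-01 reachability check; returns 'ok' or a short diagnosis."""
    verdict = classify_connect(host, port, timeout)
    if verdict != "ok":
        return verdict
    status, body = fetch_challenge(host, port, token, timeout)
    if status != 200:
        return f"http {status}"
    if body.strip() != expected_body:
        return "wrong content"
    return "ok"


# --- constructed local stand-in for the web server under test ---------------

class _ChallengeHandler(BaseHTTPRequestHandler):
    # Constructed values; a real client derives these from the ACME order.
    token = "constructed-token"
    key_authorization = "constructed-token.constructed-account-thumbprint"

    def do_GET(self):
        if self.path == f"/.well-known/acme-challenge/{self.token}":
            body = self.key_authorization.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_test_server():
    """Serve the constructed challenge on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def free_port():
    """Pick a loopback port with nothing listening, to show the 'refused' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_test_server()
    p = srv.server_address[1]
    print("served token:", preflight("127.0.0.1", p, _ChallengeHandler.token,
                                     _ChallengeHandler.key_authorization))
    print("unknown token:", preflight("127.0.0.1", p, "nope", "x"))
    print("nothing listening:", classify_connect("127.0.0.1", free_port()))
    srv.shutdown()
```

Against a real host, call `preflight("your.domain", 80, token, key_authorization)` from outside the network; a result of "timeout" points at a firewall layer, "refused" at the web server not listening on port 80, and "http 404" at the challenge file not being served from the path Certbot wrote it to.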


#5

I added port 80 as below and it worked. But port 80 was not used before, is this true?

ufw allow 80

To    Action  From
80    ALLOW   Anywhere
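The host-side half of the check from the previous reply, as an added example that is not part of this thread: it reads the output of `ufw status` and `ss -ltn` and reports, for port 80, whether a ufw ALLOW rule exists and whether the web server is listening on a public address rather than only on loopback (a binding to 127.0.0.1 also produces a connect timeout from outside once the packets get past the firewall). The two sample outputs are constructed, and the parser assumes the usual column layout of those two commands; the security group is the other layer and has to be checked in the EC2 console.

```shell
#!/bin/sh
# Host-level pre-renewal check for the HTTP-01 port (added example).

# ufw_allows PORT STATUS_TEXT -> prints yes|no
# Matches lines such as "80   ALLOW   Anywhere" or "80/tcp   ALLOW IN   Anywhere".
ufw_allows() {
    port="$1"; text="$2"
    if printf '%s\n' "$text" | grep -Eq "^${port}(/tcp)?[[:space:]]+ALLOW([[:space:]]+IN)?[[:space:]]"; then
        echo yes
    else
        echo no
    fi
}

# listen_scope PORT SS_TEXT -> prints public|loopback|none
# Looks at the "Local Address:Port" column of `ss -ltn` for sockets on PORT.
listen_scope() {
    port="$1"; text="$2"
    addrs=$(printf '%s\n' "$text" | awk -v p="$port" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) print $4 }')
    if [ -z "$addrs" ]; then
        echo none
    elif printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|\*|\[::\]):'; then
        echo public
    else
        echo loopback
    fi
}

# check_port PORT UFW_TEXT SS_TEXT -> one-line verdict
check_port() {
    port="$1"
    echo "port $port: ufw=$(ufw_allows "$port" "$2") listen=$(listen_scope "$port" "$3")"
}

# Constructed sample outputs (not captured from a real host).
UFW_SAMPLE='Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
443                        ALLOW       Anywhere'

SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:80        0.0.0.0:*
LISTEN 0      128    *:443               *:*'

# On a live host replace the samples with: check_port 80 "$(ufw status)" "$(ss -ltn)"
check_port 80 "$UFW_SAMPLE" "$SS_SAMPLE"
check_port 443 "$UFW_SAMPLE" "$SS_SAMPLE"
```

With the constructed samples the script reports port 80 as blocked by ufw and bound only to loopback, and port 443 as allowed and public, which is exactly the state that makes HTTPS work while HTTP-01 validation over port 80 times out.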


#6

Any way to hide the details related to my domain please??


#7

There is a change related to limiting the use of port 443 in validations which was announced in January of last year and formally scheduled in October of last year.

In order to prepare for this change, Certbot’s default behavior was changed in releases starting last month:

It’s something of an oversimplification to say “port 80 was not used before”, but it’s true that there’s been a recent change which has meant that Certbot users who were validating over port 443 have been switched to validating over port 80. We’ve been trying to accelerate this process because in the near future the Let’s Encrypt certificate authority will disable TLS-SNI-01 validations entirely, as described in several of the posts I linked to.


#8

I edited your posts in this thread to remove the references to your domain.


#9

Thank you very much for this :slight_smile:


closed #10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.