Timeout during connect (likely firewall problem)

My domain is: circuitdigest.com

I ran this command: /opt/letsencrypt/letsencrypt-auto renew --dry-run

It produced this output: No output, just going blank

The operating system my web server runs on is (include version): Using CentOS 6/Apache-2.2.15 /Linode_VPS/single domain running on VPS and manually edited the vhost file.

Using the command below in crontab to auto-renew certificates: /opt/letsencrypt/letsencrypt-auto certonly --renew-by-default --webroot -w /var/www/html/example.com/ -d example.com -d www.example.com

It was all working perfectly, but the last attempt failed, logging the lines below in the /var/log/letsencrypt/letsencrypt-auto-update.log file:

Domain: circuitdigest.com
Type: connection
Detail: Fetching https://circuitdigest.com/.well-known/acme-challenge/_0zU_G15fcmPzK9PjEICA5jQBn71dcfS3rIcH5QSMOE: Timeout during connect (likely firewall problem)

Hi @jayant

you have ipv4- and ipv6 addresses ( https://check-your-website.server-daten.de/?q=circuitdigest.com ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| circuitdigest.com | A | 45.79.103.90 | yes | 1 | 0 |
| | AAAA | 2600:3c01::f03c:91ff:fea8:473 | yes | | |
| www.circuitdigest.com | A | 45.79.103.90 | yes | 1 | 0 |
| | AAAA | 2600:3c01::f03c:91ff:fea8:473 | yes | | |

But your ipv6 doesn't work, only timeouts:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://circuitdigest.com/ 45.79.103.90 | 301 | https://circuitdigest.com/ | 0.340 | A |
| http://www.circuitdigest.com/ 45.79.103.90 | 301 | https://circuitdigest.com/ | 0.340 | E |
| http://circuitdigest.com/ 2600:3c01::f03c:91ff:fea8:473 | -14 | Timeout - The operation has timed out | 10.030 | T |
| http://www.circuitdigest.com/ 2600:3c01::f03c:91ff:fea8:473 | -14 | Timeout - The operation has timed out | 10.023 | T |
| https://www.circuitdigest.com/ 45.79.103.90 | 301 | https://circuitdigest.com/ | 1.576 | B |
| https://circuitdigest.com/ 45.79.103.90 | 200 | | 2.194 | I |
| https://circuitdigest.com/ 2600:3c01::f03c:91ff:fea8:473 | -14 | Timeout - The operation has timed out | 21.016 | T |
| https://www.circuitdigest.com/ 2600:3c01::f03c:91ff:fea8:473 | -14 | Timeout - The operation has timed out | 10.027 | T |
| http://circuitdigest.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 45.79.103.90 | 301 | https://circuitdigest.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.343 | A |
| Visible Content: Moved Permanently The document has moved here . Apache/2.2.15 (CentOS) Server at circuitdigest.com Port 80 | | | | |
| http://www.circuitdigest.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 45.79.103.90 | 301 | https://circuitdigest.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.343 | E |
| Visible Content: Moved Permanently The document has moved here . Apache/2.2.15 (CentOS) Server at www.circuitdigest.com Port 80 | | | | |
| http://circuitdigest.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2600:3c01::f03c:91ff:fea8:473 | -14 | Timeout - The operation has timed out | 10.027 | T |
| Visible Content: | | | | |
| http://www.circuitdigest.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2600:3c01::f03c:91ff:fea8:473 | -14 | Timeout - The operation has timed out | 10.024 | T |
| Visible Content: | | | | |
| https://circuitdigest.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | -14 | Timeout - The operation has timed out | 10.026 | T |
| Visible Content: | | | | |

Letsencrypt prefers ipv6, so this is critical.

Is ipv6 configured? Perhaps

<VirtualHost  *:80 [::]:80 ...

may be enough. It looks "only" like a timeout (not configured), not a blocking firewall.


But it was working fine previously; why is it now using IPv6?
I also tried changing the vhost to support IPv6, but it is still not resolved.
Is there any way to update the certificates with ipv4 only?

Perhaps you have used tls-sni-01 validation; that's deprecated, and support has been stopped.

Remove your ipv6 (temporarily), then create a new certificate, then try to fix your ipv6.

You can test your configuration with the ipv6 address - and without having a dns entry. Use the ip and your domain name as additional hostname.

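The per-address test suggested in the last reply, as an added example that is not part of the original thread: it connects to an IP literal while sending the domain as the Host header, so the IPv4 and IPv6 addresses can be checked separately and without a DNS entry. The token name in the path and all function names are assumptions made for illustration.

```python
import http.client
import socket
import sys

# Constructed token name; any path under /.well-known/acme-challenge/ will do.
CHALLENGE_PATH = "/.well-known/acme-challenge/connectivity-test"


def resolve(hostname, port=80):
    """Return every A and AAAA address as sorted (family, ip) pairs."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return sorted({("IPv6" if fam == socket.AF_INET6 else "IPv4", addr[0])
                   for fam, _, _, _, addr in infos})


def probe(ip, hostname, port=80, path=CHALLENGE_PATH, timeout=10.0):
    """Connect to the IP literal, send Host: hostname, return status or error."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        # An explicit Host header replaces the one http.client would derive
        # from the IP, so the right virtual host answers without any DNS entry.
        conn.request("GET", path, headers={"Host": hostname})
        return conn.getresponse().status
    except socket.timeout:
        return "timeout"
    except (OSError, http.client.HTTPException) as exc:
        return "error: " + exc.__class__.__name__
    finally:
        conn.close()


def diagnose(hostname, addresses, port=80, timeout=10.0):
    """Probe each (family, ip) pair; return (family, ip, result) tuples."""
    return [(fam, ip, probe(ip, hostname, port, timeout=timeout))
            for fam, ip in addresses]


def unreachable(results):
    """Addresses that gave no HTTP response; any status code counts as reachable."""
    return [(fam, ip) for fam, ip, res in results if not isinstance(res, int)]


if __name__ == "__main__" and len(sys.argv) > 1:
    results = diagnose(sys.argv[1], resolve(sys.argv[1]))
    for fam, ip, res in results:
        print(fam, ip, res)
    sys.exit(1 if unreachable(results) else 0)
```

Run with the domain as the only argument; a non-zero exit status means at least one published address did not answer on port 80.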
