Timeout during connect (likely firewall problem)

Hello guys,
We are using the Acme Lets Encrypt Plugin for an virtualized OPNsense firewall which is hosted by keyweb.de.
Our customers domain is:
owa.dachverband-dbt.de and office.dachverband-dbt.de

I can login to a root shell on my machine (yes or no, or I don’t know):

The problem is, that configuring the plugin for the first time (about 80 days ago), everything worked ok, I needed to allow 80 TCP and 443 TCP from external so that the http challenge was able to contact the firewall and issue the first certificate onto the firewall. Now the automated renewal doesn’t seem to work, neither does the manual renewal. But I don’t think we’ve changed any firewall rules which would conflict in any wasy. We added some more, changed the “LAN to any allow” ruleset to “LAN only allow HTTP/HTTPS and DNS” and the VMs behind the firewall are able to connect to the internet.

So I SSHd into the firewall and looked at the log and found the following log info under /var/log/acme.sh.log:

[Mon Aug 12 09:31:48 CEST 2019] office.dachverband-dbt.de:Verify error:Fetching http://office.dachverband-dbt.de/.well-known/acme-challenge/A5hfiwj7_gMD2MAQ4DJsvCLWvNs6kqC04rdSAP2wOjo: Timeout during connect (likely firewall problem)

Can someone explain to me while this is not working? It looks like the connections are established successfully, but somehow it doesn’t make its way through the firewall.
I’m using the plugin version 1.23, not sure if it helps, though.

If you need any more info, please ask, I will do my best to give you the information.
Thanks in advance!

1 Like

Hi @support-it

checking your second domain you see the problem - https://check-your-website.server-daten.de/?q=office.dachverband-dbt.de

https works, http doesn't work, only timeouts.

Same checking http + /.well-known/acme-challenge/random-filename.

But it's impossible to see why it doesn't work.

  • a blocking firewall
  • a wrong port forwarding port 80 extern -> port ??? intern
  • a not running http server intern (only https)

There is an IIS 10.0. Is there a running http website?

What says

curl http://office.dachverband-dbt.de/

from a server console?

1 Like

Hi @JuergenAuer,
thanks for your reply.

On the OPNsense we also have HAProxy running with an Exchange 2016 as Backend so that the customer can access OWA without a certificate warning. Is it possible that the problem is, that nothing is listening on port 80? HAProxy only listens on 443, which is pointing to Exchange (“owa.dachverband-dbt.de:443”.
How is it possible that access via owa.dach… is working while office.dach… is not? They are pointing to the same IP address. We use office.dach… to access the OPNsense via WAN and VPN-address.

running your command from the OPNsense gives a HTML 403 forbidden error.

Also: I changed the production to stage environment to be able to issue a few certificates for testing. But now I get a different error:

“detail”: "KeyID header contained an invalid account URL: “https://acme-v01.api.letsencrypt.org/acme/reg/57530081"”,
[Tue Aug 13 09:22:48 CEST 2019] Create new order error. Le_OrderFinalize not found. {
[Tue Aug 13 09:22:48 CEST 2019] Le_OrderFinalize

Is this a problem from changing the environment or might it point to a different problem?
Thanks in advance

Yes, that's the problem.

A working port 80 is required.


Thanks for the info. Port 80 is free firewall-wise.
Now I just need to figure out, how to let something listen on port 80 :wink:

The instance that answers port 443 should be able to answer port 80 / http.

The production and staging environments have separate account databases -- to test things in the staging environment, you have to repeat the registration process in the staging environment too.

so with a combination of creating a listener on port 80 and installing the latest OPNsense firmware I managed to renew the certificate successfully. I created a “80front” public service, listening on with just the acme_redirect_rule active.
Thanks for you help, guys!

Ah, thanks for reporting back. So a firmware update is helpful.

Happy to read that it has worked :+1:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.