Oddly enough, I am able to access my website from multiple sources outside my local network, and nmap -p80,443 on the domain names also shows that they are open. I just can't create new certs for any of my websites. Ran into this issue when generating new certs for cal.philiptk.com, as I've done the necessary config for http in nginx.
Am I missing something obvious here? The letsdebug.net site also throws an error...
My domain is: cal.philiptk.com
I ran this command: certbot --nginx -v
It produced this output:
root@web-proxy:~ # certbot --nginx -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
1: philiptk.com
2: cal.philiptk.com
3: www.philiptk.com
4: thomas-pk.com
5: photos.thomas-pk.com
6: www.thomas-pk.com
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
You have an existing certificate that contains a portion of the domains you
requested (ref: /usr/local/etc/letsencrypt/renewal/www.thomas-pk.com.conf)
It contains these names: philiptk.com, photos.thomas-pk.com, thomas-pk.com,
www.philiptk.com, www.thomas-pk.com
You requested these names for the new certificate: philiptk.com,
cal.philiptk.com, www.philiptk.com, thomas-pk.com, photos.thomas-pk.com,
www.thomas-pk.com.
Do you want to expand and replace this existing certificate with the new
certificate?
(E)xpand/(C)ancel: E
Renewing an existing certificate for philiptk.com and 5 more domains
Performing the following challenges:
http-01 challenge for cal.philiptk.com
http-01 challenge for philiptk.com
http-01 challenge for photos.thomas-pk.com
http-01 challenge for thomas-pk.com
http-01 challenge for www.philiptk.com
http-01 challenge for www.thomas-pk.com
Waiting for verification...
Challenge failed for domain cal.philiptk.com
Challenge failed for domain philiptk.com
Challenge failed for domain photos.thomas-pk.com
Challenge failed for domain thomas-pk.com
Challenge failed for domain www.philiptk.com
Challenge failed for domain www.thomas-pk.com
http-01 challenge for cal.philiptk.com
http-01 challenge for philiptk.com
http-01 challenge for photos.thomas-pk.com
http-01 challenge for thomas-pk.com
http-01 challenge for www.philiptk.com
http-01 challenge for www.thomas-pk.com
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: cal.philiptk.com
Type: connection
Detail: 158.140.144.217: Fetching http://cal.philiptk.com/.well-known/acme-challenge/QJbDpPEHecrAOa8iHpNrO09o_jBAOWOgUYRlyCeeATk: Timeout during connect (likely firewall problem)
Domain: philiptk.com
Type: connection
Detail: 158.140.144.217: Fetching http://philiptk.com/.well-known/acme-challenge/cxL_fQT64v2sR5sqQigY3spGbwDiXicDGyfkrDGpI1E: Timeout during connect (likely firewall problem)
Domain: photos.thomas-pk.com
Type: connection
Detail: 158.140.144.217: Fetching http://photos.thomas-pk.com/.well-known/acme-challenge/fEuElgNARNX-UCzzCjI7KG1WyJVCpH76y4ijQRHoEg8: Timeout during connect (likely firewall problem)
Domain: thomas-pk.com
Type: connection
Detail: 158.140.144.217: Fetching http://thomas-pk.com/.well-known/acme-challenge/lb6OzYW7l-Nkx8-bX9I9AMQs9miD0AoJgYvr-A1eco8: Timeout during connect (likely firewall problem)
Domain: www.philiptk.com
Type: connection
Detail: 158.140.144.217: Fetching http://www.philiptk.com/.well-known/acme-challenge/wLlftMn1EJYCHXulV4PJGPfH-ACDmEkVOsVhqBTatbM: Timeout during connect (likely firewall problem)
Domain: www.thomas-pk.com
Type: connection
Detail: 158.140.144.217: Fetching http://www.thomas-pk.com/.well-known/acme-challenge/fg3rivLj8l3sYeM_ofAHiNljV_YUFeEbfmgJXkwSTOU: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.
My web server is (include version): nginx version: nginx/1.26.2
The operating system my web server runs on is (include version): FreeBSD 14.2
My hosting provider, if applicable, is: Self-hosted
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
Certbot Client version: certbot 2.9.0
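A triage sketch for the CA problem report above, added here as an example and not part of the original post: it parses the Domain/Type/Detail records and checks whether every name failed the same way at the same address. The sample input is abridged from the output above with challenge tokens replaced by TOKEN; the function names are hypothetical, and reading a single group as a shared cause is a heuristic.

```python
import re
from collections import defaultdict

# Abridged from the certbot output above; challenge tokens replaced with TOKEN.
SAMPLE = """\
Domain: cal.philiptk.com
Type: connection
Detail: 158.140.144.217: Fetching http://cal.philiptk.com/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
Domain: thomas-pk.com
Type: connection
Detail: 158.140.144.217: Fetching http://thomas-pk.com/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
"""

# Detail lines for fetch failures look like "<address>: Fetching <url>: <reason>".
DETAIL_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+): Fetching (?P<url>\S+): (?P<reason>.+)$")


def parse_problems(text):
    """Return one dict per Domain/Type/Detail record in the CA problem report."""
    problems, cur = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(": ")
        if key == "Domain":
            cur = {"domain": value, "type": None, "ip": None, "reason": None}
            problems.append(cur)
        elif cur is not None and key == "Type":
            cur["type"] = value
        elif cur is not None and key == "Detail":
            m = DETAIL_RE.match(value)
            # Details in any other shape are kept whole as the reason.
            cur["ip"], cur["reason"] = (m["ip"], m["reason"]) if m else (None, value)
    return problems


def triage(problems):
    """Group failing names by (address, type, reason)."""
    groups = defaultdict(list)
    for p in problems:
        groups[(p["ip"], p["type"], p["reason"])].append(p["domain"])
    # Heuristic: one group covering several names points at something they share
    # (the path to port 80 on that address) rather than at one server block.
    return dict(groups), len(groups) == 1 and len(problems) > 1


if __name__ == "__main__":
    groups, shared = triage(parse_problems(SAMPLE))
    for (ip, kind, reason), names in groups.items():
        print(f"{ip} [{kind}] {reason}: {', '.join(names)}")
    print("shared cause likely" if shared else "failures differ per name")
```
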