Timeout during connect while creating new SSL certificates for new sites

Currently I am able to access my site without SSL (i.e. on port 80) from internet.

I am trying to install an SSL certificate using "sudo certbot --nginx" on my web server, and it gives me the error below:

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: [my site name] Type: connection
Detail: [public ip ]: Fetching http:[my site name]/.well-known/acme-challenge/otj7M6qkkXMDPVDL-y5385XYnvZs07Yo Rsln1Qw3214U: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
Cleaning up challenges
Some challenges have failed.

It's going to be very challenging to get help here without revealing the domain name. Basically, the message says what it means, that from Let's Encrypt's validation servers, trying to get to your site doesn't connect, which usually means a firewall is blocking it. While you may think your site is accessible on port 80 from the entire Internet, that doesn't look to actually be true, at least from where Let's Encrypt is sitting. It may be that the firewall blocking it is from your Internet provider, or even further upstream of them, but somewhere before your servers, at least from some places, the connection is blocked.


Hi @pankajjpatil, and welcome to the LE community forum

You must have a working HTTP site before it can be secured using HTTP-01 authentication.


domain name = http://devscm.chitrapurmath.net
My site is accessible from internet.
Let me check with my Datacenter person for any Firewall related issue.
Is there anything I need to check?

I have working HTTP site.

Not working from where I'm sitting:

curl -Ii http://devscm.chitrapurmath.net/
curl: (56) Recv failure: Connection reset by peer

It's working for me from my system.

$ curl -Ii [Site name]
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Wed, 21 Sep 2022 04:50:38 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 104240
Connection: keep-alive
Vary: Accept-Encoding
X-Page-Name: contact
X-From-Cache: True
Link: </assets/frappe/js/lib/jquery/jquery.min.js>; rel=preload; as=script,</assets/js/frappe-web.min.js?ver=1659548713.0>; rel=preload; as=script,</assets/js/bootstrap-4-web.min.js>; rel=preload; as=script,</website_script.js?ver=1659548713.0>; rel=preload; as=script,</assets/js/erpnext-web.min.js?ver=1659548713.0>; rel=preload; as=script,</assets/css/frappe-web-b4.css?ver=1659548713.0>; rel=preload; as=style,</assets/css/erpnext-web.css?ver=1659548713.0>; rel=preload; as=style
Set-Cookie: sid=Guest; Expires=Sat, 24-Sep-2022 10:20:37 GMT; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: system_user=no; Path=/; SameSite=Lax
Set-Cookie: full_name=Guest; Path=/; SameSite=Lax
Set-Cookie: user_id=Guest; Path=/; SameSite=Lax
Set-Cookie: user_image=; Path=/; SameSite=Lax
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: same-origin, strict-origin-when-cross-origin

From the Internet, or from itself?


From Internet as well as from Server itself.

Well, it fails from the U.S.

Is there any Geo-Location/Fencing device inline or software running that would block some IPs?


Will check with my Datacenter person & update here.
Thank you.


letsencrypt error.txt (47.2 KB)

Attached log file from /var/log/letsencrypt/letsencrypt.log

Please someone help to resolve the issue.

There's not really anything we can do to help you. Your site needs to be accessible on port 80 from everywhere on the Internet in order to get a certificate (using the usually-easiest HTTP-01 method), and it isn't.

If your DNS server is publicly accessible, you might want to look into the DNS-01 method, but that involves either having a DNS provider with an API or using something like acme-dns that acts as a DNS server to handle automating the challenge.


You are correct. The firewall was blocking the incoming request from https://acme-v02.api.letsencrypt.org/directory. After some changes by the network team, I was able to install new SSL certificates on the sites.



Thanks for the support.


Note that incoming requests for challenge validations are NOT coming from acme-v02.api.letsencrypt.org, but from all kinds of locations world wide.

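As an added example (not certbot's or Let's Encrypt's code), here is a Python pre-flight check that fetches the challenge URL the way an HTTP-01 validator does and classifies the outcome (timeout, reset, refused, 404), with a constructed local stand-in web server so it runs offline. Because the validators connect from many locations, a success from the web server itself or from a single network proves little, so the check belongs on a machine outside the datacenter; the token and thumbprint values are constructed.

```python
# Added example (not certbot or Let's Encrypt code): mimic a CA's HTTP-01 fetch and
# classify the outcome. It proves reachability only from the machine it runs on.
import http.server
import socket
import threading
import urllib.error
import urllib.request

def fetch_challenge(host, token, port=80, timeout=10):
    """GET /.well-known/acme-challenge/<token> as a validator would; returns (status, detail)."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as e:            # reachable, but the path is wrong (404 etc.)
        return "http-error", f"HTTP {e.code}"
    except (socket.timeout, urllib.error.URLError) as e:
        r = getattr(e, "reason", e)                # URLError wraps the underlying socket error
        if isinstance(r, socket.timeout):          # SYN silently dropped: the thread's error
            return "timeout", "no response: packets are dropped before they reach the server"
        if isinstance(r, ConnectionResetError):    # the curl (56) result seen from the US
            return "reset", "connection actively reset by a device on the path"
        if isinstance(r, ConnectionRefusedError):
            return "refused", "host reachable but nothing listens on the port"
        if isinstance(r, socket.gaierror):
            return "dns", f"name does not resolve: {r}"
        return "other", str(r)
    # A real key authorization is '<token>.<thumbprint>'; only the token prefix is checked here.
    return ("ok" if body.startswith(token) else "wrong-body"), body

class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the webroot: serves exactly one token, quietly."""
    token = "constructed-token"
    log_message = lambda self, *args: None

    def do_GET(self):
        if self.path != f"/.well-known/acme-challenge/{self.token}":
            return self.send_error(404)
        body = f"{self.token}.constructed-thumbprint".encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_stand_in():
    """Serve the stand-in on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Against a real site, call fetch_challenge(domain, token) with the token certbot placed; a "timeout" from outside the network while the stand-in test passes locally points at a filter in front of the server rather than at nginx.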