Timeout During Connect

CloudBagel · November 18, 2020, 3:19am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: naspibagel.page

I ran this command: sudo certbot --apache
Then of course I chose my domain

It produced this output:
Domain: naspibagel.page
Type: connection
Detail: Fetching
http://naspibagel.page/.well-known/acme-challenge/6fUwpMM9Wsi8MWGCQZVokdDj088GiMDm_NmZ_WKXZO0:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version): Apache2.4.38

The operating system my web server runs on is (include version): Raspbian

My hosting provider, if applicable, is: Google Domains

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I think I'm getting a timeout error because of port 80. I can't seem to get it to forward correctly. I have verified with my ISP and my router manufacturer that they are not blocking port 80. I have configured port forwarding on 80 through my router as they suggested. I am having no problems forwarding port 443 and it is configured the same way 80 is. I've also allowed 80 and 443 on ufw and have a static ip.

sudo ufw status
Status: active

To Action From

22 ALLOW 192.168.0.28
80 ALLOW Anywhere
443 ALLOW Anywhere
80 (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)

_az · November 18, 2020, 6:21am

Nonetheless, there are multiple confirmations from different sources that Suddenlink does block port 80 on residential connections: "suddenlink" "port 80" at DuckDuckGo.

It does seem like the most likely cause.

CloudBagel · November 20, 2020, 4:10am

Well it seems as though I can't get an open port 80 without giving Suddenlink money so it must be bypassed.

I've decided to try a DNS-01 challenge but even attempting that gives me errors saying I need to check that a DNS record exists for my domain. I have an A record so I'm not sure what the issue is.

I issue this command,

sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d *.naspibagel.page -d naspibagel.page

and get this response

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for naspibagel.page
dns-01 challenge for naspibagel.page

NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(Y)es/(N)o: y
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.naspibagel.page CNAME 9164f06f-48f3-4c51-98eb-156484df9bd1.auth.acme-dns.io.

Waiting for verification...

Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.

Press Enter to Continue
Cleaning up challenges
Failed authorization procedure. naspibagel.page (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.naspibagel.page - check that a DNS record exists for this domain, naspibagel.page (dns-01): urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.naspibagel.page - check that a DNS record exists for this domain

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: naspibagel.page
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.naspibagel.page - check that a DNS record exists
for this domain

Domain: naspibagel.page
Type: None
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.naspibagel.page - check that a DNS record exists
for this domain

_az · November 20, 2020, 4:20am

Did you create this CNAME record in your Google DNS interface?

Try the process again, and create the record that is shown, before continuing further.

CloudBagel · November 29, 2020, 3:35am

_az, thank you for your suggestion. I was able to successfully get my cert. For those with my same issue, and if you happen to be using Google Domains, it took me a couple tries but this is exactly what I did.

I went to the DNS settings page on Google Domains and down at the bottom and put that CNAME record into it that certbot explicitly said. Don't put the entire domain that it says. It says "_acme-challenge.naspibagel.page" but just put "_acme-challenge" in the "@" spot. I can't remember if I had the period after "challenge" or not. Then I scrolled down to CNAME on the "type" spot. I left the "1h" on "1h" and I put that long "9164 blah blah blah acme-dns.io" in the last spot.

HOWEVER, since obtaining my cert, I'm no longer able to access my domain from outside my own network. I get a timeout every time.

_az · November 29, 2020, 4:20am

Are you sure it's since getting your certificate? I wasn't able to access your domain in my original response (before you had a certificate).

It seems like you have port 443 misconfigured at the moment, it's responding with HTTP, but it should be HTTPS.

This could be for one of two reasons:

You have port forwarded 443 externally to port 80 internally, or
You have misconfigured Apache

(1) needs to be identified and fixed in your modem/router's port forwarding.

for (2), you need to make sure that your port 443 Apache virtualhost is configured appropriately, e.g.:

<VirtualHost *:443>
ServerName naspibagel.page

SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/naspibagel.page/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/naspibagel.page/privkey.pem

# ... and the rest
</VirtualHost>

CloudBagel · November 29, 2020, 4:35am

I had a feeling it was an Apache issue, I've been rooting around there looking for clues but I have no earthly idea whats going on in there. I copied your suggested configuration and restarted Apache, and I get the same issue. This is my apache conf

VirtualHost *:443>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#

    ServerAdmin 50@hotmail.com
    ServerName naspibagel.page

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/naspibagel.page/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/naspibagel.page/privkey.pem
    DocumentRoot /var/www/



    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

/VirtualHost>

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

My port forwarding is 443 all the way through externally to internally. Im pretty sure that is configured correctly. Thank you for taking the time to help me with this.

_az · November 29, 2020, 4:47am

Well, https://naspibagel.page works for me now, where it wasn't working before.

So you did fix that problem.

Regarding being unable to access the non-HTTPS version (http://naspibagel.page), that would be explained by your ISP blocking port 80. That's not something you can fix without getting the port unblocked.

Rip · November 29, 2020, 4:54am

I'm getting 403 from Yachats Oregon...
Screenshot_2020-11-28_20-52-09
2020-11-28T08:00:00Z
No timeout.

_az · November 29, 2020, 5:00am

Yes, for me in a browser as well. That may come down to the fact that the domain is on the HSTS preload list, so the browser connects directly to port 443.

I've been testing with curl which does exhibit the timeout.

@CloudBagel are you still getting timeouts for HTTPS in the browser?

CloudBagel · November 29, 2020, 5:03am

I'm getting the same result as Rip. It's the same no matter which device or network I use.

Rip · November 29, 2020, 5:04am

OK I'll check and report back

Rip · November 29, 2020, 5:08am

HTTP/1.1 403 Forbidden
Date: Sun, 29 Nov 2020 05:06:46 GMT
Server: Apache/2.4.38 (Raspbian)
Content-Type: text/html; charset=iso-8859-1```

_az · November 29, 2020, 5:09am

Oh, then everything is working. That's not timing out.

You can check in /var/log/apache2/error.log if you want to see why Apache is producing that 403 error. Are your website files in /var/www/?

But your certificate and HTTPS are working fine.

Is that curl -i http://naspibagel.page ? Or HTTPS?

Rip · November 29, 2020, 5:16am

HTTP/1.1 403 Forbidden
Date: Sun, 29 Nov 2020 05:15:40 GMT
Server: Apache/2.4.38 (Raspbian)
Content-Length: 283
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.38 (Raspbian) Server at naspibagel.page Port 443</address>
</body></html>

```curl -i https://naspibagel.page```

Rip · November 29, 2020, 5:48am

80/tcp filtered http
443/tcp open https

CloudBagel · November 29, 2020, 12:22pm

The error log states that search permissions are missing on a component of the path. It says it about 30 times so I'm going to assume that is the issue. I believe my files are /var/www and I thought I had given myself permissions for it as well.

system · December 29, 2020, 12:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timeout during connect (likely firewall problem) Help	6	354	May 2, 2024
Timeout during connect (likely firewall problem) Help	28	1043	April 23, 2023
Timeout during connect (likely firewall problem) Help	45	15171	October 12, 2021
Timeout during connect Help	12	319	March 22, 2024
Timeout during connect (likely firewall problem) Help	7	375	March 13, 2024

Timeout During Connect

vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Related topics