Timeout during connect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: servicedesk.firsttechfs.co.za

I ran this command: certbot certonly

It produced this output:

C:\Program Files (x86)\Certbot>certbot certonly
Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): servicedesk.firsttechfs.co.za
Requesting a certificate for servicedesk.firsttechfs.co.za
Performing the following challenges:
http-01 challenge for servicedesk.firsttechfs.co.za
Waiting for verification...
Challenge failed for domain servicedesk.firsttechfs.co.za
http-01 challenge for servicedesk.firsttechfs.co.za
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: servicedesk.firsttechfs.co.za
Type: connection
Detail: Fetching
http://servicedesk.firsttechfs.co.za/.well-known/acme-challenge/OViq1T10DQa7wV1wDWkk5o3YRNtyJUt9c9Fw0FGA-dc:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version):

The operating system my web server runs on is (include version): Windows Server Standard 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

2 Likes

I'm getting a time out too when connecting to your website. Are you sure it's accessible from the world wide web on IP address 165.255.249.18 and port 80?

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

When I test servicedesk.firsttechfs.co.za with Open Port Check Tool - Test Port Forwarding on Your Router, I see port 80 closed and port 443 open. Visiting https://servicedesk.firsttechfs.co.za and inspecting the certificate indicates a self-signed (snake oil) certificate for rmm.servicedesk.co.za issued by First Technology IT is being served, so the webserver IP address is probably correct.

I concur with @Osiris's question. Please check that your firewall/router allows incoming connections on port 80 and that they're being routed correctly. You should be able to visit http://servicedesk.firsttechfs.co.za from a web browser on a device external to your network.

1 Like

Perhaps the reason why "standalone" authentication was chosen:

[which makes troubleshooting a port 80 that is not in use quite difficult]

2 Likes

I'm not sure what the definition of "closed" is on that Open Port Check site, as usually "closed" is only used when the server replies with "go away!" (i.e. "connection refused") instead of silently dropping the packets (i.e. a timeout). Usually, the term "stealth" is used for such non-replying ports instead of "closed".

I'm not getting a "connection refused" error, which I would expect if the port was reachable but there wasn't any service listening on it. So there is probably more to it than just the standalone plugin not listening; more likely a firewall or a missing NAT port map or something of the like.

3 Likes
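The distinction drawn in the reply above (connection refused versus a silent timeout, and what each says about where the problem sits) can be checked from any machine outside the network. The following is an added example, not code from the thread or from Certbot: it classifies a TCP connect attempt into the same buckets the reply uses and maps each one to the next troubleshooting step. The localhost demonstration at the bottom is constructed so the script runs offline; the host and ports to probe for a real case are the ones from the thread.

```python
import socket
from typing import Tuple


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect and classify the outcome.

    Returns one of:
      "open"        - handshake completed: something is listening
      "refused"     - an RST came back ("connection refused"): the host is
                      reachable but nothing listens on that port
      "filtered"    - no reply before the timeout: packets are dropped by a
                      firewall or never arrive (Certbot's "Timeout during
                      connect (likely firewall problem)")
      "unreachable" - ICMP network/host unreachable: no route, or a NAT
                      mapping that points nowhere
      "dns-failure" - the name did not resolve at all
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _, sockaddr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        return "open"
    except socket.timeout:          # alias of TimeoutError on 3.10+
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:                 # ENETUNREACH, EHOSTUNREACH, ...
        return "unreachable"
    finally:
        sock.close()


VERDICTS = {
    "open": "reachable and listening; if the challenge still fails, look at the HTTP response (404, redirect), not the network",
    "refused": "reachable but nothing listening; start the standalone server (or fix the internal forward) and retry",
    "filtered": "no reply at all; check the router/firewall rule and the NAT port map before touching certbot",
    "unreachable": "no route; the public IP or the forward target is wrong",
    "dns-failure": "fix the A/AAAA record first",
}


def diagnose_http01(host: str, timeout: float = 3.0) -> dict:
    """Probe port 80 (where http-01 starts) and 443 (a permitted redirect target)."""
    return {port: (state, VERDICTS[state])
            for port in (80, 443)
            for state in (probe_tcp(host, port, timeout),)}


def demo_localhost() -> Tuple[str, str]:
    """Constructed offline demonstration: bind an ephemeral listener and probe it
    (expect "open"), then close it and probe again (expect "refused")."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo_localhost())  # ('open', 'refused')
    # For the case in the thread, from a host outside the network:
    # print(diagnose_http01("servicedesk.firsttechfs.co.za"))
```

A "filtered" result on port 80 with "open" on 443, as the port-check tool reported, points at the router or firewall rather than at Certbot; a "refused" result means the packets arrive and the only missing piece is a listener, which is what `--standalone` provides while the challenge is running.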

Methinks running certbot with --debug-challenges may be necessary so that certbot pauses with the standalone server active to help debug port 80.

2 Likes

Hi All

thanks for the responses.

I have an ANY ANY allow rule configured at the moment for testing; still the same issue.

All ports are allowed for incoming and outgoing traffic.

My webserver is configured to work on port 8081 for HTTP and 8443 for HTTPS. All traffic is redirected to 8443 anyway.

I then have a TCP port forward rule for both ports 8081 and 8443 forwarding traffic to the internal IP of the web server. Should I change this?

3 Likes

I'm getting the following error now after opening port 80.

C:\Program Files (x86)\Certbot>certbot certonly
Saving debug log to C:\Certbot\log\letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): servicedesk.firsttechfs.co.za
Requesting a certificate for servicedesk.firsttechfs.co.za
Performing the following challenges:
http-01 challenge for servicedesk.firsttechfs.co.za
Waiting for verification...
Challenge failed for domain servicedesk.firsttechfs.co.za
http-01 challenge for servicedesk.firsttechfs.co.za
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

Domain: servicedesk.firsttechfs.co.za
Type: unauthorized
Detail: Invalid response from
http://servicedesk.firsttechfs.co.za/.well-known/acme-challenge/FrU9CRCqLkGpNXUcTiA_hRjL4FyTauV-WkO7bdpWut8
[165.255.249.18]: 404

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

2 Likes

Yes, I opened port 80 now and it redirects to port 8443 when I connect on port 80.

2 Likes

Let me try to clarify.

  • Port 80 is supposed to be an HTTP port (without TLS/SSL).
  • Port 443 is supposed to be an HTTPS port (with TLS/SSL).
  • When someone visits http://servicedesk.firsttechfs.co.za/whatever, they are making an HTTP request over port 80.
  • When someone visits https://servicedesk.firsttechfs.co.za/whatever, they are making an HTTPS request over port 443.
  • When someone visits https://servicedesk.firsttechfs.co.za:80/whatever, they are incorrectly making an HTTPS request over port 80, which should result in an error since port 80 is supposed to speak HTTP.
  • When someone visits http://servicedesk.firsttechfs.co.za:443/whatever, they are incorrectly making an HTTP request over port 443, which should result in an error since port 443 is supposed to speak HTTPS.
  • Redirecting HTTP ports (like 80) to HTTPS ports (like 8443) will not work since your visitors will be speaking HTTP and your webserver will be speaking HTTPS.
  • Redirecting HTTPS ports (like 443) to HTTP ports (like 8081) will not work since your visitors will be speaking HTTPS and your webserver will be speaking HTTP.

Now, the questions remain:

  • To what internal port (of your webserver) is your external port 80 (of your router) connected? Any external redirects your webserver makes are not relevant to the answer.
  • To what internal port (of your webserver) is your external port 443 (of your router) connected? Any external redirects your webserver makes are not relevant to the answer.

Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

3 Likes
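The redirect rules quoted above (http: or https: only, ports 80 or 443 only, no IP literals, at most 10 hops) are mechanical enough to check before running certbot again. The following is an added example, not code from the thread, from Certbot or from Let's Encrypt: given the challenge URL and the chain of Location targets a server would send, it reports whether the validator would follow them and, if not, which rule is broken. The three scenarios are constructed from the thread's own situation (the server redirecting to :8443, a redirect to plain https, and a redirect to the bare public IP); the token in the path is a placeholder.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

MAX_REDIRECTS = 10   # limit stated in the quoted Let's Encrypt text


def redirect_problem(target: str) -> Optional[str]:
    """Why the http-01 validator would not follow a Location target, or None
    if the target satisfies the quoted rules."""
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r}: only http: and https: are followed"
    host = parts.hostname
    if not host:
        return "no host in redirect target"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                       # a hostname: fine
    else:
        return f"redirect to IP literal {host}: not followed"
    try:
        port = parts.port
    except ValueError:
        return "unparseable port"
    if port is None:
        port = 80 if parts.scheme == "http" else 443   # scheme default
    if port not in (80, 443):
        return f"port {port}: only 80 and 443 are accepted"
    return None


def check_chain(urls: List[str]) -> Tuple[bool, str]:
    """urls[0] is the challenge URL fetched first; urls[1:] are the successive
    Location targets. Returns (validator_would_follow, reason)."""
    hops = len(urls) - 1
    if hops > MAX_REDIRECTS:
        return False, f"{hops} redirects exceeds the limit of {MAX_REDIRECTS}"
    for hop in urls[1:]:
        why = redirect_problem(hop)
        if why is not None:
            return False, f"{hop}: {why}"
    # Certificates seen along an https: hop are deliberately not validated,
    # so a self-signed certificate on the target does not by itself fail this.
    return True, "ok: every redirect target is acceptable"


TOKEN_PATH = "/.well-known/acme-challenge/TOKEN"   # placeholder, not a real token

# Constructed scenarios modelled on the thread
OPS_REDIRECT = [
    "http://servicedesk.firsttechfs.co.za" + TOKEN_PATH,
    "https://servicedesk.firsttechfs.co.za:8443" + TOKEN_PATH,   # what the server did
]
ACCEPTABLE = [
    "http://servicedesk.firsttechfs.co.za" + TOKEN_PATH,
    "https://servicedesk.firsttechfs.co.za" + TOKEN_PATH,        # implicit :443
]
IP_REDIRECT = [
    "http://servicedesk.firsttechfs.co.za" + TOKEN_PATH,
    "http://165.255.249.18" + TOKEN_PATH,
]

if __name__ == "__main__":
    for name, chain in (("redirect to :8443", OPS_REDIRECT),
                        ("redirect to https", ACCEPTABLE),
                        ("redirect to IP", IP_REDIRECT)):
        print(name, check_chain(chain))
```

The first scenario is the one in this thread: the redirect itself is not the problem, the port is. Either the redirect target must use port 443 (or be removed for the challenge path), or the external port 80 must land on whatever Certbot's standalone server is listening on.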

To answer your question:

  • To what internal port (of your webserver) is your external port 80 (of your router) connected? Any external redirects your webserver makes are not relevant to the answer. - Public port 80 forwards to local port 8081 and IP 172.16.30.110 internally (which is where I want the SSL cert to be installed).

  • To what internal port (of your webserver) is your external port 443 (of your router) connected? Any external redirects your webserver makes are not relevant to the answer. - Public port 443 forwards to local port 443 (this is used on another external-facing server with a different IP from the above).

I disabled HTTP to HTTPS redirect requests on the server.

2 Likes

I see two options to fulfill an http-01 challenge:

  1. Forward public port 80 to local port 80 of 172.16.30.110, then use:

certbot certonly --standalone -d "servicedesk.firsttechfs.co.za"

  2. Determine your webroot directory (which is the directory under which your website content is located), then use:

certbot certonly --webroot -w C:\path\to\your\webroot\directory -d "servicedesk.firsttechfs.co.za" --http-01-port 8081

2 Likes

Thanks, I managed to generate the PEM files. I had to do a port forward to port 80 and not 8081.

It seems it only works on 80.

Sorry, I'm new to this.

How do I go about creating the SSL cert to import on my website? I am sitting with the PEM files.

3 Likes

The files/symlinks in the live directory point to the most current files in the archive directory. All of the files are in PEM format.

  • privkey.pem contains the private key for your certificate
  • cert.pem contains your certificate
  • chain.pem contains the CA intermediate certificates
  • fullchain.pem is the concatenation of cert.pem and chain.pem
2 Likes

In what webserver software (e.g. IIS, Apache, nginx) are you trying to install your certificate?

2 Likes

I managed to get it done using OpenSSL.

Generated the .pfx file and imported it to my helpdesk server.

C:\Program Files\OpenSSL-Win64\bin>openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

Thanks very much for your assistance!

3 Likes

You are quite welcome! :blush:

To automate things, you could run your certbot command again adding ( --deploy-hook script_file ) where script_file contains your openssl pfx conversion command and any other commands for deploying your certificate including reloading your webserver. This way, the autorenewal task can take care of all of the details for you so that you won't need to remember to do so when certbot starts trying to renew your certificate in 60 days.

3 Likes
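The last two replies describe, between them, the layout of Certbot's live directory, the openssl pkcs12 export that turns it into a PFX, and the suggestion to run that export from a --deploy-hook so renewal re-creates the PFX automatically. The script below is an added example of such a hook, not code from the thread or from Certbot. It relies on two facts that hold for Certbot deploy hooks: the hook runs only after a successful renewal, and Certbot exports RENEWED_LINEAGE (the live directory of the certificate just renewed) and RENEWED_DOMAINS into its environment. Everything else is assumed: the OpenSSL path (the one the thread used), the output name certificate.pfx, the PFX_PASSWORD environment variable, and the invocation `--deploy-hook "python C:\Certbot\deploy_pfx.py"`. One change from the thread's command is deliberate: that command prompts for an export password, which would hang inside a hook, so the password is supplied through `-passout env:...` instead of `pass:` on the command line, where it would appear in process listings and logs.

```python
r"""deploy_pfx.py: Certbot --deploy-hook that rebuilds a PFX after each renewal.

Assumed invocation (registered once; certbot stores it in the renewal config):
    certbot certonly --standalone -d servicedesk.firsttechfs.co.za \
        --deploy-hook "python C:\Certbot\deploy_pfx.py"
Certbot sets RENEWED_LINEAGE (e.g. C:\Certbot\live\servicedesk.firsttechfs.co.za)
and RENEWED_DOMAINS for the hook. PFX_PASSWORD must be set in the environment
of the scheduled renewal task (assumption; any non-empty value works).
"""
import os
import subprocess
import sys
from pathlib import Path
from typing import List, Union

# Assumed OpenSSL location (the one used in the thread); override with OPENSSL_BIN.
DEFAULT_OPENSSL = r"C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
# The three PEM files the export consumes; fullchain.pem is cert.pem + chain.pem
# concatenated, so it is not needed separately.
REQUIRED = ("privkey.pem", "cert.pem", "chain.pem")

PathLike = Union[str, "os.PathLike[str]"]


def missing_inputs(lineage: PathLike) -> List[str]:
    """Names of the required PEM files that are absent from the lineage directory."""
    lineage = Path(lineage)
    return [name for name in REQUIRED if not (lineage / name).is_file()]


def build_pkcs12_cmd(lineage: PathLike, out_pfx: PathLike,
                     openssl: str = DEFAULT_OPENSSL) -> List[str]:
    """The thread's `openssl pkcs12 -export` as an argv list, non-interactive.

    -inkey privkey.pem   private key
    -in cert.pem         leaf certificate
    -certfile chain.pem  intermediates, so the PFX carries the whole chain
    -passout env:...     export password read from the environment instead of
                         an interactive prompt (hangs a hook) or pass:... on the
                         command line (visible in process listings and logs)
    """
    lineage = Path(lineage)
    return [
        openssl, "pkcs12", "-export",
        "-inkey", str(lineage / "privkey.pem"),
        "-in", str(lineage / "cert.pem"),
        "-certfile", str(lineage / "chain.pem"),
        "-passout", "env:PFX_PASSWORD",
        "-out", str(Path(out_pfx)),
    ]


def main() -> int:
    lineage_env = os.environ.get("RENEWED_LINEAGE")
    if not lineage_env:
        print("RENEWED_LINEAGE is not set; run this as a certbot --deploy-hook", file=sys.stderr)
        return 2
    if not os.environ.get("PFX_PASSWORD"):
        print("PFX_PASSWORD is not set; refusing to write an unprotected PFX", file=sys.stderr)
        return 2
    lineage = Path(lineage_env)
    missing = missing_inputs(lineage)
    if missing:
        print(f"{lineage} is missing {', '.join(missing)}", file=sys.stderr)
        return 2
    out_pfx = lineage / "certificate.pfx"          # assumed output name
    cmd = build_pkcs12_cmd(lineage, out_pfx, os.environ.get("OPENSSL_BIN", DEFAULT_OPENSSL))
    subprocess.run(cmd, check=True)                # non-zero exit fails the hook visibly
    # Importing the PFX into the helpdesk application and reloading it is
    # product-specific and not described in the thread; it belongs here.
    print(f"wrote {out_pfx} for {os.environ.get('RENEWED_DOMAINS', '')}")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the hook exits non-zero when any input or the password is missing, a broken renewal shows up in `certbot renew` output and the log rather than silently leaving the old PFX in place. The private key is written into the PFX in the same directory as privkey.pem, so the file inherits that directory's restrictive permissions; if the application needs it elsewhere, copy it rather than loosening those permissions.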

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.