Timeout during connect


#1

Hello

I have http://my.domain.com and https://my.domain.com pointing to a dummy index.html, which is accessible via the internet. So both ports 80/443 should be properly forwarded.

Trying to run:
sudo certbot certonly -w /var/www/html -d my.domain.com
And then I select
2: Place files in webroot directory (webroot)
(unrelated, how do I get this prompt to go away and automatically default it to option 2 from the first command I use?)

It times out with:
Failed authorization procedure. my.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.com/.well-known/acme-challenge/E20mgpj25X_UR4ck_agCTzuUqFvEWRPPME_NeESnV0E: Timeout during connect (likely firewall problem)

I thought at first for some reason apache wouldn’t serve contents within .well-known, so I tried to manually add a file b with contents ‘Hi’ and perform a
curl -O "http://my.domain.com/.well-known/acme-challenge/b"
cat b gives me ‘Hi’
(from another machine, on the same network though)

I also tried to create that same example file just to see if Apache would serve it:
curl -O "http://my.domain.com/.well-known/acme-challenge/E20mgpj25X_UR4ck_agCTzuUqFvEWRPPME_NeESnV0E"
This ended up working as well.

Any suggestions on what I can try to see what’s not working well?


#2

It would be easier to help if you provided your domain name. If you really don’t want to do that, maybe try checking it yourself with https://letsdebug.net/ and see if that comes up with anything useful.

Add the --webroot option to your certbot command.


#3

You could also try from a system outside your “same network”.

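The checks described in the posts above (the manual token file test in #1, the --webroot option in #2, testing from outside the network in #3), folded into one pre-flight script. This is an added example, not code from the original thread; the webroot path, hostname and token name are placeholders, and the outcome labels are this script's own.

```shell
#!/bin/sh
# Added example, not from the original thread: a pre-flight check for an
# http-01 webroot challenge. Webroot, hostname and token below are assumptions.

WEBROOT="${WEBROOT:-/var/www/html}"
HOST="${HOST:-my.domain.com}"
TOKEN="${TOKEN:-preflight-test-token}"

# Write a dummy token file where certbot's webroot plugin would put the real one
# and print its path. This mirrors the manual "file b with contents Hi" test.
place_test_token() {
    webroot="$1"; token="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'Hi' > "$dir/$token"
    printf '%s/%s\n' "$dir" "$token"
}

# Map a curl exit code, HTTP status and body onto the outcomes that matter for
# http-01. curl exit 7 is "failed to connect" (e.g. connection refused: the port
# reaches a host but nothing listens); exit 28 is a timeout (no answer at all,
# typically a firewall or ISP filter: the "Timeout during connect" case here).
classify_result() {
    rc="$1"; code="$2"; body="$3"
    case "$rc" in
        0)
            if [ "$code" = "200" ] && [ "$body" = "Hi" ]; then
                echo ok
            elif [ "$code" = "200" ]; then
                echo wrong-content
            else
                echo "http-$code"
            fi ;;
        6)  echo dns-failure ;;
        7)  echo refused ;;
        28) echo timeout ;;
        *)  echo "curl-error-$rc" ;;
    esac
}

# Fetch the token over plain HTTP on port 80, which is where the CA's initial
# http-01 request always goes. Redirects are reported (http-30x) rather than
# followed so that the port-80 path itself is what gets exercised.
check_token() {
    host="$1"; token="$2"
    url="http://$host/.well-known/acme-challenge/$token"
    out=$(mktemp)
    rc=0
    code=$(curl -s --connect-timeout 10 --max-time 20 -o "$out" -w '%{http_code}' "$url") || rc=$?
    body=$(cat "$out"); rm -f "$out"
    classify_result "$rc" "$code" "$body"
}

# Usage: run "place" on the web server, then run "check" from a host OUTSIDE
# your network (a phone on mobile data, a VPS). A LAN-side test can succeed via
# hairpin NAT or split-horizon DNS while port 80 is blocked from the Internet.
if [ "${1:-}" = "place" ]; then
    place_test_token "$WEBROOT" "$TOKEN"
elif [ "${1:-}" = "check" ]; then
    check_token "$HOST" "$TOKEN"
fi
```

A result of `timeout` from an outside vantage point, with `ok` from inside the LAN, is the signature of a blocked or unforwarded port 80; `refused` means the port is reachable but nothing is listening; an `http-404` means the forward is fine and Apache is not serving the path. Once the check passes, selecting the authenticator on the command line (`sudo certbot certonly --webroot -w /var/www/html -d my.domain.com`) removes the interactive "Place files in webroot directory" prompt.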

#4

It seems the simplest answer is the correct one in this case. Port 80 is blocked by the ISP :frowning:. So I guess that means http-01 is out of the question. I probably should have tried this simple test first before asking…

I can’t add a txt record, so there goes dns-01.

And if I understood correctly, tls-sni-01 is disabled, which explains the following when I add `--preferred-challenges tls-sni`:
“certbot.errors.AuthorizationError: None of the preferred challenges are supported by the selected plugin”

Oh well :cry:


#5

The ISP blocks port 80 and allows 443?
Well, that's a first! An ISP that forces HTTPS…
While (for security reasons) this CA is now forced to only issue certs via port 80 (not 443).
Catch-22 at its finest.


#6

Are you using dynamic DNS? If so would you be willing to switch to a different dynamic DNS service? (Of course that would mean using a different domain name). There are a few such as dynu and duckdns that are supported by acme.sh for example.


#7

Btw, this is for a server that I have at home and I wanted to switch the self signed cert to a real one.

@rg305
It’s a residential service, they explicitly and historically block port 80 to not allow people hosting their own stuff.

@jmorahan
I was using *.mynetgear.com since it was configurable at the router level. I will try dynu with their little client on the server and see how it goes.
I’m not attached to the domain name, so no loss there :slight_smile:
Thanks for this suggestion!


#8

I think we’ve seen quite a few people with this problem here (they generally then had to switch to DNS-01 validation). I’m not sure if anyone’s drawn up a list of affected ISPs.


#9

In that case this recent tutorial may also help.


#10

Thanks for the help and suggestions, finally I got things working with dns-01.

