Timeout during connect


I got http://my.domain.com and https://my.domain.com pointing to a dummy index.html. Which is accessible via the internets. So both port 80/443 should be properly forwarded.

Trying to run:
sudo certbot certonly -w /var/www/html -d my.domain.com
And then I select
2: Place files in webroot directory (webroot)
(unrelated, how do I get this prompt to go away and automatically default it to option 2 from the first command I use?)

It times out with:
Failed authorization procedure. my.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my.domain.com/.well-known/acme-challenge/E20mgpj25X_UR4ck_agCTzuUqFvEWRPPME_NeESnV0E: Timeout during connect (likely firewall problem)

I thought at first for some reason apache wouldn’t serve contents within .well-known, so I tried to manually add a file b with contents ‘Hi’ and perform a
curl -O “http://my.domain.com/.well-known/acme-challenge/b
cat b gives me ‘Hi’
(from another machine, on the same network though)

Tried also to create that example same file just to see if i apache would serve it
curl -O “http://my.domain.com/.well-known/acme-challenge/E20mgpj25X_UR4ck_agCTzuUqFvEWRPPME_NeESnV0E
This ended up working as well.

Any suggestions on what I can try to see what’s not working well?

It would be easier to help if you provided your domain name. If you really don't want to do that, maybe try checking it yourself with https://letsdebug.net/ and see if that comes up with anything useful.

Add the --webroot option to your certbot command.

You could also try from a system outside your "same network".

It seems the simplest answer is the correct one in this case. Port 80 is blocked by the ISP :frowning:. So I guess that means http-01 is out of the question. I probably should of tried this simple test first before asking…

I can’t add a txt record, so there goes dns-01.

And if I understood correctly, tls-sni-01 is disabled which explains the following when i add ‘–preferred-challenges tls-sni’
“certbot.errors.AuthorizationError: None of the preferred challenges are supported by the selected plugin”

Oh well :cry:

The ISP blocks port 80 and allow 443?
Well that's a first! An ISP that forces HTTPS...
While (for security reasons) this CA is now forced to only issue certs via port 80 (not 443).
Catch 22 at it's finest.

Are you using dynamic DNS? If so would you be willing to switch to a different dynamic DNS service? (Of course that would mean using a different domain name). There are a few such as dynu and duckdns that are supported by acme.sh for example.

Btw, this is for a server that I have at home and I wanted to switch the self signed cert to a real one.

It’s a residential service, they explicitly and historically block port 80 to not allow people hosting their own stuff.

I was using *.mynetgear.com since it was configurable at the router level. I will try dynu with their little client on the server and see how it goes.
I’m not attached to the domain name, so no loss there :slight_smile:
Thanks for this suggestion!

I think we’ve seen quite a few people with this problem here (they generally then had to switch to DNS-01 validation). I’m not sure if anyone’s drawn up a list of affected ISPs.

In that case this recent tutorial may also help.

1 Like

Thanks for the help and suggestions, finally I got things working with dns-01.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.