Timeout During Connect

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:sharedvisionforamerica.org and www.sharedvisionforamerica.org

I ran this command:certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?

1: sharedvisionforamerica.org
2: www.sharedvisionforamerica.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ā€˜cā€™ to cancel): 1,2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sharedvisionforamerica.org
http-01 challenge for www.sharedvisionforamerica.org
Waiting for verificationā€¦
Cleaning up challenges
Failed authorization procedure. www.sharedvisionforamerica.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.sharedvisionforamerica.org/.well-known/acme-challenge/LEu-jsfqNEolTdXQe5IPc_i08bbPz0IHbqtByp1UnbY: Timeout during connect (likely firewall problem), sharedvisionforamerica.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://sharedvisionforamerica.org/.well-known/acme-challenge/Nn9OeMal9zeJHFh0cWjwc2x4qPUxdD8ZsGjv-wxBI6g: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

My web server is (include version):apache Ver 2.4.6

The operating system my web server runs on is (include version):Centos & ver 7.5.1804

My hosting provider, if applicable, is:No hosting Provider In-house server

I can login to a root shell on my machine (yes or no, or I donā€™t know):Yes

Iā€™m using a control panel to manage my site (no, or provide the name and version of the control panel):No

We lease a block of publicly routeable IP addresses from Comcast Business Internet Services. One of those addresses is loaded on the External Interface card on this server. I have placed a test index.php file on the server for testing. I am able to get to that web page using either of the domain names above. It displays correctly. I have checked the firewall on the server and both ports 80 and 443 are open for tcp and udp. I am able to ping both domain names and both return the correct IP address and complete the ping request.
I have used dig to check my DNS with the following output from My primary DNS servers:

dig @ns65.domaincontrol.com sharedvisionforamerica.org +short
96.93.196.241
dig @ns66.domaincontrol.com sharedvisionforamerica.org +short
96.93.196.241

I ran the ā€œletsdebugā€ program. It didnā€™t give me anymore information than was contained in the error portion of the certbot --apache authorization attempt.

I am really new at the Linux, Apache, etc world and have only been doing it for a couple of weeks so be gentle! I have honestly tried everything I know to do. Thanks for your help in advance.

Harry

2

Hi @harryalder,

Sorry to hear about the trouble you're facing issuing a certificate.

Hmm! Presently I'm not able to connect to either of your domains (with or with www). The connections hang and timeout which would be what I'd expect given the error message you received about a potential firewall problem from Let's Debug and the Let's Encrypt validation authority.

Have you tried accessing the server from a completely external vantage point? Maybe using something like a random Digital Ocean droplet?

Is it possible that Comcast is applying some sort of filtering or firewall policy?

Not a problem! :slight_smile: I'm confident the community will be able to help you find your way to the solution.

3

Hi, Thanks for your quick reply. I have a few answers.

  1. I just tried by going into a clientā€™s network via PPTP VPN and connected to one of his workstations using Remote Desktop. I was NOT able to connect to either domain from there.
  2. I did some research on that and it appears that the Business side of CC doesnā€™t block any common ports. We have another server that we use for downloading. Its IP is in the same block of addresses as the new server. I havenā€™t tried it from the outside in a while. That server is http://anti-viruspros.com/sophos10. Please try that one. You should be taken to a login screen since it contains non-public information.

Thanks for your help.

1 Like
4

Hi @harryalder,

Ok! We're on the same page now and you're able to reproduce the problem. That's definitely progress :tada:

I'm able to connect to this domain.

Are you using iptables for this firewall or something else?

5

Thanks CPU,

I am really not sure what Iā€™m using for the firewall. It is the one that is installed by default in Centos 7. How can I tell what is in use?

6

You could try dumping the loaded iptables policy with sudo iptables -L (or just iptables -L as run by root).

7

OK, Hereā€™s what I get:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192_168_122_0.local/24  ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192_168_122_0.local/24  anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (3 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (3 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (3 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             udp dpt:https ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
[harry@webserver ~]$
8

I admit that a few years of using ufw for my firewalls has let my iptables skills atrophy but it looks to me like this is a FORWARD policy that would reject traffic other than from the local /24.

Are you the only administrator of this machine? Do you know what might be adding that firewall rule? One (perhaps extreme) way to conclusively rule out iptables is by flushing all of the rules with iptables -F and then trying to access the website externally

9

Hi CPU
Sorry I had to leave for a few minutes.

I backed up the iptables and then flushed the rules. Here is what I get now when I list the tables:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192_168_122_0.local/24  ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192_168_122_0.local/24  anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (2 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (2 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (2 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination

I tried accessing the sites again from the VPN and couldnā€™t get in. Maybe you should try. After I ran the Flush command I restarted the firewalld service. Was that appropriate? The tables donā€™t look very different to me, but then again I donā€™t really know what I am looking at.

I noticed what looks like an IP address in both the before and the after tables list. It actually was 192_168_122_0/24. We do not have any addressing like and have never used that particular set of addresses.

10

Another point of interest is that we have two NIC cards in this server. One is local with a 192.168ā€¦address and the External NIC which has the address of the site. I opened port 80 and 443 on the external side. I can get to the site internally but now I canā€™t reach it with the FQDN or the external IP address.

11

Hi again @harryalder,

I tried to access the sites today and experienced the same timeout.s

Unfortunately I'm not a CentOS user and don't know what firewalld is. If its like ufw it may be managing iptables rules for you. I would recommend you try to find out if you have some firewall rules being managed by that daemon that might explain the timeouts.

Another thought: You mentioned a separate server earlier http://anti-viruspros.com/sophos10 - Are you using some kind of Sophos security application or Web-Application Firewall in your network that might be blocking access?

Overall we might be reaching the limits of my own abilities to help you debug what component on your side is blocking access to the websites and the Let's Encrypt validation requeests :frowning: Perhaps someone with a stronger CentOS system administration background would have better suggestions.

12

Hi Daniel,

Well, thatā€™s more than a little disappointing, but I certainly do understand. Firewalld is the service used in Centos to act as a GUI for iptables or at least thatā€™s what I think it is. Like I said, Iā€™ve only been doing this Linux thing for about 10 to 14 days. I do like it though. Itā€™s more like my old DOS days with the command line, scripts, etc. Iā€™m not very happy with that firewalld interface anyway so I may disable it and try UFW and see what thatā€™s about. What have I got to loose. All I can do is blow up the server and I know how to install another one now. I think the problem really is a networking issue. That is, I canā€™t ping my external NIC from outside my office. I think that once I solve that problem the encrypt thing will work.

By the way, the server we are working on is only behind its own firewall. It is connected directly to the Internet with its own routable IP address. Nothing is between it and the open blue skies of the Internet except a cable and a modem. The other one that you tried is a Windows IIS server hosting the website. It does sit behind a ClearOS Linux firewall with a number of ports, including 80, being forwarded to that Windows server. Windows has been my thing for as long as Windows has been around and before that it was DOS since the day it was born. Yes, I am older than dirt.

If I get this fixed, I will let you know what I did to fix it. That might help some other poor soul with the same issue. Also, if you have any flashes of brilliance, please let me know. You have my private email address.

Have a really great day, my friend.

Thanks sincerely for your help and good luck to you.

Harry

Golden, CO USA

13

That does sound like promising avenue of investigation :+1:

Best of luck! I apologize that I wasn't able to find you to a complete solution. I look forward to hearing about the root cause :slight_smile:

You as well!

14

Hi @harryalder ,

For CentOS7 running a default setup of firewalld, this is how you can open http and https in a way that will persist through reboots. This example shows the command run with output.

First show the current allowed services.

$firewall-cmd --list-services
ssh mdns dhcpv6-client

Next add your services/ports. http and https are predefined in firewalld so we can just use the names.

$firewall-cmd --permanent --add-service=http --add-service=https
success

Now to reload the firewalld to enable the changes.

$firewall-cmd --reload
success

Now you can verify by checking with the same --list-services command and see that http https have been added.

$firewall-cmd --list-services
ssh mdns dhcpv6-client http https

That should at least get you to the point of feeling confident that the hostā€™s firewall is allowing external connection to those ports. Firewalld can certainly get more complicated, but if it is the default installed by CentOS then that should do what you need.

Hopefully that helps. Best of luck in your Linux adventure!

2 Likes
15

Hi Andy,

Thank you so much for your reply to my problem. I ran the suggested command which returned the following:

ssh dhcpv6-client http https

From this I would guess that ports 80 and 443 are open in the firewall for http and https.

Hereā€™s my real issue. First, I have only been working with Linux for a little less than two weeks so if I donā€™t say something in exactly the right way, please be kind and just ask me again. Secondly, the issue I believe that I am having, has to do primarily with the external network card. A little background here would probably help. I originally built this server with two Ethernet adapters; one was for internal use which has a 192.168.xxx.xxx private internal address. The second card was on an address (96.93.196.241) from one of the public IP blocks that we lease from Comcast Business and was for external access to our website. Everything appeared to be working and I could SSH into the server using either address from a workstation here. I could also get to a test index page for our site from the workstation using either the Internal or External address of the server. I later assumed that the reason I could get to the external address was because that IP belongs to a block of addresses that we use here for other servers and firewalls and that our main firewall or Comcast was routing the request internally since the firewall is on the same subnet as this server. (This server is not connected to a firewall other than the internal firewalld in the CentOS). When I tried to install a Letā€™s Encrypt security cert, the authentication procedure timed out. I contacted you guys and Danial figured out that my site could not be reached from the outside of my office. After a couple of days with Danial providing excellent advice we could not solve the problem. Danial said that he just wasnā€™t that familiar with CentOS 7 to be able to help me troubleshoot my issue. I completely understood that so I deactivated the local card and changed ONBOOT to no so that it would not load the card every time I rebooted. I then proceeded to troubleshoot the external card. At first the card would really do nothing. I could not reach any website nor could I ping any external address including the ISPā€™s Gateway address assigned for this IP block. I know that if you canā€™t ping the gateway for the card, you are really not going anywhere. I found that there was a /24 or 255.255.255.0 subnet showing in ifconfig when I did an ifconfig -a from the command line. The ifcfg-enp8s0 file showed the correct subnet /28 or 255.255.255.240. the correct value /28 also appeared in the nmtui utility when I checked the status of the card. I have no idea why it showed up incorrectly in the ifconfig screen when it was correct in the other two places. Anyway I got that fixed and that brings us up to date as to where we are now. The internal card is deactivated and I can ping the stated gateway address for the IP I am using. I can not ping other outside addresses nor reach any website using DNS or the siteā€™s direct IP address.

I am sorry that this was so long, but I wanted you to understand the whole picture. I am now wondering if there might be a routing problem. Iā€™m at a bit of a loss at this point. Any help that you could provide me as to where to go from here (be careful now) would be more than greatly appreciated.

Again, thanks for your reply and your help in advance.

Harry

Golden, CO, USA

16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.