Timeout error during certificate renew even though curl works

I am trying to renew a certificate but get a timeout error. I checked the availability of ports 80 and 443 from Port Checker - Check Open Ports Online, and the website seems reachable in Website Uptime Test: Check Website Status | Uptrends. But the http-01 challenge is failing. During the challenge I tried curl http://air.cs.itu.edu.tr/.well-known/acme-challenge/4cYht4W9exJbmOib2GwxKnUpPV2EYxrpyB8ZdMSGLvQ from another server (outside of this domain) and I can read the file. I currently disabled https redirection to test whether this is the issue, but it seems not.

My domain is: air.cs.itu.edu.tr

I ran this command: sudo certbot renew --apache -vv --debug-challenges

It produced this output:

  • The following errors were reported by the server:

    Domain: air.cs.itu.edu.tr
    Type: connection
    Detail: 160.75.154.23: Fetching
    http://air.cs.itu.edu.tr/.well-known/acme-challenge/4cYht4W9exJbmOib2GwxKnUpPV2EYxrpyB8ZdMSGLvQ:
    Timeout after connect (your server may be slow or overloaded)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.0

I also checked the information on https://check-your-website.server-daten.de/?q=air.cs.itu.edu.tr, but I am not sure which ones are related to the problem; can not using IPv6 cause a problem? Thanks for your help.

It looks like your server or firewall may be filtering/blocking HTTP validation requests coming from Let's Encrypt and some other IPs. It also looks like your domain may be rate limited (too many other certs issued for itu.edu.tr recently):

3 Likes

Is the domain validated from different addresses? I see TCP packets from Let's Encrypt during the challenge, but if there are multiple servers this could explain that. How can I verify this is a firewall/blocking problem?

You are likely affected by a Palo Alto Networks brand firewall. Check its Application Rules for something like "acme protocol" and ensure it is allowed.

Test requests to your domain time out, but only for requests to the acme challenge that also use a "user agent" string the same as the Let's Encrypt server uses. See below for a different person who had this same problem.

Just substitute your domain name for the ones in that post and yours fails in the same way. Specifically:

curl -I -m10 air.cs.itu.edu.tr/.well-known/acme-challenge/TestForum123 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

curl -I air.cs.itu.edu.tr/.well-known/acme-challenge/TestForum123
HTTP/1.1 404 Not Found
Date: Thu, 04 Aug 2022 14:16:56 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

6 Likes
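The diagnostic from the answer above, written up as an added example (it is not code from the original thread): a POSIX shell script that sends the same two HEAD requests to the acme-challenge path, one plain and one carrying the Let's Encrypt validation User-Agent, and turns the pair of outcomes into a verdict. The hostname is a parameter, TestForum123 is a placeholder token as in the post, and the interpretation of curl exit code 28 as "timed out" and of a 404 as a healthy answer for a bogus token are the script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread. Reproduces the check from
# the answer above: the same HEAD request to the acme-challenge path, once
# plain and once with the Let's Encrypt validation User-Agent, then a verdict.
# Assumptions: curl is installed; curl exit code 28 means the -m timeout hit;
# TestForum123 is a placeholder token, as in the post.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
TIMEOUT=10

# Build the challenge URL for a host, using the placeholder token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/TestForum123\n' "$1"
}

# Send one HEAD request; print "<curl exit code> <http status>".
# The status is 000 when no response line arrived. $2 is an optional User-Agent.
probe() {
    url=$(challenge_url "$1")
    if [ -n "${2:-}" ]; then set -- -A "$2"; else set --; fi
    status=$(curl -sS -I -m "$TIMEOUT" -o /dev/null -w '%{http_code}' "$@" "$url" 2>/dev/null)
    rc=$?
    printf '%s %s\n' "$rc" "${status:-000}"
}

# Interpret the curl exit codes of the plain ($1) and LE-UA ($2) requests.
#   ua-filtered : plain request answered (a 404 for a bogus token is fine),
#                 LE-UA request timed out -> something inspects the request
#   unreachable : both failed -> port, DNS or general firewall problem
#   ok          : both answered -> not a User-Agent filter
#   other       : anything else; inspect by hand
classify() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 28 ]; then
        echo ua-filtered
    elif [ "$1" -ne 0 ] && [ "$2" -ne 0 ]; then
        echo unreachable
    elif [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
        echo ok
    else
        echo other
    fi
}

# Run both probes against a host and print the verdict.
diagnose() {
    host=$1
    set -- $(probe "$host")
    plain_rc=$1; plain_status=$2
    set -- $(probe "$host" "$LE_UA")
    ua_rc=$1; ua_status=$2
    printf 'plain request : curl exit %s, HTTP %s\n' "$plain_rc" "$plain_status"
    printf 'LE-UA request : curl exit %s, HTTP %s\n' "$ua_rc" "$ua_status"
    printf 'verdict       : %s\n' "$(classify "$plain_rc" "$ua_rc")"
}

# Usage: sh acme_probe.sh air.cs.itu.edu.tr
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

A verdict of ua-filtered is the pattern in this thread: the TCP connection succeeds (which is why external port checkers pass and certbot reports "Timeout after connect"), but a device between the internet and Apache inspects the request and drops only the Let's Encrypt-style one, so plain curl and uptime monitors see nothing wrong. The fix then belongs on that device (the application rule mentioned above), not in Apache or certbot.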

I will contact the people who manage the firewall, thanks for the help.

2 Likes