Timeout error on Fetching

Hello,

I am trying to install strongSwan VPN server on Ubuntu 17.10.1. There is a bash script on GitHub (https://github.com/jawj/IKEv2-setup) to automate the whole process. Part of this automation is installing LetsEncrypt certificate on server, however it fails. Therefore I examined the mentioned script and found the following command:

“certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST”

and the result of the above command:

=======================================================================
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Running pre-hook command: /sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn.mydomain.net
Waiting for verification…
Cleaning up challenges
Running post-hook command: /sbin/iptables -D INPUT -p tcp --dport 443 -j ACCEPT
Failed authorization procedure. vpn.mydomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn.mydomain.net/.well-known/acme-challenge/FNq1EXqDVwxSzKRy_5CApaGc1QgjSwy1tjdezt8S7ws: Timeout

IMPORTANT NOTES:

The server is Ubuntu 17.10.1; only the SSH server is installed. I have triple checked that vpn.mydomain.net resolves to the correct IP address.

Your help is highly appreciated.

Thank you.
Omid

This is often an issue involving advertising an AAAA record that doesn’t actually connect, but without your real domain name all we can do is guess. That error means that, for any number of reasons, Let’s Encrypt was unable to connect to your web server.

Hello Jared,

Thank you. The server hostname is “oh01.solidvpn.net”. It should resolve to 206.222.3.162 and it does.

Thank you
Omid

You might need to change that to 80 due to the security issue?

Hello jmorahan,

Is that going to solve my problem?

Thanks
Omid

Also please note that I just have an A record on my DNS, not any AAAA, and no web server is installed. I assume that is fine considering that I need a standalone certificate to secure the VPN connection, not a particular web site.

That’s what I’m hoping. More specifically here where it’s set in the script.

Validation over port 443 is disabled due to a security issue. Certbot is capable of using port 80 as a fallback (depending on the version and which plugin you use, but in your case it should work).

Now I’m just guessing but if you needed to explicitly open port 443, you might need to explicitly open port 80 instead now.
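An added check (not from the thread or the IKEv2-setup script) that compares the port an ACME challenge type is validated on with the port an iptables pre-hook actually opens, using the hook quoted in the certbot output above as constructed input; the function names are my own:

```shell
#!/bin/sh
# Added example, not code from the thread or the IKEv2-setup script.
# http-01 is validated over 80/tcp; tls-sni-01 (disabled for the security
# issue mentioned above) and tls-alpn-01 are validated over 443/tcp.

# expected_port CHALLENGE -> prints the TCP port the ACME validator connects to
expected_port() {
  case "$1" in
    http-01) echo 80 ;;
    tls-sni-01|tls-alpn-01) echo 443 ;;
    *) echo "unknown challenge: $1" >&2; return 1 ;;
  esac
}

# hook_port HOOK -> extracts the --dport value from an iptables hook command
hook_port() {
  printf '%s\n' "$1" | sed -n 's/.*--dport[ =]\([0-9]*\).*/\1/p'
}

# check_hook CHALLENGE HOOK -> 0 if the hook opens the validated port, else 1
check_hook() {
  want=$(expected_port "$1") || return 1
  have=$(hook_port "$2")
  if [ "$have" = "$want" ]; then
    echo "ok: $1 validation reaches port $want"
    return 0
  fi
  echo "mismatch: $1 validates on port $want but hook opens port ${have:-none}" >&2
  return 1
}

# fix_hook HOOK CHALLENGE -> rewrites the --dport value to the validated port
fix_hook() {
  port=$(expected_port "$2") || return 1
  printf '%s\n' "$1" | sed "s/--dport[ =][0-9]*/--dport $port/"
}

# Constructed sample: the pre-hook from the certbot output, paired with http-01.
OLD_HOOK='/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT'
check_hook http-01 "$OLD_HOOK" || fix_hook "$OLD_HOOK" http-01
```

The same check applies to the post-hook, which must close the port the pre-hook opened.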

Thank you very much @jmorahan. Problem solved.

Thank you.
Omid
