Timeout error on Fetching

Omid · January 18, 2018, 4:05pm

Hello,

I am trying to install strongSwan VPN server on Ubuntu 17.10.1. There is a bash script on GitHub (https://github.com/jawj/IKEv2-setup) to automate the whole process. Part of this automation is installing LetsEncrypt certificate on server, however it fails. Therefore I examined the mentioned script and found the following command:

“certbot certonly --non-interactive --agree-tos --email $EMAIL --standalone -d $VPNHOST”

and the result of the above command:

=======================================================================
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Running pre-hook command: /sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for vpn.mydomain.net
Waiting for verification…
Cleaning up challenges
Running post-hook command: /sbin/iptables -D INPUT -p tcp --dport 443 -j ACCEPT
Failed authorization procedure. vpn.mydomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://vpn.mydomain.net/.well-known/acme-challenge/FNq1EXqDVwxSzKRy_5CApaGc1QgjSwy1tjdezt8S7ws: Timeout

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: vpn.mydomain.net
Type: connection
Detail: Fetching
http://vpn.mydomain.net/.well-known/acme-challenge/FNq1EXqDVwxSzKRy_5CApaGc1QgjSwy1tjdezt8S7ws:
Timeout
==============================================================================

The server is Ubuntu 17.10.1, only SSH server is installed. I have triple checked that vpn.mydomain.net resolves to correct IP address.

Your help is highly appreciated.

Thank you.
Omid

jared.m · January 18, 2018, 4:07pm

This is often an issue involving advertising an AAAA record that doesn’t actually connect, but without your real domain name all we can do is guess. That error means that, for any number of reasons, Let’s Encrypt was unable to connect to your web server.

Omid · January 18, 2018, 4:09pm

Hello Jared,

Thank you. The server hostname is “oh01.solidvpn.net”. It should resolve to 206.222.3.162 and it does.

Thank you
Omid

jmorahan · January 18, 2018, 4:12pm

You might need to change that to 80 due to the security issue?

Omid · January 18, 2018, 4:13pm

Hello jmorahan,

Is that going to solve my problem?

Thanks
Omid

Omid · January 18, 2018, 4:15pm

Also please note that i just have A record on my DNS not any AAAA, and no web server is installed. I assume that is fine considering that I need an standalone certificate to secure the VPN connection not a particular web site.

jmorahan · January 18, 2018, 4:29pm

That’s what I’m hoping. More specifically here where it’s set in the script.

Validation over port 443 is disabled due to a security issue. Certbot is capable of using port 80 as a fallback (depending on the version and which plugin you use, but in your case it should work).

Now I’m just guessing but if you needed to explicitly open port 443, you might need to explicitly open port 80 instead now.

Omid · January 18, 2018, 4:52pm

Thank you very much @jmorahan. Problem solved.

Thank you.
Omid

system · February 17, 2018, 4:52pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.