Timeout on verification of domain


#1

My domain is:
aircoach-admin-iomart.spideronline.co.uk

I ran this command:
certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: aircoach.ie
2: www.aircoach.ie
3: admin.aircoach.ie
4: aircoach-admin-iomart.spideronline.co.uk
5: aircoach-iomart.spideronline.co.uk
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aircoach-admin-iomart.spideronline.co.uk
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. aircoach-admin-iomart.spideronline.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://aircoach-admin-iomart.spideronline.co.uk/.well-known/acme-challenge/LTJnb4JuxSnuxNQc7hZMxX_-mEpbZXAUh6dZGOItBwI: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: aircoach-admin-iomart.spideronline.co.uk
   Type:   connection
   Detail: Fetching
   http://aircoach-admin-iomart.spideronline.co.uk/.well-known/acme-challenge/LTJnb4JuxSnuxNQc7hZMxX_-mEpbZXAUh6dZGOItBwI:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):
Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Linux version 4.13.0-37-generic (buildd@lcy01-amd64-012) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)) #42~16.04.1-Ubuntu SMP

My hosting provider, if applicable, is:
Iomart

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Things that have already been tried:

  • Domain accessible via other means: yes, the server responds as expected when accessing the domain using web browsers, and using the shell commands ping, curl, telnet, and links.
  • Issues with IPv6: the DNS has no AAAA record.
  • Permission issues creating the verification file: even setting the entire web tree to 777 doesn’t help.
  • Information from the Apache logs: no requests from the verification process appear in the access log, and no errors are logged. Other requests to the site appear in the access log exactly as expected.

Any help would be greatly appreciated.


#2

I can ping it, but trying to connect to http://aircoach-admin-iomart.spideronline.co.uk/ times out.

Are you sure it works from other ISPs? Other countries?


#3

I have tried accessing that domain via every server I have a login for – five different servers from different hosting companies across the UK. All tests report no issues.

Where are you connecting from? (More to the point, where does the certbot verifier connect from?)


#4

(Also: the domain aircoach-iomart.spideronline.co.uk was set up in exactly the same way, just previously to the admin version, and validated perfectly on the first try… unfortunately it doesn’t actually need a certificate.)


#5

VPSes in a couple different locations and ISPs in the US.

They have different IP addresses, though.

aircoach-admin-iomart.spideronline.co.uk.  (unsigned)  85892  A   185.19.17.20
aircoach-iomart.spideronline.co.uk.        (unsigned)  86400  A   185.19.17.23

#6

Ah. The .23 address is a virtual IP pointing to two load balancers. I would expect that one to be the one that fails…

The DNS records were set up on Friday. Could it be a propagation issue?


#7

Hi @Niall-Jackson,

I’ve tested them from 5 different countries (Spain, France, US, UK and Germany):

aircoach-iomart.spideronline.co.uk works perfectly but aircoach-admin-iomart.spideronline.co.uk gives a timeout from all the countries I tested it.

Cheers,
sahsanu


#8

Hi… turns out the hosting company took it upon themselves to block all access (as opposed to just shell access) to the web servers that wasn’t coming from our company IP addresses. Couldn’t have diagnosed it without your help though, so thanks: everything is working now.
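The pattern seen in this thread (tests from your own networks succeed, no validation request appears in the access log, outside fetches time out) can be checked from the server side. The sketch below is an added example, not part of any post and not certbot code; it assumes Apache's common/combined log format, and the office range 203.0.113.0/24 and all log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Apache common/combined log format: client address first, request line in quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
ACME_PREFIX = "/.well-known/acme-challenge/"

def analyse(log_lines, own_networks):
    """Classify log clients as own/external and collect http-01 challenge hits."""
    own = [ipaddress.ip_network(n) for n in own_networks]
    sources = Counter()
    acme_hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        ip_text, path, status = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # HostnameLookups on, or a malformed entry
        sources["own" if any(ip in net for net in own) else "external"] += 1
        if path.startswith(ACME_PREFIX):
            acme_hits.append((ip_text, int(status)))
    if acme_hits:
        verdict = "validation requests reached Apache; check the response status"
    elif sources["own"] and not sources["external"]:
        verdict = "only own-network clients in log; suspect upstream source-IP filtering"
    elif sources["external"]:
        verdict = "external clients reach this vhost but no challenge request arrived"
    else:
        verdict = "no usable log lines"
    return {"sources": dict(sources), "acme_hits": acme_hits, "verdict": verdict}

# Constructed sample: every client is inside the assumed office range.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.11 - - [01/Jan/2024:10:01:09 +0000] "GET /login HTTP/1.1" 200 2310',
    '203.0.113.10 - - [01/Jan/2024:10:02:40 +0000] "GET /favicon.ico HTTP/1.1" 404 209',
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, ["203.0.113.0/24"]))
```

An access log in which every client falls inside your own address ranges means "it works from everywhere I tried" has only been tested from allowed sources; a fetch from a network you do not control is the test that matters.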

