Timeout on verification of domain

Niall-Jackson · March 19, 2018, 9:55am

My domain is:
aircoach-admin-iomart.spideronline.co.uk

I ran this command:
certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: aircoach.ie
2: www.aircoach.ie
3: admin.aircoach.ie
4: aircoach-admin-iomart.spideronline.co.uk
5: aircoach-iomart.spideronline.co.uk
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 4
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for aircoach-admin-iomart.spideronline.co.uk
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. aircoach-admin-iomart.spideronline.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://aircoach-admin-iomart.spideronline.co.uk/.well-known/acme-challenge/LTJnb4JuxSnuxNQc7hZMxX_-mEpbZXAUh6dZGOItBwI: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: aircoach-admin-iomart.spideronline.co.uk
   Type:   connection
   Detail: Fetching
   http://aircoach-admin-iomart.spideronline.co.uk/.well-known/acme-challenge/LTJnb4JuxSnuxNQc7hZMxX_-mEpbZXAUh6dZGOItBwI:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):
Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):
Linux version 4.13.0-37-generic (buildd@lcy01-amd64-012) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9)) #42~16.04.1-Ubuntu SMP

My hosting provider, if applicable, is:
Iomart

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

Things that have already been tried:

Domain accessible via other means: yes, the server responds as expected when accessing the domain using web browsers, and using the shell commands ping, curl, telnet, and links.
Issues with IPv6: the DNS has no AAAA record.
Permission issues creating the verification file: even setting the entire web tree to 777 doesn’t help.
Information from the Apache logs: no requests from the verification process appear in the access log, and no errors are logged. Other requests to the site appear in the access log exactly as expected.

Any help would be greatly appreciated.

mnordhoff · March 19, 2018, 9:58am

I can ping it, but trying to connect to http://aircoach-admin-iomart.spideronline.co.uk/ times out.

Are you sure it works from other ISPs? Other countries?

Niall-Jackson · March 19, 2018, 10:00am

I have tried accessing that domain via every server I have a login for – five different servers from different hosting companies across the UK. All tests report no issues.

Where are you connecting from? (More to the point, where does the certbot verifyer connect from?)

Niall-Jackson · March 19, 2018, 10:05am

(Also: the domain aircoach-iomart.spideronline.co.uk was set up in exactly the same way, just previously to the admin version, and validated perfectly on the first try… unfortunately it doesn’t actually need a certificate.)

mnordhoff · March 19, 2018, 10:06am

VPSes in a couple different locations and ISPs in the US.

They have different IP addresses, though.

aircoach-admin-iomart.spideronline.co.uk.  (unsigned)  85892  A   185.19.17.20
aircoach-iomart.spideronline.co.uk.        (unsigned)  86400  A   185.19.17.23

Niall-Jackson · March 19, 2018, 10:47am

Ah. The .23 address is a virtual IP pointing to two load balancers. I would expect that one to be the one that fails…

The DNS records were set up on Friday. Could it be a propagation issue?

sahsanu · March 19, 2018, 10:58am

Hi @Niall-Jackson,

I’ve tested them from 5 different countries (Spain, France, US, UK and Germany):

aircoach-iomart.spideronline.co.uk works perfectly but aircoach-admin-iomart.spideronline.co.uk gives a timeout from all the countries I tested it.

Cheers,
sahsanu

Niall-Jackson · March 19, 2018, 12:44pm

Hi… turns out the hosting company took it upon themselves to block all access (as opposed to just shell access) to the web servers that wasn’t coming from our company IP addresses. Couldn’t have diagnosed it without your help though, so thanks: everything is working now.

system · April 18, 2018, 12:44pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Manual request gets timeoud Help	5	1075	February 11, 2018
Timeout issue - sorry, I'm new to this stuff Help	3	1979	June 8, 2018
Timeout during connect Help	6	682	October 10, 2018
All ports and files verified and accessible. Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain Help	3	1589	December 22, 2017
Certbot times out Help	10	1833	May 16, 2019

Timeout on verification of domain

Related topics