Timeout Problem

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portal.viaem.de

I ran this command: certbot certonly --webroot --webroot-path /var/www/viaem -d portal.viaem.de --test-cert --dry-run -v

It produced this output:
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “Fetching http://portal.viaem.de/.well-known/acme-challenge/zi1wco-EDJOYHfXXDYHwCkjfQE-wBkJbIR4jkyD_kKU: Timeout”,
“status”: 400

My web server is (include version):
docker nginx/latest

The operating system my web server runs on is (include version):
debian stretch
My hosting provider, if applicable, is:
dynamic ip to server at home

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel)

I see the contact of the letsencrypt server in the logs of the reverse proxy:
52.29.173.72 - - [18/Dec/2017:21:56:12 +0000] “GET /.well-known/acme-challenge/zi1wco-EDJOYHfXXDYHwCkjfQE-wBkJbIR4jkyD_kKU HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)” “-”

I placed a file test.txt in
/var/www/viaem/.well-known/acme-challenge
And if I connect from outside to
portal.viaem.de/.well-known/acme-challenge/test.txt
I get the content “Hello”

the configuration file of my reverse proxy:

server {
listen 80;
server_name portal.viaem.de;
location / {
proxy_pass http://portal.viaem.de:8080;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location /.well-known/acme-challenge {
default_type “text/plain”;
root /var/www/viaem;
}
}
server {
listen 443;
server_name portal.viaem.de;
ssl on;
ssl_certificate /etc/nginx/certs/letsencrypt/live/portal.viaem.de/fullchain.pem;
ssl_certificate_key /etc/nginx/certs/letsencrypt/live/portal.viaem.de/privkey.pem;
ssl_trusted_certificate /etc/nginx/certs/letsencrypt/live/portal.viaem.de/chain.pem;

location / {
  proxy_pass https://portal.viaem.de:445;
  proxy_set_header   Host $host;
  proxy_set_header   X-Real-IP $remote_addr;
  proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header   X-Forwarded-Host $server_name;
}
location  /.well-known/acme-challenge {
  default_type "text/plain";
  root /var/www/viaem;
}

}

I used to have a separate certbot container that I started to renew the certificates. I had to stop the reverse proxy for that so that I could forward the ports 80 and 443 to the certbot container. I didn’t want to do that any longer so I installed the certbot in the reverse proxy nginx container and used docker exec to start certbot. Unfortunately my old setup doesn’t work any longer. I have no idea why.

The old certbot container Dockerfile:
FROM debian:latest
RUN apt-get update && apt-get install -y
certbot coreutils iputils-ping
WORKDIR /root
EXPOSE 80 443
ENTRYPOINT ["/usr/bin/certbot"]

The part in the docker-compose.yml file
certbot:
build:
context: ./certbot
container_name: certbot
ports:
- “80:80”
- "443:443"
volumes:
- vol_letsencrypt_viaem:/var/www/viaem
- ./certbot/etc_letsencrypt:/etc/letsencrypt
- ./certbot/lib_letsencrypt:/var/lib/letsencrypt

During the last attempts I added a --test-cert but the result was the same.

Setup:
I’ve got a DSL router and a pfsense firewall behind that. Port forwarding is configured in both to the virtual machine that contains the docker containers.

Hello,

Your server is not presently accessible from the outside internet via HTTP. I have tried this from multiple networks and they all failed.

$ curl --connect-timeout 10 -i http://portal.viaem.de
curl: (28) Connection timed out after 10001 milliseconds

wow, this answer is fast.

Hm, I just opened a vpn tunnel to the company I work with. From there I can reach the page without any problems. (I use an internet explorer) The page is very slow at the moment, but it should open within 10 s.

What is the difference here?

I just made another check. I opened a hot spot on my mobile, connected a laptop to that and could again reach the site without any trouble.
And I even see the contact of the letsencrypt server in the logs of the reverse proxy.

The site should be reachable.
It’s close to midnight. I’ll try to get some sleep. Maybe tomorrow offers some better opportunities.

It’s hard to say without an internal view to your infrastructure (firewalls, etc). Perhaps a firewall policy on the web server, that permits the VPN.

Is 79.231.174.70 the same IP address that your VPN sees? I will mention that the only port that appears open on that server, for me, is 5060/tcp.

In any case, the hard timeout for Let’s Encrypt to connect and perform the request is 5000 10,000ms.

I know for tls-sni-01, it's now 10s. I'm not positive, but I assume that change was made for http-01 as well.

Thats definitely my ip. The port 5060 is my sip telephone.
You don’t see ports 80 and 443 open? Weired.

I see an answer of the page within less than a second.

ok, I have to get up in five hours … I won’t look good tomorrow.

Thanks for your help. I’ll try again tromorrow.

I got it
I had some geoblocking activated some time ago. I thought I already had deactivated it. That was an error.

Thanks for your help. You saved my day … night to be precise.

You're correct - both tls-sni-01 and http-01 are using a 10s timeout now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.