A post was split to a new topic: Unknown problem accessing Let's Encrypt API
Yes, comms problems like that can be very difficult to debug and resolve. I think you are now convinced this is not related to Let's Encrypt.
I am not sure this will help you but sometimes a traceroute helps identify where to look or who best to contact. You may need to involve your ISP or other networking specialists. You have ways to reproduce the problem so that helps.
Below are traceroutes from a server running in an AWS US East Coast region.
This uses port 80. It never reaches you.
sudo traceroute -T -p80 -6 -m 100 dev.tierschnack.de
traceroute to dev.tierschnack.de (2a03:7847:2252:180:5054:ff:fe6c:13d1), 100 hops max, 80 byte packets
1 (hops 1-9 omitted)
...
10 SWN-STADTWE.edge1.Hamburg1.Level3.net (2001:1900:5:2:2:0:8:7d7e) 96.465 ms * 96.767 ms
11 ae-11.edge1.Washington111.Level3.net (2001:1900:4:3::975) 1.582 ms 2a03:7840:1fc:30::1 (2a03:7840:1fc:30::1) 97.503 ms ae-11.edge1.Washington111.Level3.net (2001:1900:4:3::975) 1.560 ms
12 2a03:7847:2252:100:185:12:88:130 (2a03:7847:2252:100:185:12:88:130) 100.465 ms lo0.0.edge4.Hamburg1.level3.net (2001:1900:2::3:17f) 95.642 ms *
13 2a03:7847:2252:101:20d:b9ff:fe4c:5325 (2a03:7847:2252:101:20d:b9ff:fe4c:5325) 101.451 ms SWN-STADTWE.edge1.Hamburg1.Level3.net (2001:1900:5:2:2:0:8:7d7e) 96.629 ms 96.593 ms
14 2620:107:4000:8001::21 (2620:107:4000:8001::21) 11.006 ms * *
15 2a03:7847:2252:100:185:12:88:130 (2a03:7847:2252:100:185:12:88:130) 98.974 ms 2a03:7847:2252:101:20d:b9ff:fe4c:5325 (2a03:7847:2252:101:20d:b9ff:fe4c:5325) 99.673 ms *
16 * * *
17 * * *
18 * SWN-STADTWE.edge1.Hamburg1.Level3.net (2001:1900:5:2:2:0:8:7d7e) 96.937 ms *
19 * * *
20 * * *
21 * * *
(repeats this and never finishes)
Here is a traceroute using port 443. This is a normal result as you can see your IPv6 address in the last step.
sudo traceroute -T -p443 -6 -m 100 dev.tierschnack.de
traceroute to dev.tierschnack.de (2a03:7847:2252:180:5054:ff:fe6c:13d1), 100 hops max, 80 byte packets
1 (hops 1-6 omitted)
...
7 2620:107:4000:cfff::f202:d445 (2620:107:4000:cfff::f202:d445) 0.970 ms * *
8 ae-11.edge1.Washington111.Level3.net (2001:1900:4:3::975) 1.464 ms 1.571 ms 1.546 ms
9 * lo0.0.edge4.Hamburg1.level3.net (2001:1900:2::3:17f) 95.408 ms 95.384 ms
10 SWN-STADTWE.edge1.Hamburg1.Level3.net (2001:1900:5:2:2:0:8:7d7e) 96.369 ms 2620:107:4000:cfff::f3ff:1b41 (2620:107:4000:cfff::f3ff:1b41) 0.552 ms ae-11.edge1.Washington111.Level3.net (2001:1900:4:3::975) 2.254 ms
11 ae-11.edge1.Washington111.Level3.net (2001:1900:4:3::975) 22.800 ms 22.758 ms 22.747 ms
12 * * *
13 2620:107:4000:cfff::f202:d547 (2620:107:4000:cfff::f202:d547) 1.055 ms * *
14 2a03:7847:2252:180:5054:ff:fe6c:13d1 (2a03:7847:2252:180:5054:ff:fe6c:13d1) 103.131 ms 2620:107:4000:8001::21 (2620:107:4000:8001::21) 0.955 ms 2a03:7840:1fc:30::1 (2a03:7840:1fc:30::1) 97.321 ms
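The two traces above differ in one decisive way: the port 443 trace ends with the destination address in its last hop, while the port 80 trace never shows it. As an added example (not from the thread), here is a small parser for Linux `traceroute` text output that makes that comparison mechanically, so several runs to different ports can be checked the same way. The sample outputs embedded in it are constructed to mimic the thread's results and use documentation addresses, not the real captures.

```python
"""Parse Linux `traceroute` text output and report whether the target answered.

Added example, not code from the original thread. It understands the standard
format shown above: a header line naming the target address, followed by one
line per hop with zero or more "host (address) rtt ms" probes or "*" timeouts.
"""
import ipaddress
import re

HEADER_RE = re.compile(r"^traceroute to \S+ \(([0-9a-fA-F:.]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\(([0-9a-fA-F:.]+)\)")

# Constructed sample output modelled on the thread's port 80 run: the trace
# stalls on timeouts and the destination never appears.
PORT80_TRACE = """traceroute to dev.example.invalid (2001:db8:180::1), 100 hops max, 80 byte packets
 1  2001:db8:aa::1 (2001:db8:aa::1)  0.5 ms  0.6 ms  0.6 ms
 2  edge.example.invalid (2001:db8:bb::7)  96.4 ms * 96.7 ms
 3  * * *
 4  * * *
"""

# Constructed sample output modelled on the port 443 run: the destination
# address answers at the final hop.
PORT443_TRACE = """traceroute to dev.example.invalid (2001:db8:180::1), 100 hops max, 80 byte packets
 1  2001:db8:aa::1 (2001:db8:aa::1)  0.5 ms  0.6 ms  0.6 ms
 2  edge.example.invalid (2001:db8:bb::7)  96.4 ms * 96.7 ms
 3  2001:db8:180::1 (2001:db8:180::1)  103.1 ms * *
"""


def parse_traceroute(text):
    """Return (destination, hops); hops is a list of (hop_number, set_of_addresses)."""
    dest = None
    hops = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            dest = ipaddress.ip_address(m.group(1))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        addrs = set()
        for candidate in ADDR_RE.findall(m.group(2)):
            try:
                addrs.add(ipaddress.ip_address(candidate))
            except ValueError:
                # Parenthesised text that is not an address (e.g. "(hops omitted)")
                pass
        hops.append((int(m.group(1)), addrs))
    if dest is None:
        raise ValueError("no traceroute header line found")
    return dest, hops


def reached_destination(text):
    """True if the target address itself answered at some hop."""
    dest, hops = parse_traceroute(text)
    return any(dest in addrs for _, addrs in hops)


def last_responding_hop(text):
    """Number of the last hop that returned any address, or None if none did."""
    _, hops = parse_traceroute(text)
    responding = [n for n, addrs in hops if addrs]
    return max(responding) if responding else None


def compare_traces(traces):
    """Map each label to (reached, last_responding_hop) for side-by-side review."""
    return {label: (reached_destination(t), last_responding_hop(t))
            for label, t in traces.items()}


if __name__ == "__main__":
    for label, (ok, last) in compare_traces(
            {"tcp/80": PORT80_TRACE, "tcp/443": PORT443_TRACE}).items():
        print(f"{label}: reached={ok} last responding hop={last}")
```

The useful signal for a firewall or routing problem is the combination: the same path up to the same hop, then one port reaches the target and the other does not. A trace that stops at the hop just before your own edge device, as in the thread, points at that device's rules rather than at the upstream network.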
Many thanks for your effort, @MikeMcQ
And guess what, I had the same idea:
https://community.keyhelp.de/viewtopic.php?p=49561#p49561
5 ipv6.de-cix.fra.de.as207790.stadtwerke-neumuenster.de (2001:7f8::3:2bae:0:1) 14.676 ms 14.778 ms 14.887 ms
6 2a03:7840:1fc:30::1 (2a03:7840:1fc:30::1) 16.859 ms 16.534 ms 16.604 ms
7 2a03:7847:2252:100:185:12:88:130 (2a03:7847:2252:100:185:12:88:130) 16.127 ms 18.885 ms 19.000 ms
8 2a03:7847:2252:101:20d:b9ff:fe4c:5325 (2a03:7847:2252:101:20d:b9ff:fe4c:5325) 19.856 ms 19.970 ms 20.076 ms
9 * * *
Hop 7 is my Fritz!Box (FreeBSD is weak at PPPoE), Hop 8 my OPNsense.
So the problem is in my LAN.
What stays strange is that I from a VPS with NetCup or IONOS see port 80 open, others don't.
Have you tried restarting your Fritz!Box? Sometimes when very odd things happen it is worth a try.
I tried, but it didn't work, I'll now compare the IP config of the two hosts in my LAN which use LE, one is a plain Debian with certbot and one Debian with KeyHelp.
I think it might be a routing issue, while it is still strange that some see port 80 open and some do not.
So, finally, it works. Was a rules problem in my firewall.
But still no clue why it worked from some hosts and not from others.
But for the moment I'm happy and don't really care why.
The thx goes to Florian from the KeyHelp support forum.
Just to close the thread here without having to check the KeyHelp forum ...
Florian saw you had IPv4 as the version for the port 80 rule rather than your needed IPv6 (as you are IPv6-only).
And for some reason it caused inconsistent connection results to port 80.
Thanks for reporting the final result.
Yes that was exactly my problem.
Hosts that are capable of IPv6 were able to reach all hosts inside the LetsEncrypt alias.
But as LE tried to reach via IPv4, it was blocked, caused by a wrong rule.
I must have cleaned up the rules some months ago and didn't notice the effect.
Thanks all for your help, and I think this can be closed now, if required, or marked as solved, or whatever.
Already did
LE would not try IPv4 as there was no IPv4 A address in the DNS.
And, the problem wasn't related to LE queries anyway. We saw failures from various clients just doing requests for your "home" page (even my own tests).
For some reason your firewall device got confused by your mix of a firewall rule you set up as IPv4 but that was associated with your profile (that you called "LetsEncrypt") that only had IPv6 addresses in it. Seems like a bug in that firewall handling that mixture, but I doubt the vendor would care much to pursue it.
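The root cause described above, an IPv4 rule tied to an alias holding only IPv6 addresses, is the kind of mismatch that is easy to create during a clean-up and hard to spot by eye. As an added example (not from the thread and not any firewall vendor's code), here is a lint pass over a simplified, hypothetical rule and alias model that flags a rule whose IP version has no overlap with the address family of the alias it references, and warns when the overlap is only partial. The rule fields, alias names and addresses are constructed; a real firewall's export format would need its own loader.

```python
"""Lint firewall rules whose IP version does not match their alias's address family.

Added example, not from the thread or from any firewall product. The rule and
alias structures are a hypothetical simplified model. The check itself is the
point: a rule marked IPv4 that points at an IPv6-only alias can never match the
traffic it was written for, so the intended allow silently does nothing.
"""
import ipaddress

# Which address families a rule of a given version can match (hypothetical
# version names, modelled loosely on the inet / inet6 convention).
RULE_FAMILIES = {"inet": {4}, "inet6": {6}, "inet46": {4, 6}}

# Constructed aliases using documentation prefixes only.
ALIASES = {
    "LetsEncrypt": ["2001:db8:1::/48", "2001:db8:2::/48"],      # IPv6-only alias
    "Monitoring": ["192.0.2.10", "2001:db8:3::10"],              # mixed alias
}

# Constructed rules. The first one reproduces the thread's mistake.
RULES = [
    {"name": "allow-http-from-LE", "ipversion": "inet", "source": "LetsEncrypt", "port": 80},
    {"name": "allow-https-from-LE", "ipversion": "inet6", "source": "LetsEncrypt", "port": 443},
    {"name": "allow-ssh-from-mon", "ipversion": "inet6", "source": "Monitoring", "port": 22},
]


def alias_families(members):
    """Set of IP versions (4 and/or 6) present among an alias's members."""
    return {ipaddress.ip_network(m, strict=False).version for m in members}


def _fmt(versions):
    return "/".join(f"IPv{v}" for v in sorted(versions))


def lint_rules(rules, aliases):
    """Return a list of (rule_name, severity, message) findings.

    severity is "error" when the rule can never match any alias member, and
    "warning" when some members fall outside the rule's address family.
    """
    findings = []
    for rule in rules:
        members = aliases.get(rule["source"])
        if members is None:
            findings.append((rule["name"], "error",
                             f"references unknown alias {rule['source']}"))
            continue
        have = alias_families(members)
        want = RULE_FAMILIES[rule["ipversion"]]
        if not (have & want):
            findings.append((rule["name"], "error",
                             f"rule is {rule['ipversion']} but alias {rule['source']} "
                             f"contains only {_fmt(have)} members; it can never match"))
        elif have - want:
            findings.append((rule["name"], "warning",
                             f"alias {rule['source']} also has {_fmt(have - want)} members "
                             f"that this {rule['ipversion']} rule will not match"))
    return findings


if __name__ == "__main__":
    for name, severity, message in lint_rules(RULES, ALIASES):
        print(f"{severity.upper():7} {name}: {message}")
```

Run against the constructed data, the IPv4 port 80 rule is reported as an error because its alias has no IPv4 members at all, while the IPv6 SSH rule only gets a warning because its alias mixes both families. Running a check like this after any rule clean-up catches the mismatch before it shows up as "works from some hosts, not from others".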
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.