Timeout with certbot --standalone when fetching .well-known/acme-challenge

My domain is: dev-o13.security-warehouse.com

I ran this command: certbot certonly --standalone -d dev-o13.security-warehouse.com

It produced this output:


Performing the following challenges:
http-01 challenge for dev-o13.security-warehouse.com
Waiting for verification...
Challenge failed for domain dev-o13.security-warehouse.com
http-01 challenge for dev-o13.security-warehouse.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:


My web server is (include version): standalone should not require a web server, but I am using nginx and I have stopped nginx to release port 80.

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes, I ran the command from the shell.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.40.0

I'm getting a timeout too, and not just for the challenge, but for that hostname altogether. As the error suggests, is there any firewall blocking port 80? I can see the host is up, as it replies to pings, but no common port seems to be open.

Also: if you have an instance of nginx running, why are you using the standalone plugin? Not that it's related to your firewall issue, though; more in general.

3 Likes

Thanks for your reply. I have it fixed.

Yes, you're right. I have a firewall; I ran ufw allow for port 80 (as I thought, I have done that many times), but I reviewed it using ufw status, as below,

Anywhere ALLOW 433
Anywhere ALLOW 80

I disabled ufw and the certbot command succeeded immediately; then I realized my rule was wrongly defined and, as you said, port 80 was not open.

So I added another one, ufw allow 'Nginx Full', and then it works.

Why I use standalone: because I just want it as simple as possible and to edit nginx.conf myself to add the ssl_certificates and related definitions.

The certbot error message pointed out the suspected firewall issue, but I was unable to find the exact issue as I thought my firewall didn't block.

Shouldn't that be 443?

3 Likes
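As an added example (mine, not code from the thread or from Certbot), a small POSIX shell audit that reads `ufw status` output and reports whether port 80, where the HTTP-01 validation request arrives, and port 443, needed once nginx serves the certificate, have an ALLOW rule, either by number or through the `Nginx HTTP`, `Nginx HTTPS` or `Nginx Full` application profiles that the Ubuntu nginx package registers with ufw. The sample status text is constructed to mirror the rule set in the post above, with 433 where 443 was intended; the function and variable names are my own.

```shell
#!/bin/sh
# Audit a `ufw status` listing for the ports an HTTP-01 validation and the
# resulting HTTPS site need. Added example; SAMPLE_STATUS is constructed to
# reproduce the typo from the thread (433 instead of 443).

SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
433                        ALLOW       Anywhere
80                         ALLOW       Anywhere
433 (v6)                   ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)'

# Print the "To" column of every ALLOW rule, one per line, with the (v6)
# suffix dropped, e.g. "80", "433", "Nginx Full".
allowed_rules() {   # $1 = text of `ufw status`
    printf '%s\n' "$1" \
        | grep -E '[[:space:]]ALLOW([[:space:]]|$)' \
        | sed -E 's/[[:space:]]+ALLOW.*$//; s/ \(v6\)$//' \
        | sort -u
}

# Return 0 when a TCP port is allowed, by number ("80", "80/tcp") or by one
# of the nginx application profiles that cover it.
port_allowed() {    # $1 = port number, $2 = rule list from allowed_rules
    port=$1; rules=$2
    printf '%s\n' "$rules" | grep -qxE "$port(/tcp)?" && return 0
    case "$port" in
        80)  printf '%s\n' "$rules" | grep -qxE 'Nginx (Full|HTTP)' ;;
        443) printf '%s\n' "$rules" | grep -qxE 'Nginx (Full|HTTPS)' ;;
        *)   return 1 ;;
    esac
}

# Report on ports 80 and 443; return 1 if either lacks an ALLOW rule.
# Numeric rules other than 22, 80 and 443 are listed so a mistyped port
# like 433 stands out.
audit_http01() {    # $1 = text of `ufw status`
    if ! printf '%s\n' "$1" | grep -q '^Status: active'; then
        echo "ufw is inactive, so it is not what blocks port 80; look elsewhere"
        return 0
    fi
    rules=$(allowed_rules "$1")
    status=0
    for port in 80 443; do
        if port_allowed "$port" "$rules"; then
            echo "port $port: ALLOW rule present"
        else
            echo "port $port: NO ALLOW rule"
            status=1
        fi
    done
    printf '%s\n' "$rules" | grep -E '^[0-9]+(/tcp)?$' \
        | grep -vxE '(22|80|443)(/tcp)?' \
        | sed 's/^/note: numeric rule that is not 22, 80 or 443: /'
    return $status
}

# Demonstration on the constructed status text.
audit_http01 "$SAMPLE_STATUS" \
    || echo "fix: sudo ufw allow 443/tcp   (or: sudo ufw allow 'Nginx Full')"
```

Against a live host, run `audit_http01 "$(sudo ufw status)"`. Two points worth keeping in mind: a bare numeric rule such as `ufw allow 80` opens UDP as well as TCP, so `ufw allow 80/tcp` is the tighter form, and HTTP-01 itself only needs port 80 open; the validator follows a redirect to 443 if nginx issues one, so 443 must be open for that case and for serving the site afterwards.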

You could use certbot certonly with the --nginx authenticator or the --webroot authenticator.
And you would NOT have to stop the web service.

2 Likes

I concur with Rudy here. If you don't want Certbot to mess with your nginx configuration in any way, which I can understand, I'd recommend using the certonly subcommand with the --webroot plugin. I'd only use standalone if it was a webserver-less host, such as a standalone mail server or something similar.

4 Likes
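Following the webroot advice above, an added example (mine, not the thread's or Certbot's code): a POSIX shell preflight that checks a webroot the way the HTTP-01 validator will use it before you run `certbot certonly --webroot`. It creates `.well-known/acme-challenge` under the webroot, drops a throwaway token there, verifies that the directory and token are readable by other users (the nginx worker runs unprivileged, so a 0700 directory turns into a 403 and a failed challenge), optionally fetches the token over HTTP, and cleans up. The webroot, domain and base URL are placeholders you supply; the curl step is skipped when no URL is given, so the script also runs offline.

```shell
#!/bin/sh
# Preflight for `certbot certonly --webroot`. Added example; the webroot,
# domain and URL arguments are placeholders, not values from the thread.

CHALLENGE_DIR=".well-known/acme-challenge"

# Print the certbot invocation that replaces the standalone run from the
# thread: nginx keeps running and serves the token from the webroot.
certbot_webroot_cmd() {   # $1 = domain, $2 = webroot directory
    printf 'certbot certonly --webroot -w %s -d %s\n' "$2" "$1"
}

# Return 0 when the webroot can hold a world-readable challenge token (and,
# if a base URL is given, when that token is reachable over HTTP).
# Diagnostics go to stderr; the token is removed on every path.
webroot_preflight() {     # $1 = webroot directory, $2 = optional http://host
    webroot=$1; base_url=${2:-}
    dir="$webroot/$CHALLENGE_DIR"
    mkdir -p "$dir" || { echo "cannot create $dir" >&2; return 1; }
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    path="$dir/$token"
    printf 'preflight-%s' "$token" > "$path" \
        || { echo "cannot write into $dir" >&2; return 1; }
    # The directory must be traversable (o+x) and listable-enough (o+r) and
    # the token readable (o+r) by the unprivileged nginx worker.
    if [ -z "$(find "$dir" -prune -perm -005 -print)" ] \
        || [ -z "$(find "$path" -perm -004 -print)" ]; then
        echo "$dir or the token is not world-readable; chmod o+rx the directory chain" >&2
        rm -f "$path"; return 1
    fi
    if [ -n "$base_url" ]; then
        got=$(curl -fsS --max-time 10 "$base_url/$CHALLENGE_DIR/$token" 2>/dev/null)
        if [ "$got" != "preflight-$token" ]; then
            echo "GET $base_url/$CHALLENGE_DIR/$token did not return the token; check nginx root/location and port 80" >&2
            rm -f "$path"; return 1
        fi
    fi
    rm -f "$path"
    return 0
}

# Demonstration against a temporary directory; on a real host pass the
# directory nginx serves for /.well-known/acme-challenge/ on port 80.
demo_root=$(mktemp -d)
if webroot_preflight "$demo_root"; then
    echo "webroot $demo_root is usable; run:"
    certbot_webroot_cmd example.com "$demo_root"
fi
rm -rf "$demo_root"
```

The webroot passed with `-w` has to be the directory nginx serves for `/.well-known/acme-challenge/` on port 80: either the `root` of the port-80 server block, or a dedicated `location ^~ /.well-known/acme-challenge/ { root /var/www/acme; }` pointing at a directory reserved for challenges. Passing `http://your.host` as the second argument exercises that mapping end to end; an empty response there while the local checks pass points at the nginx configuration or the firewall rather than at file permissions.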

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.