Timeout when renewing certificate - firewall?

Hi there,
I've been searching the forums here for a couple hours and have not found a solution so I'm taking a chance and posting. I currently am hosting a web site on my cable modem and all is well. Incoming connections to http get redirected to https and the site is performing as expected. What I am not able to do is renew my certs.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hamradio.solutions

I ran this command: sudo certbot --apache --dry-run renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/cloud9.hamradio.solutions.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for cloud9.hamradio.solutions
Performing the following challenges:
http-01 challenge for cloud9.hamradio.solutions
Waiting for verification...
Challenge failed for domain cloud9.hamradio.solutions
http-01 challenge for cloud9.hamradio.solutions
Cleaning up challenges
Failed to renew certificate cloud9.hamradio.solutions with error: Some challenges have failed.


Processing /etc/letsencrypt/renewal/hamradio.solutions.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Simulating renewal of an existing certificate for hamradio.solutions and cloud9.hamradio.solutions
Performing the following challenges:
http-01 challenge for cloud9.hamradio.solutions
http-01 challenge for hamradio.solutions
Waiting for verification...
Challenge failed for domain cloud9.hamradio.solutions
Challenge failed for domain hamradio.solutions
http-01 challenge for cloud9.hamradio.solutions
http-01 challenge for hamradio.solutions
Cleaning up challenges
Failed to renew certificate hamradio.solutions with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/cloud9.hamradio.solutions/fullchain.pem (failure)
/etc/letsencrypt/live/hamradio.solutions/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: cloud9.hamradio.solutions
    Type: connection
    Detail: Fetching
    http://cloud9.hamradio.solutions/.well-known/acme-challenge/R9bUYjiYO4dHHWHVRIr6OY3b2IlaWNuKOjdobnVg9jM:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • The following errors were reported by the server:

    Domain: cloud9.hamradio.solutions
    Type: connection
    Detail: Fetching
    http://cloud9.hamradio.solutions/.well-known/acme-challenge/fzWfYzy_9jFPTGjhnx3yBODj8ngx4SWpr87_QbUfgV0:
    Timeout during connect (likely firewall problem)

    Domain: hamradio.solutions
    Type: connection
    Detail: Fetching
    http://hamradio.solutions/.well-known/acme-challenge/xNOogavNezdd4J1uUfZUSZNXhTBPXTU_ZTgTH2j7V4w:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): apache

The operating system my web server runs on is (include version):
Linux ubuntu 5.4.0-73-generic #82~18.04.1-Ubuntu SMP Fri Apr 16 15:10:02 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.15.0

2 Likes

First of all, the certificate with the name "cloud9.hamradio.solutions" which is a certificate just for the hostname cloud9.hamradio.solutions is redundant: your certificate with the name "hamradio.solutions" also contains that hostname. I recommend using and keeping just that latter certificate with the hostnames hamradio.solutions and cloud9.hamradio.solutions and (after making sure it's not in use any longer) delete the certificate with the name "cloud9.hamradio.solutions".

Further, port 80 is required to be open for the http-01 challenge. It seems to be closed now, while port 443 is open. However, only port 443 is not enough for the challenge.

2 Likes

It might be working for you, but your site on port 80 is not accessible on the Internet (or at least, Let's Encrypt's servers can't get to them per your error message, and I can't get to them from my system either.) You mention a "cable modem", so my wild guess is that your ISP blocks systems outside of their network from getting to your port 80.

This recent post was also from somebody using Cox Internet:

2 Likes

Thanks for the quick replies. The reason http works for me is it looks like Cox is filtering port 80 upstream from my cable modem. It works locally, but not if I come in using my phone. I may be having to upgrade my connectivity or find another ISP as this worked when I originally created the certs.

2 Likes

Without port 80 perhaps you could look into the dns-01 challenge. That would require access to your DNS zone however. And an automated approach is highly recommended.

2 Likes

Thanks all, but I'm just going to switch to business class cable modem service where they don't block the ports. Cox claims they block port 80 to protect people from virus/worms. My opinion is that they just want to force people into business class services.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.