Unable to connect to to client

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: francoisvalscaleway.ddns.net

I ran this command: certbot renew

It produced this output:

FailedChallenges: Failed authorization procedure. francoisvalscaleway.ddns.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://francoisvalscaleway.ddns.net/.well-known/acme-challenge/asNWGJLrMaBD5uHgrRBpk7GDPnbFk1TzR7Gka0zxLfM: Timeout during connect (likely firewall problem)

My web server is (include version): apache 2.4.29

The operating system my web server runs on is (include version): ubuntu bionic

My hosting provider, if applicable, is: scaleway

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Can somebody helps on this problem ? Ports 80 and 443 are opened in iptables, I find this in the debug log:

{
“identifier”: {
“type”: “dns”,
“value”: “francoisvalscaleway.ddns.net
},
“status”: “invalid”,
“expires”: “2020-04-16T11:01:07Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching http://francoisvalscaleway.ddns.net/.well-known/acme-challenge/asNWGJLrMaBD5uHgrRBpk7GDPnbFk1TzR7Gka0zxLfM: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/3855556769/zo0e1w”,
“token”: “asNWGJLrMaBD5uHgrRBpk7GDPnbFk1TzR7Gka0zxLfM”,
“validationRecord”: [
{
“url”: “http://francoisvalscaleway.ddns.net/.well-known/acme-challenge/asNWGJLrMaBD5uHgrRBpk7GDPnbFk1TzR7Gka0zxLfM”,
“hostname”: “francoisvalscaleway.ddns.net”,
“port”: “80”,
“addressesResolved”: [
“51.158.79.57”
],
“addressUsed”: “51.158.79.57”
}
]
}
]
}
2020-04-09 13:01:25,244:DEBUG:acme.client:Storing nonce: 01018alq7jWls0cSsCmfgpxcZFKY3NjLf6vl7Qlfo-_fmeQ
2020-04-09 13:01:25,245:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: francoisvalscaleway.ddns.net
Type: connection
Detail: Fetching http://francoisvalscaleway.ddns.net/.well-known/acme-challenge/asNWGJLrMaBD5uHgrRBpk7GDPnbFk1TzR7Gka0zxLfM: Timeout during connect (likely firewall problem)

Hi @FrancoisVal

checking your domain via https://check-your-website.server-daten.de/?q=francoisvalscaleway.ddns.net - that works:

Domainname Http-Status redirect Sec. G
http://francoisvalscaleway.ddns.net/ 51.158.79.57 GZip used - 3138 / 10918 - 71,26 % 200 Html is minified: 223,78 % 0.086 H
https://francoisvalscaleway.ddns.net/ 51.158.79.57 GZip used - 3138 / 10918 - 71,26 % Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 1/2866 200 Html is minified: 223,78 % 2.686 B
http://francoisvalscaleway.ddns.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 51.158.79.57 Inline-JavaScript (∑/total): 0/0 Inline-CSS (∑/total): 0/0 404 Html is minified: 100,00 % 0.067 A
Not Found
Visible Content: Not Found The requested URL was not found on this server. Apache/2.4.29 (Ubuntu) Server at francoisvalscaleway.ddns.net Port 80

Port 80 answers.

So if you see that error message, looks like a regional firewall that blocks some ip addresses used by Letsencrypt.

It was indeed some kind of regional firewall. I am using ipset available on https://www.ipdeny.com/, and the adresses used by letsencrypt are included in the file for the US. I disabled the iptables rule based on that set and my certificates could be renewed.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.