Unable to get a new nert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sos.mg

I ran this command: sudo certbot --nginx -d ap.sos.mg

It produced this output:
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: ap.sos.mg
Type: connection
Detail: 41.204.107.135: Fetching http://ap.sos.mg/.well-known/acme-challenge/6iJPOfYV_Bs1yYKjHRkcXZ9rYIAXyL-wnfsDQIlsBrY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version): nginx/1.22.1

The operating system my web server runs on is (include version): debian 12

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

ps: i use pfsense firewall with open port 80 nat-ted to the physical server

Hi @mgy0p, and welcome to the LE community forum :slight_smile:

hmm...
Either this is NOT your IP:

OR
You are using some sort of IP blocking system.
Perhaps GeoLocation based.
I get a long delay [about 12 seconds] and then "reset":

curl -Ii ap.sos.mg
curl: (56) Recv failure: Connection reset by peer
3 Likes

For some reason your timeouts are always ending in a connection reset by peer error, I noticed. Whereas other users including myself would get an actual timeout error.

2 Likes

Hello @mgy0p,

Port 80 is filtered; you need Port 80 Open and accessible for the HTTP-01 challenge
Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443 ap.sos.mg
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-03 21:44 UTC
Nmap scan report for ap.sos.mg (41.204.107.135)
Host is up (0.34s latency).
rDNS record for 41.204.107.135: static-107-135.blueline.mg

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 5.80 seconds
1 Like

And from around the world Permanent link to this check report gets "Connection timed out" for Port 80.

1 Like

And using this online tool Let's Debug yields https://letsdebug.net/ap.sos.mg/1757392

ANotWorking
ERROR
ap.sos.mg has an A (IPv4) record (41.204.107.135) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
A timeout was experienced while communicating with ap.sos.mg/41.204.107.135: Get "http://ap.sos.mg/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://ap.sos.mg/.well-known/acme-challenge/letsdebug-test (using initial IP 41.204.107.135)
@0ms: Dialing 41.204.107.135
@10001ms: Experienced error: context deadline exceeded
IssueFromLetsEncrypt
ERROR
A test authorization for ap.sos.mg to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
41.204.107.135: Fetching http://ap.sos.mg/.well-known/acme-challenge/vLB-KuLk9NMPMkR-aq1u5jirv21iUjc9gZuRCbHhcZA: Timeout during connect (likely firewall problem)

Please take note of the line "41.204.107.135: Fetching http://ap.sos.mg/.well-known/acme-challenge/vLB-KuLk9NMPMkR-aq1u5jirv21iUjc9gZuRCbHhcZA: Timeout during connect (likely firewall problem)"

Also stated here

1 Like

Many thanks for you replies. I solve the issues by myself as according to your remarks, the main problem was the firewall configuration. The port forwarding was incorrect so it remain on timeout issue.
It's fix now and I go my domain certified

Certificate is saved at: /etc/letsencrypt/live/ap.sos.mg/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/ap.sos.mg/privkey.pem```

Many thanks

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.