Updated certbot client 0.40 -> 1.32.2 and http challenge fails

I ran this command: sudo certbot -v certonly --webroot -w /var/www/dev.pirkanmaa.fi/html/.well-known/acme-challenge/ -d dev.pirkanmaa.fi --dry-run

It produced this output:

Fetching http://dev.pirkanmaa.fi/.well-known/acme-challenge/Ue9OvUFudTNdS4Yx-AKK3-TkIS73_kecRO_RViy-IEs: Timeout during connect (likely firewall problem)

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.32.2

Hi,

I have access to http://dev.pirkanmaa.fi/.well-known/acme-challenge/test.html and the firewall rule for NGINX full is present.

Your firewall is blocking port 80 or there is nothing listening on that port. That in itself is probably unrelated to upgrading certbot unless you previously had a renewal hook to open your firewall.

3 Likes

Hi, thanks for the quick reply.
I ran lsof -n -i:80 to find out whether port 80 is being listened on:
lsof -n -i:80

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx 28734 www-data 8u IPv4 28701 0t0 TCP *:http (LISTEN)
nginx 28734 www-data 9u IPv6 28702 0t0 TCP *:http (LISTEN)

And UFW status has both 80 and 443 opened.

If your machine is hosted on a cloud hosting platform, check the network rules there as well. If I try to browse to http://dev.pirkanmaa.fi/ it does not connect (I'm in Australia). Also make sure you don't block geographically, as Let's Encrypt could be validating your domain from a different country.

Try an online tool to check your site from different countries.

5 Likes
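An added example, not part of the original posts: a small probe that fetches a test file from the challenge path and separates "nothing listening" (refused) from "packets dropped" (timeout), the two causes named above. The function names, the probe file name and the local demo server are assumptions made for illustration; a pass from your own network says nothing about reachability from the countries Let's Encrypt validates from.

```python
import functools, http.client, http.server, os, socket, tempfile, threading

PREFIX = "/.well-known/acme-challenge/"

def probe_http01(host, name, expected, port=80, timeout=5.0):
    """Fetch PREFIX+name over plain HTTP and classify the outcome."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PREFIX + name)
        resp = conn.getresponse()
        body = resp.read(4096)
    except socket.timeout:
        return "timeout"      # packets dropped: firewall, geo block, upstream filter
    except ConnectionRefusedError:
        return "refused"      # host reachable, nothing listening on the port
    except socket.gaierror:
        return "dns-failure"  # name does not resolve
    except (OSError, http.client.HTTPException):
        return "network-error"
    finally:
        conn.close()
    if resp.status != 200:
        return f"http-{resp.status}"  # 3xx/4xx/5xx answered by the web server
    return "ok" if body.strip() == expected.encode() else "wrong-content"

def demo():
    """Constructed local run: serve a temporary webroot, then probe it."""
    with tempfile.TemporaryDirectory() as webroot:
        os.makedirs(webroot + PREFIX)
        with open(webroot + PREFIX + "probe.txt", "w") as f:
            f.write("probe-123\n")  # constructed probe content
        handler = functools.partial(
            http.server.SimpleHTTPRequestHandler, directory=webroot)
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port = srv.server_address[1]
        try:
            served = probe_http01("127.0.0.1", "probe.txt", "probe-123", port)
            missing = probe_http01("127.0.0.1", "absent.txt", "x", port)
        finally:
            srv.shutdown()
            srv.server_close()
        # The listener is gone now, so the same port refuses connections.
        closed = probe_http01("127.0.0.1", "probe.txt", "probe-123", port)
    return served, missing, closed

if __name__ == "__main__":
    print(demo())
```

Run the probe from a host outside any allowed region as well; a "timeout" there with "ok" locally points at filtering between the internet and the server rather than at nginx or certbot.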

Hi, that could be it. We had issues with DoS attacks and we blocked all except EU.

I need to ask service provider to relax the blockade.

Either that or use DNS validation (or acme-dns etc) instead, that way you can get your cert even without having ports open.

4 Likes

DNS validation sounds even better, I will look into it.

1 Like

Hi, webprofusion. Thanks for your assistance. Our country block was one piece of the puzzle and it helped point us in the right direction. I had valuable help from our service provider and now it is working.

Take note that there is an nginx Perl module (50-mod-http-perl.conf) which needs to be removed. For some reason it interferes with certbot and nginx. Is there some way I can boost your rep or something?

2 Likes

Here, you can mark a post as a "solution" and give posts "likes".
You could also create a topic in the "Praise" category if you think anything/anyone merits that much too.

Outside of here... is the rest of the Internet - I'm not going to even try covering all that - LOL

4 Likes
