Verify error: During secondary validation: Fetching .. timeout

letsencrypt reports a timeout error. Nevertheless, I can see successful fetches of the challenge in the httpd logs:

185.207.91.217 - - [30/Sep/2020:14:20:23 +0400] "GET /.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc HTTP/1.1" 200 87 "-" "getssl/2.20"
66.133.109.36 - - [30/Sep/2020:14:20:27 +0400] "GET /.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.224.20.83 - - [30/Sep/2020:14:20:28 +0400] "GET /.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Even 3 from different IPs. It looks like letsencrypt dropped them at its side.


My domain is: shower.inr.ac.ru

I ran this command: getssl -a

It produced this output: Check all certificates
Registering account
Verify each domain
Verifying shower.inr.ac.ru
copying challenge token to /var/www/html/.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
Pending
checking if challenge is complete
Pending
checking if challenge is complete
getssl: shower.inr.ac.ru:Verify error: "detail": "During secondary validation: Fetching http://shower.inr.ac.ru/.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc: Timeout during connect (likely firewall problem)",

My web server is (include version): apache 2.2.15

The operating system my web server runs on is (include version): linux sl6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): getssl

You should receive 4 HTTP requests from Let's Encrypt's user agent.

The primary request has to succeed (66.133.109.36, which it did), and 2/3 of the secondary requests have to succeed as well.

In your case, it looks like only 1/3 of the secondary requests succeeded.

Are you blocking any AWS IP addresses on your server?

If you try again, is the failure consistent?

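To turn that rule into a quick log check, here is an added example (not from the thread or from getssl) that parses Apache combined-format lines, keeps only hits from the Let's Encrypt validation user agent, and applies the primary-plus-two-of-three rule per challenge token. It assumes the first validation hit seen for a token is the primary fetch; the second token and its 203.0.113.x addresses are constructed.

```python
import re
from collections import defaultdict

# Apache "combined" log format, as in the thread's httpd excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_UA_MARKER = "Let's Encrypt validation server"

# Constructed sample: the lines from the thread's log (the getssl self-check is ignored)
# plus a made-up token, CONSTRUCTEDTOKENOK, that received all four validation fetches.
SAMPLE_LOG = """\
185.207.91.217 - - [30/Sep/2020:14:20:23 +0400] "GET /.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc HTTP/1.1" 200 87 "-" "getssl/2.20"
66.133.109.36 - - [30/Sep/2020:14:20:27 +0400] "GET /.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.224.20.83 - - [30/Sep/2020:14:20:28 +0400] "GET /.well-known/acme-challenge/pQM4gBRblCX8Bizhx2j4uiWTGMTzPqk5c5hXTEdETRc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.10 - - [30/Sep/2020:15:00:01 +0400] "GET /.well-known/acme-challenge/CONSTRUCTEDTOKENOK HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.11 - - [30/Sep/2020:15:00:02 +0400] "GET /.well-known/acme-challenge/CONSTRUCTEDTOKENOK HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.12 - - [30/Sep/2020:15:00:02 +0400] "GET /.well-known/acme-challenge/CONSTRUCTEDTOKENOK HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.13 - - [30/Sep/2020:15:00:03 +0400] "GET /.well-known/acme-challenge/CONSTRUCTEDTOKENOK HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

def parse_challenge_fetches(log_text):
    """Return {token: [(ip, status), ...]} in log order, validation-server hits only."""
    fetches = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or LE_UA_MARKER not in m.group("ua"):
            continue
        path = m.group("path")
        if not path.startswith(CHALLENGE_PREFIX):
            continue
        fetches[path[len(CHALLENGE_PREFIX):]].append((m.group("ip"), int(m.group("status"))))
    return dict(fetches)

def validation_status(fetches, expected_total=4, min_secondary_ok=2):
    # Assumption: the first validation hit for a token is the primary fetch (true for the
    # thread's log, where 66.133.109.36 arrives first); the rest are secondary fetches.
    if not fetches or fetches[0][1] != 200:
        return "primary fetch missing or failed"
    secondary_ok = sum(1 for _, st in fetches[1:] if st == 200)
    if secondary_ok >= min_secondary_ok:
        return "ok"
    return f"only {secondary_ok}/{expected_total - 1} secondary fetches reached the server"

def diagnose(log_text):
    return {tok: validation_status(f) for tok, f in parse_challenge_fetches(log_text).items()}
```

A token that never shows up at all points at a problem before the fetch (DNS, or the token not being served), whereas a missing secondary fetch with a successful primary is the pattern this thread describes.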

See:

And:

I see. No, shower.inr.ac.ru is a public server, not using a firewall at all. The provider also does not firewall. I tested access to the challenge from the US, Singapore and Italy. No problems. In theory it is possible that letsencrypt servers are blocked by the Big F..g Russian firewall; some parts of AWS might be in their blacklist. It is very unlikely though, lots of people would see this problem.

Yes, the failure has been persistent for the last 24 hours.

Is it known what addresses are used by letsencrypt? I could check them against the Russian blacklist.

I am also going to check other servers in my network. All of them still have valid certificates, so the problem will not be exposed for a few months.

Read the FAQ I linked to above.

I tried checking these, which I took from my logs just now, against the Roskomnadzor blacklist but none got hits:

  • 66.133.109.36
  • 34.209.232.166
  • 3.128.26.105
  • 52.28.236.88

But keep in mind, these IPs all change frequently.


Thank you a lot! Problem solved.

Indeed, two of these addresses used to be blacklisted in Russia in the past. Now they are not.
But the "workaround" I had configured to route them via a bypass was not removed. My fault entirely.

Thank you again!

