Verify error: During secondary validation: Fetching .. timeout

My domain is: gitlab.fkti.etu.ru
I tried dehydrated with tls-alpn-01:

ERROR: Challenge is invalid! (returned: invalid) (result: [type] tls-alpn-01
[status] invalid
[error,type] urn:ietf:params:acme:error:connection
[error,detail] During secondary validation: 194.85.169.149: Timeout during connect (likely firewall problem)
[error,status] 400
[error] {type:urn:ietf:params:acme:error:connection,detail:During secondary validation: 194.85.169.149: Timeout during connect (likely firewall problem),status:400}
[url] https://acme-v02.api.letsencrypt.org/acme/chall-v3/171275394257/V8alYQ
[token] zbY9vJA23ePnu-L9La1f5exOljnUTzMPgYkoA46rWNM
[validationRecord,0,hostname] gitlab.fkti.etu.ru
[validationRecord,0,port] 443
[validationRecord,0,addressesResolved,0] 194.85.169.149
[validationRecord,0,addressesResolved] [194.85.169.149]
[validationRecord,0,addressUsed] 194.85.169.149
[validationRecord,0] {hostname:gitlab.fkti.etu.ru,port:443,addressesResolved:[194.85.169.149],addressUsed:194.85.169.149}
[validationRecord] [{hostname:gitlab.fkti.etu.ru,port:443,addressesResolved:[194.85.169.149],addressUsed:194.85.169.149}]
[validated] 2022-11-01T19:24:15Z)

I also tried certbot 1.31.0.
With http-01 I see two requests:

3.67.67.222 - - [01/Nov/2022:19:59:45 +0300] "GET /.well-known/acme-challenge/C26Cb01tFxiC7PhRL5F2G-EgpJanUonk1jvc43JLqLw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's En$
23.178.112.208 - - [01/Nov/2022:19:59:46 +0300] "GET /.well-known/acme-challenge/C26Cb01tFxiC7PhRL5F2G-EgpJanUonk1jvc43JLqLw HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let'

19:44:43,464:DEBUG:certbot._internal.display.obj:Notifying user: Certbot failed to authenticate some domains (authenticator: nginx). The Certificate
Authority reported these problems:
Domain: gitlab.fkti.etu.ru
Type: connection
Detail: During secondary validation: 194.85.169.149: Fetching
http://gitlab.fkti.etu.ru/.well-known/acme-challenge/UK11SEFBVf4BmlIg5vTs0RcK7rC7jTshay4AO62vx_c: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx
server and that it is accessible from the internet.

Is there any solution to resolve this?

Hello @Bosk, welcome to the Let's Encrypt community.

Here is a list of issued certificates: crt.sh | gitlab.fkti.etu.ru, the latest being 2022-08-02.
However, https://letsdebug.net/ with TLS-ALPN-01 is showing an error here: Let's Debug

And HTTP-01 fails with 2 errors here: Let's Debug
Best Practice - Keep Port 80 Open

1 Like

The errors reported by Let's Debug are probably due to the webserver being stopped at the moment. I don't think it's going to be related to the reported issue.

You should see 4. Do you have any kind of firewall which uses a local or cloud blocklist? fail2ban? Let's Encrypt validates from a number of AWS and other IP addresses.

If you try the same process on another webserver without this issue, you might be able to see what the IPs are at the moment.

5 Likes
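One way to run the check suggested in the reply above, as an added example that is not part of the original thread: group HTTP-01 challenge fetches in a combined-format access log by token and list the tokens that fewer distinct sources reached than expected. The default of 4 is taken from the reply, not from any specification; the function names, tokens and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Start of a "combined" access-log line for an HTTP-01 challenge fetch:
# client IP, request path carrying the token, response status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"GET /\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

def validation_hits(lines):
    """Map each challenge token to {source IP: set of status codes seen}."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # anything that is not a challenge fetch is ignored
            hits[m["token"]][m["ip"]].add(int(m["status"]))
    return hits

def incomplete_tokens(lines, expected=4):
    """Return {token: IPs answered with 200} where fewer than `expected`
    distinct sources got through. A source that timed out on connect never
    reaches the web server, so it shows up only as a missing entry."""
    report = {}
    for token, by_ip in validation_hits(lines).items():
        ok = sorted(ip for ip, codes in by_ip.items() if 200 in codes)
        if len(ok) < expected:
            report[token] = ok
    return report

def sample_line(ip, token):
    """Build one constructed log line (documentation IP ranges, fake agent)."""
    return (f'{ip} - - [01/Nov/2022:19:59:45 +0300] "GET /.well-known/'
            f'acme-challenge/{token} HTTP/1.1" 200 87 "-" "constructed-agent"')

# Constructed sample: one attempt reached by two sources, one by four.
SAMPLE_LOG = (
    ['192.0.2.99 - - [01/Nov/2022:19:59:40 +0300] "GET / HTTP/1.1" 200 612 '
     '"-" "constructed-agent"']
    + [sample_line(ip, "TOKEN_PARTIAL") for ip in ("192.0.2.10", "198.51.100.20")]
    + [sample_line(ip, "TOKEN_FULL") for ip in
       ("192.0.2.10", "198.51.100.20", "203.0.113.30", "203.0.113.31")]
)

if __name__ == "__main__":
    for token, ips in incomplete_tokens(SAMPLE_LOG).items():
        print(f"{token}: only {len(ips)} source(s) got through: {ips}")
```

Running the same check on a second server that validates cleanly shows which source addresses are missing on the failing one.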

It's because I stopped it. Let's Debug

1 Like

I don't have any fail2ban/blocklist. But my internet provider can have such limits.
