Verify Timeout for some domains

These sites stopped updating for some reason. The last successful access by letsencrypt is shown.
During the verification process letsencrypt makes no access to my web server (successful or error). Letsencrypt just says ‘timeout’. I have other sites, configured the same on the same server, which are still working.

The only thing I can think of that might affect this is that I changed the configuration from using DNS verification to http verification (because secondary DNS servers were too slow to update). But that was a few months before these failures started.

Note that I use getssl v2.10 (latest version) to manage my certs.

My domains affected are: codehunter.ruaraidh.eu (26Nov17)
www.lingbrae.uk (20Nov17)
www.sanpolo.org (18Jan18)

I ran this command:
getssl -w
It produced this output:
Registering account
Verify each domain
Verifying codehunter.ruaraidh.eu
copying challenge token to /etc/ssl/acme/.well-known/acme-challenge/YD-P3bZH2RA9_R61eywc6KxcL-GbEcld0wJXAq6Pr24
Pending
Pending
Pending
getssl: codehunter.ruaraidh.eu:Verify error: "Fetching http

My web server is (include version):
nginx nginx/1.6.2
The operating system my web server runs on is (include version):
Linux 4.9.0-1-amd64 #1 SMP Debian 4.9.6-3 (2017-01-28) x86_64 GNU/Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

I would appreciate some understanding of this problem and help to resolve it.

Many thanks

Is that the full error?

I can give the debug output if that would help

Yes, it definitely would.

Edit: I can’t load that fouter.net link, the connection just times out.

Download from

www.fouter.net/codehunter.debug.log

I hope that works; it’s quite long.

Sorry, I forgot to set the debug flag. I’ll do it again.

Try again, I’ve updated it.

Delete the link, it is exposing your ACME account key. Sorry, I did not know getssl did something so incredibly reckless.

Oops 🙁 That’s bad news.

So here is the authz that failed: https://acme-v01.api.letsencrypt.org/acme/authz/EYlFujWPErYcs_-PMilXBlIuikg0s4VtWdJmT6kfAx4

We can see that the full error is:

"Fetching http://codehunter.ruaraidh.eu/.well-known/acme-challenge/Mb9JT_ii31TmXOPkmUw4YcQAGaZb2WeF7L-VpLawOA4: Timeout"

I can't actually connect to this host from a couple of networks either (including my home ISP).

From other IPs I can successfully connect.

Do you have any firewall running on the server? From what I can tell Let's Encrypt can connect right now, so if you try again it should go through.

Yes, I have a firewall. I tried to update again but it failed.

When you say you can’t access site is that DNS or IP problem?

I do have Chinese IP allocations generally blocked. I think letsencrypt use amazonaws, so it should be OK.

Do you know what IP letsencrypt is using for verify?

Was the failure with the timeout message or something else?

I don’t think Let’s Encrypt validating IPs come from AWS, rather from Viawest (but even that is not dependable). You can’t reliably whitelist Let’s Encrypt IPs.

I (personally) can’t access 91.135.5.234 with a connection timeout, from some locations (none of which are China).

Can you try without the firewall?

Edit: I can suddenly access the server …

OK, that seems to be the problem. The IP they’re using is 64.78.149.164, which is in a spam block list (Spamhaus Zen).

Another bummer. I’ll have to think about that.

Many many thanks for your help. Just having a remote site is incredibly useful.

Now I suppose I will have to worry about my account key as well.

1 Like
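The diagnosis in the post above (the validator's IP 64.78.149.164 turning up on Spamhaus Zen) can be reproduced and checked for future renewals with a plain DNSBL lookup. The script below is an added example for this thread, not getssl's code and not anything the participants posted. It builds the reversed-octet query name for zen.spamhaus.org, decodes the 127.0.0.x listing codes and the 127.255.255.x error codes that Spamhaus documents, and adds a simple reachability check of a challenge URL. The `resolver` and `fetch` parameters are hypothetical injection points so the logic can be exercised offline; the token and answers used in the usage block are constructed.

```python
"""Pre-flight checks for the failure mode seen in this thread: an HTTP-01
challenge that times out because a DNSBL-driven firewall rule drops the
validator's source address.  Standard library only (Python 3.6+)."""
import ipaddress
import socket
import urllib.request

ZEN_ZONE = "zen.spamhaus.org"

# Spamhaus Zen listing codes (last octet of a 127.0.0.x answer), as published
# by Spamhaus; confirm against their current documentation before relying on it.
ZEN_CODES = {
    2: "SBL - Spamhaus Block List",
    3: "SBL CSS - compromised / snowshoe spam source",
    4: "XBL - exploited or compromised host",
    5: "XBL - exploited or compromised host",
    6: "XBL - exploited or compromised host",
    7: "XBL - exploited or compromised host",
    9: "SBL - DROP / EDROP",
    10: "PBL - ISP-maintained policy block (end-user address space)",
    11: "PBL - Spamhaus-maintained policy block",
}


def dnsbl_query_name(ip, zone=ZEN_ZONE):
    """Reverse the octets and append the zone: 64.78.149.164 -> 164.149.78.64.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def decode_zen_answers(answers):
    """Classify A-record answers.

    Returns (status, reasons) where status is 'listed', 'not-listed' or 'error'.
    127.255.255.x answers are Spamhaus error signals (e.g. open-resolver or
    query-limit responses), not listings, so they must not be treated as a hit."""
    reasons = []
    for a in answers:
        octets = a.split(".")
        if len(octets) != 4 or octets[0] != "127":
            continue  # not a DNSBL answer at all; ignore
        if octets[1:3] == ["255", "255"]:
            return "error", ["Spamhaus query error response %s" % a]
        if octets[1:3] == ["0", "0"]:
            code = int(octets[3])
            reasons.append(ZEN_CODES.get(code, "unknown Zen code %s" % a))
    return ("listed" if reasons else "not-listed"), reasons


def lookup_dnsbl(ip, resolver=None):
    """Query Zen for `ip`. `resolver(name)` returns a list of A records;
    the default uses the system resolver and maps NXDOMAIN to an empty list."""
    name = dnsbl_query_name(ip)
    if resolver is None:
        def resolver(n):
            try:
                infos = socket.getaddrinfo(n, None, socket.AF_INET)
            except socket.gaierror:
                return []          # NXDOMAIN: not listed
            return sorted({info[4][0] for info in infos})
    return decode_zen_answers(resolver(name))


def check_challenge_url(host, token, expected_body, fetch=None, timeout=10):
    """Fetch http://host/.well-known/acme-challenge/<token> and compare the body.

    This only proves the path is served from wherever the script runs; a
    firewall that drops specific source IPs (the problem in this thread) will
    still pass here, which is why the DNSBL lookup above exists."""
    url = "http://%s/.well-known/acme-challenge/%s" % (host, token)
    if fetch is None:
        def fetch(u):
            with urllib.request.urlopen(u, timeout=timeout) as resp:
                return resp.read().decode("utf-8", "replace")
    try:
        body = fetch(url)
    except Exception as exc:  # socket.timeout, URLError, HTTPError, ...
        return {"url": url, "ok": False, "error": "%s: %s" % (type(exc).__name__, exc)}
    ok = body.strip() == expected_body
    return {"url": url, "ok": ok, "error": None if ok else "body mismatch"}


if __name__ == "__main__":
    import sys
    # Default is the validator address reported in this thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "64.78.149.164"
    status, why = lookup_dnsbl(target)
    print(target, status, "; ".join(why) if why else "")
```

Because Let's Encrypt's validation addresses cannot be reliably allowlisted (as noted earlier in the thread), the practical mitigation is ordering: accept inbound TCP/80, at least for the `/.well-known/acme-challenge/` path or for the renewal window, before any DNSBL-derived drop rules are evaluated, and run this lookup against the IP named in the failed authz to confirm that the block list, not nginx, is the cause.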

In my experience Spamhaus is worse than useless (harmful) and imo they should not advertise these lists.

Unfortunately neither getssl nor Certbot seem to support Let’s Encrypt’s flavor of account key roll-over so you may need to find another client or write a script to change your account key, should you wish to do so.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.