Certbot errors : timeout during connect

My server is really struggling with certificates. The provision button gives the following errors:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for abbeytek.com
http-01 challenge for autoconfig.abbeytek.com
http-01 challenge for autodiscover.abbeytek.com
http-01 challenge for mta-sts.abbeytek.com
http-01 challenge for www.abbeytek.com
Using the webroot path /home/user-data/ssl/lets_encrypt/webroot for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.abbeytek.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.abbeytek.com/.well-known/acme-challenge/sIjySOVpxGnGVxighjhFGw_DRgWTPExRDchbxfH0gl8: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.abbeytek.com
   Type:   connection
   Detail: Fetching http://www.abbeytek.com/.well-known/acme-challenge/sIjySOVpxGnGVxighjhFGw_DRgWTPExRDchbxfH0gl8: Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

This is a mailinabox server, latest version. I enabled the owncloud admin using the tools script.

If I create the .well-known/acme-challenge folder myself (in user-data/ssl/lets_encrypt/webroot) and put something in it, then access it with the http url, it comes up fine so not sure why I can see these files but LE can’t.

Hi abbeytekmd,
Looks like you have some modifications done to the standard MIAB setup? Is this an existing upgrade or a new install? From the letsencrypt logs provided it does not look like a letsencrypt issue, see these lines:

You still have time to fix it TLS : Expires: Monday, 21 February 2022 at 15:25:20 Greenwich Mean Time

Make sure you have a working backup first! What happens if you rerun "Re-configure the box"?

sudo mailinabox

Cheers,
Martin

Thanks, Martin. I installed it a couple of months ago but the cert stuff has never worked from the admin panel. I did manage to get my initial certificates by fiddling about in the command line with certbot but cannot reproduce this. The only mod I did was enable the owncloud admin and install a couple of apps (rainloop, groups)

I recently upgraded to the newly released version of MIAB but that didn’t seem to change anything with this issue.

I’ve just done a “sudo mailinabox” and it all seemed fine, reinstalling stuff, no warnings or errors. No difference though. Everything else still seems to work fine.

There must be many people using this feature so you’re probably right that it’s not the config, but I can’t see anything wrong with the domain or the router.

I’m using MIAB to be the DNS server on my domain with all the defaults set and it all looks fine: there’s an A record to my IP and no AAAA records. The NAT on my router is fine for port 80 and 443 and I can get to the website (it’s a redirect but I see the page that does the redirect loads fine) on both http and https.

Looks like it's related to the public/private redirects, and the SSL scripts may expect you to have a public address. How do you do the redirects, DNAT or DMZ on the router?
Are you happy for me to run a full scan on your host to see if all required ports are visible from the Internet? What does the report on the MIAB status page look like?

The redirect is done client side in the top level index.html, so accessing www.abbeytek.com loads the index.html file, which has a <meta http-equiv="refresh" ...> in it, so I can't see how it might interfere, although I'm not ruling it out.

Sure, please, scan away. Anything you can see would be most helpful.

The status page is all green except some amber warnings about DNSSEC and a red warning about the reverse dns being incorrect.
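The manual test described earlier in the thread (dropping a file under .well-known/acme-challenge in the webroot and fetching it over HTTP) is the right first check, and the script below reproduces it end to end as an added example. It is not code from the thread or from the Mail-in-a-Box project: it writes a constructed token into a temporary webroot, serves that webroot from a throwaway loopback HTTP server, and fetches the token the way an ACME validation server would (plain HTTP, the /.well-known/acme-challenge/<token> path, a short connect timeout). It also shows the other outcome that matters for this thread: when the TCP connection itself fails, the fetch returns no HTTP status at all, which is exactly what certbot's "Timeout during connect" reports, and in that case the contents of the webroot are never examined. The token, key authorization and directory names are constructed samples, not real ACME values.

```python
import os
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler

# Path certbot's webroot plugin writes under the webroot; the CA fetches the same path.
CHALLENGE_PATH = ".well-known/acme-challenge"


def write_challenge(webroot, token, key_authorization):
    """Create <webroot>/.well-known/acme-challenge/<token> holding the key authorization."""
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(key_authorization)
    return path


def fetch_challenge(host, token, port=80, timeout=5):
    """Fetch the token over plain HTTP, as the validation server does.

    Returns (status, body). A status of None means the TCP connection never
    completed (refused, or a connect timeout like the one in the certbot log),
    so the file under the webroot was never even looked at.
    """
    url = f"http://{host}:{port}/{CHALLENGE_PATH}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore http_proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:            # reachable, but e.g. 404 / 403
        return exc.code, ""
    except (urllib.error.URLError, OSError) as exc:  # connect failure or timeout
        return None, str(exc)


def resolve_a_records(hostname):
    """IPv4 addresses the name resolves to, for comparison with the expected public IP."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the self-test output clean
        pass


def serve_webroot(webroot):
    """Serve a webroot on an ephemeral loopback port; returns (server, port)."""
    handler = partial(_QuietHandler, directory=webroot)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_self_test():
    """Constructed end-to-end check against a temporary webroot and a local HTTP server."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    token = "constructed-token-0123456789"               # sample token, not a real ACME token
    key_auth = token + ".constructed-account-key-thumbprint"  # sample key authorization
    write_challenge(webroot, token, key_auth)

    server, port = serve_webroot(webroot)
    try:
        status, body = fetch_challenge("127.0.0.1", token, port=port)
        missing_status, _ = fetch_challenge("127.0.0.1", "no-such-token", port=port)
    finally:
        server.shutdown()
        server.server_close()

    # Same port after the server is gone: nothing listens, so the connect fails outright.
    closed_status, closed_error = fetch_challenge("127.0.0.1", token, port=port, timeout=2)
    return {
        "status": status,                   # 200: webroot is served at the right path
        "body_matches": body == key_auth,   # True: the CA would see the key authorization
        "missing_status": missing_status,   # 404: wrong token is rejected, not silently served
        "closed_status": closed_status,     # None: connection-level failure, no HTTP status
        "closed_error": closed_error,
    }


if __name__ == "__main__":
    print(run_self_test())
```

Run fetch_challenge against the real hostname and port 80 from a host outside the LAN, not from the box or the home network: a fetch that succeeds from inside proves the webroot and web server are fine (which the poster's own test already showed) but says nothing about whether port 80 is reachable from the Internet, and a None status from outside points at the NAT/firewall path rather than at certbot. resolve_a_records lets you confirm the name really resolves to the public address the router forwards from, and nothing else.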
