Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: contest.walab.info

I ran this command:

sudo certbot certonly --standalone --dry-run -d contest.walab.info

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for contest.walab.info

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: contest.walab.info
  Type:   connection
  Detail: 203.252.112.50: Fetching http://contest.walab.info/.well-known/acme-challenge/arYtgzKOGv0nM5-b5TzK-ZLaejcLFF4jnun2ECD_ix4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
No web server installed

The operating system my web server runs on is (include version):
Ubuntu Server 24.04 LTS

My hosting provider, if applicable, is:
School server room

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.9.0 (from apt)
certbot 3.0.1 (from snap)

Hi there.

I have a problem getting a certificate using certbot.

I checked that my port 80 is open (and connectable), the DNS propagated well, and there are no web servers running or programs binding to port 80.

I even confirmed that I can connect to contest.walab.info/.well-known/acme-challenge/<token> using wget, on mobile phone hotspot.

(I run grep "token": on the log file when certbot starts running, so I tried manual connection tests.)

But certbot keeps saying that there are timeouts during connect.

I don't know why this issue keeps occurring. Hope I can get help from here!

Thanks.

1 Like

How did you check the latter? From within the same network as the server? Because I'm also getting a time out and so is Let's Debug. Please check the connectivity to your webserver using e.g. your phone over 3/4/5G instead of WiFi.

Edit:

Hm, so from outside of your network it seems? That's weird.

1 Like

Yes, I tried this about 5 times and it works on every try, even on outside network.

Well, some online tools I tested also can't connect, from all around the world. So somewhere there is a blockade.

A traceroute using TCP port 80 has 220.89.143.2 as the last responding host. Nothing after that.

1 Like

I think this is completely normal because there are no web servers or programs running.

I tested port 80 when certbot starts running using nmap, on external networks, and I confirmed that port 80 is open while certbot is doing its job.

1 Like

Not really. If nothing is running on a port, but no firewall is blocking access, one would expect a "connection refused" reply. Not a timeout.

2 Likes

Sounds like you are right. Seems like this:

could be my school's firewall; let me contact the IT department of my school first.

Anyway, thank you for kind answers :slight_smile:

3 Likes

It's quite likely a school would limit inbound access to hosts within their network.

3 Likes

I think Osiris has gotten you on the right track. But here are some tips on testing with the --standalone option. This may help while checking firewalls and such.

===================

The --standalone method is difficult to debug because you need to keep Certbot running to test connection from the public internet.

A way to test this easier is to use these command options

certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused like that and use a different device to test connection. You can use a mobile phone with wifi disabled so use your carrier's network.

You do not have to use the full URL. Just try http://(yourdomain)

If the connection works this shorter URL should see a response like below. I am pretty sure you will get a timeout error instead just like Let's Encrypt did. But, use this technique to modify your comms setup until it works.

ACME client standalone challenge solver
5 Likes
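A small probe that follows the two tips above: Osiris's point that a silent timeout (not "connection refused") is what a firewall looks like, and the --debug-challenges pause that lets you fetch the challenge URL from outside. This is an added example, not code from the thread or from Certbot; the host, token and the expected key-authorization shape (token, a dot, then the 43-character base64url SHA-256 thumbprint of the account key) are the only assumptions.

```python
"""Probe port 80 the way the ACME validator does and explain the outcome.

Added example (not from the forum thread): classifies the TCP connect result,
then fetches the challenge URL and checks that the body has the shape of an
ACME key authorization ('<token>.<thumbprint>').
"""
import errno
import http.client
import re
import socket

ACME_PATH = "/.well-known/acme-challenge/"
# token and thumbprint are base64url; a SHA-256 thumbprint is 43 chars unpadded
KEYAUTHZ_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]{43}$")

DIAGNOSIS = {
    "open": "something is listening; expected while certbot is paused on the prompt",
    "refused": "host reachable but nothing bound: certbot not running or DNS points elsewhere, not a firewall",
    "timeout": "SYN dropped silently: a firewall or geo-restriction is discarding inbound traffic",
    "unreachable": "no route to host: check addressing/routing before blaming a firewall",
}


def probe_port(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:              # alias of TimeoutError on Python 3.10+
        return "timeout"
    except ConnectionRefusedError:      # RST came back: reachable, nothing listening
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def fetch_challenge(host: str, token: str, timeout: float = 5.0) -> tuple[int, str]:
    """GET the challenge URL exactly as the CA would: plain HTTP on port 80."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", ACME_PATH + token, headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("ascii", errors="replace")


def looks_like_key_authorization(body: str, token: str) -> bool:
    """True if body is '<token>.<base64url thumbprint>' as standalone serves it."""
    body = body.strip()
    return body.startswith(token + ".") and KEYAUTHZ_RE.fullmatch(body) is not None


if __name__ == "__main__":
    import sys
    host, token = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "")
    state = probe_port(host)
    print(f"{host}:80 -> {state}: {DIAGNOSIS[state]}")
    if state == "open" and token:
        status, body = fetch_challenge(host, token)
        print(status, body, "OK" if looks_like_key_authorization(body, token) else "unexpected body")
```

Run it from a device on a different network (phone hotspot, a VPN exit in another country) while certbot is paused; "timeout" from outside but "open" from inside is the firewall signature seen in this thread.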

Thanks for kind answers. I didn't know there are --debug-challenges arguments!

But, I can see the

even on the carrier's network

Screenshot below:

1 Like

I'm keeping certbot running, so maybe you can see it too :smiling_face_with_tear:

I still can't, neither can Let's Debug just now.

2 Likes

I timeout too with curl -i -m7 http://contest.walab.info

Do you have a firewall with a very narrow geographic restriction? I am trying from the US East Coast. Osiris probably from Europe.

4 Likes

Well, I just tried a service that tries from a bunch of places and none of them could connect.

4 Likes

I can connect from South Korea. So, must be a geographic firewall restricting to just that.

5 Likes

:100:

4 Likes

Thank you for your kind answers, guys :slight_smile:

I tried making a connection from Japan, the USA, and Spain using a VPN, and I see the connection is timed out.

As @MikeMcQ said, I also think there must be a firewall which rejects connections from outside.

For now, I think I should use another certificate provider.

You guys helped me a lot. Thanks!

3 Likes

Can't you use the dns-01 challenge instead of the http-01 challenge you're currently using? Usually, DNS is less shielded. It's also possible to use CNAME RRs (or NS RRs) to relay the validation requests to a location which is easier for you to control.

3 Likes

Hi, and sorry for late check :smiling_face_with_tear:

I just contacted the IT dept and they helped me to add a "TXT record" for the current domain!

Thank you :slight_smile:

2 Likes

Curious, was this a manual operation? As in you got the challenge token from certbot, and told the IT dept to place it in DNS?

2 Likes