Let's Encrypt Connection timed out

riba · February 3, 2020, 10:35am

Suddenly LE stopped working. It won’t renew or create new certificate. It creates .well-known dir and I can access it from web. Here is error log:

Traceback (most recent call last): File "/usr/share/webmin/webmin/acme_tiny.py", line 198, in <module> main(sys.argv[1:]) File "/usr/share/webmin/webmin/acme_tiny.py", line 194, in main signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact) File "/usr/share/webmin/webmin/acme_tiny.py", line 143, in get_crt raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e)) ValueError: Wrote file to /home/levis/domains/valti.si/public_html/.well-known/acme-challenge/OOMWbo3eMGydMzNmmHngoWt7Otm4X9D53F7jCBe15i0, but couldn't download http://valti.si/.well-known/acme-challenge/OOMWbo3eMGydMzNmmHngoWt7Otm4X9D53F7jCBe15i0: Error: Url: http://valti.si/.well-known/acme-challenge/OOMWbo3eMGydMzNmmHngoWt7Otm4X9D53F7jCBe15i0 Data: None Response Code: None Response: <urlopen error [Errno 110] Connection timed out>

I just can’t find solution. Please help. Thanks!

Joe · February 4, 2020, 8:38am

The error seems clear? The Let’s Encrypt validation server can’t reach that file on your server. Could be a variety of causes. Maybe DNS doesn’t resolve to the right IP, maybe your web server isn’t running, maybe you’ve got an application or redirect rule or proxy rule sucking up requests and so it can’t reach that file.

Make sure that directory (.well-known) is reachable on your server, and Let’s Encrypt validation will probably work.

riba · February 4, 2020, 8:48am

Yes it’s clear and I tried pinging and curl LE servers and it’s ok. I can also open .well-known from web. Here is one that fails to renew. There are two files in acme-challenge, is that ok? http://www.kult.si/.well-known/acme-challenge/SA7wA1slM3AbFZJ5H87-NfCRyqbVRhqWikBNxOqov3g

riba · February 4, 2020, 2:47pm

How much time does normally take to request new certificate? When I started using LE (in Virtualmin) few year ago it took few seconds. Lately it took few minutes. Was this normal or is it maybe a part of my problem which I am facing now? My server is behind Fortinet gateway and I am waiting for administrator to turn off SSL inspection to try if it’s maybe connected to my problem.

unborn · February 4, 2020, 6:55pm

it is stated on le website - just read it. I think but cannot say for sure, it should be full 5 working days, if not sure check it on their website or error logs on your server.

riba · February 5, 2020, 8:21am

Reinstalled Certbot and problem is fixed. And now it takes 5 seconds to renew, before this error it took few minutes always… idk what that was. Thanks anyway.

unborn · February 9, 2020, 2:13pm

hi, with updated to debian 10 today I discovered that apt install certobot is no option - gave me tons of email about fails… if you updated your distro , can you check it out again please and let me know? massive thanks

riba · February 9, 2020, 2:31pm

Hi, I am on Ubuntu 16.04 (Xenial) and will wait with upgrade for few months…