Description: You might encounter this issue when trying to renew the certificate using certbot.
Detail: 20.14.5.20: Fetching http://yourdomain.com/.well-known/acme-challenge/T49aGEx1qVb4M691qSTrZYtR7yFRpHOtPB3Kjl3iE8I: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the challenge files from the
temporary standalone webserver started by Certbot on port 80.
Ensure that the listed domains point to this machine and that it can accept
inbound connections from the internet.
Or
DEBUG:acme.standalone:Successfully bound to :80 using IPv6
DEBUG:acme.standalone:Certbot wasn’t able to bind to :80 using IPv4,
this is often expected due to the dual stack nature of IPv6 socket implementations.
Solution: Ensure that port 80 is open for Certbot traffic. The block is usually not in the Access Server itself but somewhere in the path that the traffic takes (for example a firewall or NAT device in front of the host).
Troubleshooting:
1. Confirm the error by reviewing the log for error messages similar to those listed above:
cat /var/log/letsencrypt/letsencrypt.log
2. Check whether port 80 is already used by any application on your Access Server host:
netstat -anlp|grep ":80"
You should receive empty output if no process on your host uses port 80.
If you see something like:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1099251/nginx
it means that an application on your host is already using port 80. The last column shows the PID and the name of that application.
3. Troubleshoot using tcpdump:
To install the tcpdump tool from the repositories:
- For Ubuntu/Debian:
apt install tcpdump
- For CentOS/RHEL:
yum install tcpdump
After installation, you can run a command such as the one below to capture packets sent to port 80 (to interrupt the capturing and end the dump, press Ctrl+C):
tcpdump -ni any port 80
If you see empty output, tcpdump was not able to capture any packets to TCP port 80. This can mean that no software on the host listens on port 80, that there is no traffic to port 80 at the moment, or that the traffic is blocked before it reaches the host.
If you see packets in the output, pay attention to the destination address: if it is the IP of your Access Server host, most probably some web server is running on the host.
4. Make sure that port 80 is really open by launching a simple HTTP server on the Access Server host and then browsing to it:
mkdir /tmp/tempweb/
echo "Port 80 is open" > /tmp/tempweb/index.html
cd /tmp/tempweb/
sudo python3 -m http.server 80
Then open http://yourdomain.com (plain HTTP, not HTTPS) from a client outside your network.
If everything is OK, the client should see the text "Port 80 is open". Stop the temporary server with Ctrl+C when you are done, otherwise it keeps port 80 occupied.
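As an added example (not part of the original article), the following POSIX shell script automates steps 1 and 2 above: it scans letsencrypt.log for the two error signatures quoted at the top and finds the exact process listening on TCP port 80. The log and netstat excerpts are constructed samples so the script runs offline; the token in the challenge URL is a placeholder.

```shell
#!/bin/sh
# Added triage helper for steps 1 and 2. Constructed sample data stands in for
# /var/log/letsencrypt/letsencrypt.log and `netstat -anlp` so the demo runs offline.

# Constructed netstat -anlp excerpt (not captured from a real host).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1099251/nginx
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      2345/python3
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           901/openvpn'

# Constructed letsencrypt.log excerpt carrying both signatures quoted in the article.
SAMPLE_LOG="DEBUG:acme.standalone:Successfully bound to :80 using IPv6
DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Detail: 20.14.5.20: Fetching http://yourdomain.com/.well-known/acme-challenge/PLACEHOLDER-TOKEN: Timeout during connect (likely firewall problem)"

# port80_listeners: read netstat -anlp output on stdin and print the PID/Program of
# every TCP socket in LISTEN state bound to port 80 exactly. Unlike `grep ":80"`,
# this does not match :8080 or other ports that merely contain "80".
port80_listeners() {
    awk '$1 ~ /^tcp/ && $4 ~ /:80$/ && $6 == "LISTEN" { print $7 }'
}

# certbot_log_signatures: read letsencrypt.log on stdin and print one tag per known
# signature found, or "no-known-signature" if neither appears.
certbot_log_signatures() {
    awk '
        /Timeout during connect/                { timeout = 1 }
        /wasn.t able to bind to :80 using IPv4/ { ipv4 = 1 }
        END {
            if (timeout) print "challenge-timeout: CA could not reach port 80; check the path (firewall/NAT)"
            if (ipv4)    print "ipv4-bind-skipped: Certbot bound :80 over IPv6 only (often expected on dual-stack hosts)"
            if (!timeout && !ipv4) print "no-known-signature"
        }'
}

# triage_live_host: the same checks against the real host (run as root so netstat can
# show PIDs). Not called below, so the demonstration stays offline.
triage_live_host() {
    certbot_log_signatures < /var/log/letsencrypt/letsencrypt.log
    netstat -anlp 2>/dev/null | port80_listeners
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | certbot_log_signatures
printf '%s\n' "$SAMPLE_NETSTAT" | port80_listeners
```

On a real host, call triage_live_host instead of the two demonstration lines.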
If you have additional questions, please submit a ticket.