Letsencrypt Timeout reasons

Posted on

Problem :

I am having problems when renewing my letsencrypt certificate.
I am using nginx and certbot for renewal.

Output is the following:

Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf 
produced an unexpected error:
Failed authorization procedure. example.com (http-01): urn:acme:error:connection :: 
The server could not connect to the client to verify the domain :: 
Fetching http://example.com/.well-known/acme-challenge/AUStfngCwdGL8Hel2jR0jG4wLZZjXi-s7AypLNWrECo: 
Timeout. Skipping.

Most peculiar my nginx – access log does not report any access at all whatsoever.

From the letsencrypt log:

2017-09-18 18:27:34,331:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/example/.well-known/acme-challenge
2017-09-18 18:27:34,334:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/example/.well-known/acme-challenge/AUStfngCwdGL8Hel2jR0jG4wLZZjXi-s7AypLNWrECo
2017-09-18 18:27:34,335:INFO:certbot.auth_handler:Waiting for verification...

If I create /var/www/example/.well-known/acme-challenge/AUStfngCwdGL8Hel2jR0jG4wLZZjXi-s7AypLNWrECo manually and connect via firefox, I can connect without problems. Also then the nginx-access log gets filled.
Nginx error log is empty in both cases.

In case it is of help, my nginx config for the site looks like this:

server {
listen 80;
listen [::]:80;

server_name example.com;

location /.well-known {
    root /var/www/example;

location / {
    return 301 https://$server_name$request_uri;


server {

listen 443 ssl;
listen [::]:443 ssl;


Honestly I am not really sure where to find any more clues as to what might be the matter.
Any of you have some ideas?

Solution :

So far I got messages like The server could not connect to the client to verify the domain :: only if the my DNS changes weren’t propagated to all DNS servers yet.

When you connect via Firefox to example.com/.well-known/ you are really go over the internet or is the address only known on your network?

If you do a dig @ example.com, is the name resolved to to the correct IP address?

Leave a Reply

Your email address will not be published. Required fields are marked *