Letsencrypt "Timeout during connect (likely firewall problem)" - but ports are open

Hello

I’m trying to perform an http validation and am receiving a “Timeout during connect (likely firewall problem)” error. Here’s the configuration:

  • OS: OpenMediaVault 4.1 (OMV)
  • Router: ASUS RT-N66U using OpenVPN for DNS service
  • The container is being pulled from “linuxserver/letsencrypt:latest”
  • Domain name (johnzilliox.com) purchased and managed through namecheap.com
  • The A record is assigned to my IP address, and the A record has been tested with dnschecker.org
  • The router has port forwarding configured for 80 and 443 to the server.
  • When I change the OMV web UI to port 80 or 443, it’s externally accessible at johnzilliox.com:80 and johnzilliox.com:443

Here are the commands I’m using to create and start the container:

docker stop letsencrypt

docker container rm letsencrypt

docker network rm letsencrypt

rm -rf /sharedfolders/containers/letsencrypt/*

docker network create letsencrypt

docker create \
  --name=letsencrypt \
  --cap-add=NET_ADMIN \
  --network=letsencrypt \
  -e PUID=1000 \
  -e PGID=100 \
  -e TZ=America/New_York \
  -e URL=johnzilliox.com \
  -e VALIDATION=http \
  -e EMAIL=admin@johnzilliox.com \
  -e ONLY_SUBDOMAINS=false \
  -p 443:443 \
  -p 80:80 \
  -v /sharedfolders/containers/letsencrypt:/config \
  --restart always \
  linuxserver/letsencrypt

docker start letsencrypt

docker logs -f letsencrypt

Here’s what the log looks like:

Summary

[s6-init] making user provided files available at /var/run/s6/etc…exited 0.
[s6-init] ensuring user provided files have correct perms…exited 0.
[fix-attrs.d] applying ownership & permissions fixes…
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts…
[cont-init.d] 01-envfile: executing…
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing…


      _         ()
     | |  ___   _    __
     | | / __| | |  /  \
     | | \__ \ | | | () |
     |_| |___/ |_|  \__/

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/

GID/UID

User uid: 1000
User gid: 100

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing…
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing…
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a RSA private key
…+++++
…+++++
writing new private key to ‘/config/keys/cert.key’

[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing…
Variables set:
PUID=1000
PGID=100
TZ=America/New_York
URL=johnzilliox.com
SUBDOMAINS=
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=admin@johnzilliox.com
STAGING=

Created donoteditthisfile.conf
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…+…++++++++
DH parameters successfully created - 2048 bits
No subdomains defined
E-mail address entered: admin@johnzilliox.com
http validation is selected
Generating new certificate
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: “is” with a literal. Did you mean “==”?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: “is” with a literal. Did you mean “==”?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: “is” with a literal. Did you mean “==”?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: “is” with a literal. Did you mean “==”?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:260: SyntaxWarning: “is” with a literal. Did you mean “==”?
if original_result is 0:
/usr/lib/python3.8/site-packages/digitalocean/LoadBalancer.py:19: SyntaxWarning: “is” with a literal. Did you mean “==”?
if type is ‘cookies’:
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:65: SyntaxWarning: “is” with a literal. Did you mean “==”?
if self.email is ‘’ or self.token is ‘’:
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:65: SyntaxWarning: “is” with a literal. Did you mean “==”?
if self.email is ‘’ or self.token is ‘’:
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:89: SyntaxWarning: “is” with a literal. Did you mean “==”?
if self.email is ‘’ or self.token is ‘’:
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:89: SyntaxWarning: “is” with a literal. Did you mean “==”?
if self.email is ‘’ or self.token is ‘’:
/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py:113: SyntaxWarning: “is” with a literal. Did you mean “==”?
if self.certtoken is ‘’ or self.certtoken is None:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for johnzilliox.com
Waiting for verification…
Challenge failed for domain johnzilliox.com
http-01 challenge for johnzilliox.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: johnzilliox.com
    Type: connection
    Detail: Fetching
    http://johnzilliox.com/.well-known/acme-challenge/IkP86S5nViIBXuihIvPVPPWXJZfAx2AUO8CktrHYkh8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

To me, the fact that I can reach the OMV web UI when it’s on 80 and 443 means that it shouldn’t be a communication issue between letsencrypt and the server. I’d really appreciate any kind of help here. Thanks!

Can you provide some logs? To clarify some: you are not normally running OMV on port 80 or 443, is that correct? So there is no port conflict?

let’s see your docker logs letsencrypt output please

Thanks for the reply. Yes, the OMV web UI has been changed to a port that isn’t 80 or 443. I only temporarily tested the ports with that service.

I tried to post another log, but I’m getting the error “Sorry, new users can only put 2 links in a post”, and apparently only images can be uploaded as attachments. Could you take a look at the log in the original post? I think that’s the full log. It’s just before the last paragraph, under “Summary”.

I apologize, I completely missed your logs there!

Nothing is really standing out to me. I am assuming that the public IP for your router is currently... I decided to delete this and assume your A record is correctly pointed to your actual router IP, and that you are allowing ports 80 and 443 through your firewall in addition to destination NAT for ports 80 and 443 to your docker host on your LAN? Based on your previous comments, I think you are, since you said when you put 80/443 on your OMV host itself, you can get to the GUI.

I would suggest running through https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/ and then joining us on discord to discuss in a more live manner.

Damn, I’m afraid to report that this is a case of port 80 being blocked by my ISP. Somewhat shamefully, I didn’t catch it because of hairpin NAT/NAT loopback. I should’ve been testing from a device not on the local wifi.

443 is not being blocked. Is it possible to use 443 for the http portion of the http-01 challenge?

Thanks

No, but you can do dns or duckdns validation (no ports required), then use 443 to access your server via https
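Putting the thread's two lessons together (test inbound ports from a device outside the LAN, since hairpin NAT makes a local test meaningless, and fall back to DNS validation when the ISP filters port 80), here is an added diagnostic in Python; it is not code from the thread or from the linuxserver image, and tcp_reachable, probe_ports, Probe and diagnose are hypothetical names, with the WAN IP and A-record IP supplied by you.

```python
"""Reachability diagnostic for an ACME http-01 setup (added example; hypothetical helpers)."""
import socket
from dataclasses import dataclass
from typing import List


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake with host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable, or no network at all
        return False


@dataclass
class Probe:
    port: int
    reachable: bool
    from_lan: bool  # client sits behind the same router as the server


def probe_ports(domain: str, from_lan: bool, ports=(80, 443)) -> List[Probe]:
    """Probe the ACME-relevant ports and record where the test ran from."""
    return [Probe(p, tcp_reachable(domain, p), from_lan) for p in ports]


def diagnose(probes: List[Probe], wan_ip: str, a_record_ip: str) -> str:
    """Reduce probe results to the conclusion a human would reach.

    Order matters: a wrong A record explains everything; a test from
    inside the LAN proves nothing, because hairpin NAT loops the
    connection back at the router and it never crosses the ISP's
    filter; only then do the externally observed ports count.
    """
    if wan_ip != a_record_ip:
        return "dns-mismatch"
    by_port = {p.port: p for p in probes}
    p80 = by_port.get(80)
    if p80 is None or p80.from_lan:
        return "inconclusive-hairpin-nat"
    if p80.reachable:
        return "http-01-should-work"
    p443 = by_port.get(443)
    if p443 is not None and p443.reachable and not p443.from_lan:
        return "port-80-blocked-use-dns-01"  # the situation this thread ended in
    return "no-inbound-ports"
```

Run probe_ports from a device that is not on the local network, then pass its result to diagnose together with the router's WAN address and the IP your A record resolves to.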