Can not set https Timeout during connect

1. Caddy version (caddy version):

2.1

2. How I run Caddy:

systemctl start

a. System environment:

centos7

b. Command:

paste command here

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

:80 {
        file_server
        root * /usr/share/nginx/html
        handle_path /api/* {
                reverse_proxy http://localhost:8070
        }
}

dcmzyl.decheng.gov.cn {
        handle_path /api/* {
                reverse_proxy http://localhost:8070
        }
}

http://dcmzyl.decheng.gov.cn {
        file_server
        root * /home/daijun/html
}

3. The problem I’m having:

{"level":"error","ts":1610515768.7723167,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"MYDEMOHOST.com","challenge_type":"http-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Fetching http://MYDEMOHOST/.well-known/acme-challenge/mhUfohCxKk0zwHHk59rHeYOAOKm8bLN6DuPbUKZU7pI: Timeout during connect (likely firewall problem)"}

4. Error messages and/or full log output:

Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"warn","ts":1610518186.5960596,"logger":"http","msg":"user server is listening on same interface as automatic HTTP->HTTPS redirects; user-configured routes might override these redirects","server_name":"srv0","interface":"tcp/:80"}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.596636,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["dcmzyl.decheng.gov.cn"]}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.596791,"logger":"tls","msg":"cleaned up storage units"}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.5968645,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.5968728,"msg":"serving initial configuration"}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.606195,"logger":"tls.obtain","msg":"acquiring lock","identifier":"dcmzyl.decheng.gov.cn"}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.6063805,"logger":"tls.obtain","msg":"lock acquired","identifier":"dcmzyl.decheng.gov.cn"}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.6069002,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["dcmzyl.decheng.gov.cn"]}
Jan 13 14:09:46 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"info","ts":1610518186.6069105,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["dcmzyl.decheng.gov.cn"]}
Jan 13 14:09:48 dcqmzj-jjyl-server0002.novalocal caddy[19335]: {"level":"error","ts":1610518188.2137086,"logger":"tls.obtain","msg":"will retry","error":"[dcmzyl.decheng.gov.cn] Obtain: [dcmzyl.decheng.gov.cn] creating new order: request to https://acme-v02.api.letsencrypt.org/acme/new-order failed after 1 attempts: HTTP 429 urn:ietf:params:acme:error:rateLimited - Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt - Free SSL/TLS Certificates (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":1.607310379,"max_duration":2592000}

5. What I already tried:

6. Links to relevant resources:

The server is behind a firewall, and only ports 80 and 443 are open.
And I checked my html directory; there is no .well-known/ directory created.

It’s clear you redacted your domain from your Caddyfile, but if you also didn’t have a space between the domain and the {, then things wouldn’t work. Whitespace is important in the Caddyfile.

Our forums rules ask that you do not redact your domain from your Caddyfile, because it’s often relevant to find the problem.

The latest version of Caddy is v2.3.0, so please upgrade.

Caddy doesn’t write that file anywhere to be served from a file server; it just serves it directly from memory (while writing the challenge values to the data directory).

Are you sure your DNS records correctly point to your server’s IP address? Are you sure you don’t have something else in the middle that might be causing a problem?

I did redact the Caddyfile. Now I have copied the original file, this time fully copied and not changed.

At this point, you’re stuck, because you’ve hit rate limits with Let’s Encrypt.

If you upgrade to Caddy v2.3.0, you’ll benefit from the automatic fallback to ZeroSSL, so it may work for you that way.

But still, it’s clear that there’s a problem somewhere between Let’s Encrypt and Caddy. You’ll need to determine what’s preventing the connection.

After upgrading to Caddy v2.3.0, I got this error:

2021/01/13 08:00:48.470 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "dcmzyl.decheng.gov.cn", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/17501877/220207608", "attempt": 2, "max_attempts": 3}
2021/01/13 08:00:55.907 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "dcmzyl.decheng.gov.cn", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2021/01/13 08:05:58.290 ERROR tls.obtain will retry {"error": "[dcmzyl.decheng.gov.cn] Obtain: [dcmzyl.decheng.gov.cn] solving challenges: [dcmzyl.decheng.gov.cn] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/HCsJctYBqMuigzX4pQojCA) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 6, "retrying_in": 1200, "elapsed": 3277.043422934, "max_duration": 2592000}
2021/01/13 08:26:03.503 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "dcmzyl.decheng.gov.cn", "challenge_type": "http-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/01/13 08:26:15.979 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "dcmzyl.decheng.gov.cn", "challenge_type": "http-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Fetching http://dcmzyl.decheng.gov.cn/.well-known/acme-challenge/MyAVHpoZ-wQOKIkwKPrDckJNAqXWAXyT1Y0xrDkfaO8: Timeout during connect (likely firewall problem)"}
2021/01/13 08:26:15.979 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "dcmzyl.decheng.gov.cn", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Fetching http://dcmzyl.decheng.gov.cn/.well-known/acme-challenge/MyAVHpoZ-wQOKIkwKPrDckJNAqXWAXyT1Y0xrDkfaO8: Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/17501877/220220137", "attempt": 1, "max_attempts": 3}
2021/01/13 08:26:17.841 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "dcmzyl.decheng.gov.cn", "challenge_type": "tls-alpn-01", "ca": "https://acme-staging-v02.api.letsencrypt.org/directory"}
2021/01/13 08:26:30.116 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "dcmzyl.decheng.gov.cn", "challenge_type": "tls-alpn-01", "status_code": 400, "problem_type": "urn:ietf:params:acme:error:connection", "error": "Timeout during connect (likely firewall problem)"}
2021/01/13 08:26:30.116 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "dcmzyl.decheng.gov.cn", "error": "authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Timeout during connect (likely firewall problem)", "order": "https://acme-staging-v02.api.letsencrypt.org/acme/order/17501877/220220260", "attempt": 2, "max_attempts": 3}
2021/01/13 08:26:39.937 INFO tls.issuance.acme.acme_client trying to solve challenge {"identifier": "dcmzyl.decheng.gov.cn", "challenge_type": "http-01", "ca": "https://acme.zerossl.com/v2/DV90"}
2021/01/13 08:31:41.821 ERROR tls.obtain will retry {"error": "[dcmzyl.decheng.gov.cn] Obtain: [dcmzyl.decheng.gov.cn] solving challenges: [dcmzyl.decheng.gov.cn] authorization took too long (order=https://acme.zerossl.com/v2/DV90/order/PSvOKVCFVfb7_bhCcjNnSw) (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 7, "retrying_in": 1200, "elapsed": 4820.573687033, "max_duration": 2592000}

I think the error is pretty clear (and it’s one we see a lot):

Timeout during connect (likely firewall problem)

100% of the time, this is a firewall problem (or some sort of network misconfiguration). It means that Let’s Encrypt wasn’t able to connect to your server. If you are in China, that is a likely reason. You could try using ZeroSSL just to see: Using ZeroSSL's ACME endpoint

Edit: Duh, now I see that Caddy fell back and tried ZeroSSL too, which also failed.

Yeah, definitely a problem with the network – could be China, or could be something closer to your server.
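The thread boils down to two facts: the CA (Let's Encrypt or ZeroSSL) has to open a TCP connection from the public internet to port 80 (http-01) or 443 (tls-alpn-01) of whatever the domain resolves to, and Caddy answers the http-01 request from memory rather than from a file under the site root. The script below is an added example, not code from the original post or from the Caddy project, that reproduces the CA's side of http-01: it resolves the name, attempts the plain TCP connect that fails with "Timeout during connect", fetches /.well-known/acme-challenge/<token> with the right Host header, and classifies the outcome. The in-memory challenge server is a stand-in for the behaviour described above, not Caddy's implementation, and the hostname, token and key-authorization strings are placeholders. Run the probe from a machine outside the firewall; run from the server itself it goes over loopback and proves nothing about what the CA sees.

```python
"""Reproduce an ACME http-01 validator's fetch and classify why it failed.
Added example (not Caddy's code); hostnames and tokens are placeholders."""
import http.client
import socket
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve(host):
    """Every address the name resolves to: the CA connects to one of these."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(exc):
    """Map a socket failure onto the wording the ACME error reports."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout during connect (likely firewall problem)"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused (port open in the firewall, nothing listening)"
    if isinstance(exc, socket.gaierror):
        return "dns resolution failed"
    if isinstance(exc, OSError):
        return "network error: %s" % exc
    return "error: %s" % exc


def tcp_reachable(host, port, timeout=5.0):
    """The bare TCP connect both http-01 (80) and tls-alpn-01 (443) need."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "reachable"
    except Exception as exc:  # noqa: BLE001 - we want every failure classified
        return classify(exc)


def probe_http01(host, token, port=80, timeout=5.0, connect_addr=None):
    """GET the challenge URL the way a CA does. connect_addr lets you hit one
    specific address while still sending the domain in the Host header."""
    addr = connect_addr or host
    try:
        conn = http.client.HTTPConnection(addr, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
    except Exception as exc:  # noqa: BLE001
        return {"ok": False, "status": None, "body": None, "detail": classify(exc)}
    return {"ok": resp.status == 200, "status": resp.status,
            "body": body, "detail": "HTTP %d" % resp.status}


class ChallengeHandler(BaseHTTPRequestHandler):
    """Serves token -> key authorization from memory, nothing on disk
    (hypothetical stand-in for the behaviour described in the thread)."""
    challenges = {}

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            token = self.path[len(CHALLENGE_PREFIX):]
            if token in self.challenges:
                body = self.challenges[token].encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the probe output readable
        pass


def start_challenge_server(challenges, host="127.0.0.1", port=0):
    """Start the in-memory responder on a background thread; port 0 = any free port."""
    handler = type("BoundHandler", (ChallengeHandler,), {"challenges": dict(challenges)})
    srv = HTTPServer((host, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    # Usage: python probe.py example.com   (run from OUTSIDE the firewall)
    host = sys.argv[1] if len(sys.argv) > 1 else "dcmzyl.decheng.gov.cn"
    print("resolves to:", resolve(host) or "nothing")
    for port in (80, 443):  # the two ports the poster says are open
        print("tcp/%d: %s" % (port, tcp_reachable(host, port)))
    print("http-01:", probe_http01(host, "probe-token")["detail"])
```

A "HTTP 404" from the probe is a healthy sign: the TCP and HTTP path to the server works and only the (fake) token is unknown. "timeout during connect" for both 80 and 443 from an outside vantage point matches the log lines above and means the packets never reach Caddy, which no Caddyfile change can fix.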