Error 400 Timeout during connect (likely firewall problem)


(Prathik Gopal) #1

Strange error, and I'm not able to get Caddy set up and I need some help.

ERROR BELOW:
Activating privacy features… 2018/08/23 17:49:32 [X.duckdns.org] failed to get certificate:
acme: Error 400 - urn:ietf:params:acme:error:connection -
Fetching http://X.duckdns.org/.well-known/acme-challenge/LG09hex6L3GOfMOrpqdnCujWLqR3I6eDzB3fkVCbqb8:
Timeout during connect (likely firewall problem)

My Port 80 and 443 are open for the server. Caddyfile is as below…

X.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / localhost:1000 {
        websocket
        transparent
    }
}

a.X.duckdns.org {
    proxy / localhost:4000 {
        websocket
        transparent
    }
}

(Matthew Fay) #2

Could be DNS not set correctly / not propagated.

You could test that quickly by running Caddy with the site on HTTP only and trying to connect. Change the site labels to http://X.duckdns.org and http://a.X.duckdns.org, then direct either your browser or cURL to that address.


(Prathik Gopal) #3

Hello Whitestrake,
Thank you for your time. I'm starting to feel like I'm getting somewhere: the suggestion worked, I was able to get it working over HTTP, and all my other pages also responded over HTTP.

I'm not sure I understand this, could you help me?

I also see the below error sometimes in my log, instead of the Error 400/firewall problem:

Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email me@gmail.com
2018/08/24 23:16:24 get directory at ‘https://acme-v01.api.letsencrypt.org/directory’: failed to get json “https://acme-v01.api.letsencrypt.org/directory”: Get https://acme-v01.api.letsencrypt.org/directory: net/http: TLS handshake timeout


(Prathik Gopal) #4

No go still. I had the ISP on call and checked my ports and confirmed all are good, so it's either my $250 router causing this or some wrong config in it.


(Matthew Fay) #5

Hmm, an interesting problem…

The error in your log is Caddy trying to connect outwards to LetsEncrypt. It might even be a rogue hop on the way between your Caddy host and LetsEncrypt dropping your traffic.

Lets remove LetsEncrypt from the question to test your ports are working as expected and try to rule out an issue with your network hardware.

Remove the http:// scheme from the site labels again, but add tls self_signed in each site definition. This will bring Caddy up with an invalid certificate, but you can test with curl -kIL X.duckdns.org and see if you get the expected redirection and then HTTPS response.


I can elaborate on this a little. In some setups where DNS can regularly change or has recently changed (common with DDNS services like Duck DNS), your local DNS resolver might have the updated IP address, but where LetsEncrypt’s servers are the DNS records might not have updated yet. When this happens, LE challenges the old address and naturally fails. This might be the case with yours, but it should have resolved itself in time - not to mention LetsEncrypt don’t cache DNS and are usually pretty quick off the mark with DNS updates, and the outbound connection error to LetsEncrypt indicates other issues.
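A small classifier for the two failure modes discussed above (an inbound challenge fetch timing out versus an outbound TLS handshake to Let's Encrypt timing out), which tells you which side of the network to test. This is an added example written for this thread, not code from Caddy or from either poster; the log lines are constructed to mirror those quoted in posts #1 and #3, and the regexes assume the Caddy v1 log wording shown there.

```python
"""Classify Caddy v1 ACME failure log lines into inbound vs outbound network problems."""
import re
from urllib.parse import urlparse

# Constructed sample lines modelled on the two errors quoted in the thread.
SAMPLE_LOG = [
    "2018/08/23 17:49:32 [X.duckdns.org] failed to get certificate: acme: Error 400 - "
    "urn:ietf:params:acme:error:connection - Fetching "
    "http://X.duckdns.org/.well-known/acme-challenge/TOKEN: "
    "Timeout during connect (likely firewall problem)",
    "2018/08/24 23:16:24 get directory at 'https://acme-v01.api.letsencrypt.org/directory': "
    "failed to get json: Get https://acme-v01.api.letsencrypt.org/directory: "
    "net/http: TLS handshake timeout",
    "2018/08/24 23:16:30 [a.X.duckdns.org] served from cache",  # unrelated line
]

# HTTP-01 validation: Let's Encrypt could not reach *our* port 80 (inbound path).
CHALLENGE_RE = re.compile(r"Fetching (?P<url>https?://\S+?):\s*(?P<reason>.*)$")
# Directory fetch: Caddy could not reach Let's Encrypt (outbound path); quotes may be curly.
DIRECTORY_RE = re.compile(r"get directory at ['\u2018](?P<url>[^'\u2019]+)['\u2019].*?:\s*(?P<reason>[^:]+)$")


def classify(line):
    """Return a dict naming the failing direction, endpoint and what to verify, or None."""
    m = CHALLENGE_RE.search(line)
    if m:
        u = urlparse(m.group("url"))
        port = u.port or (443 if u.scheme == "https" else 80)
        return {"direction": "inbound", "host": u.hostname, "port": port,
                "reason": m.group("reason").strip(),
                "check": f"from an external network, TCP-connect to {u.hostname}:{port} "
                         f"and GET {u.path}"}
    m = DIRECTORY_RE.search(line)
    if m:
        u = urlparse(m.group("url"))
        return {"direction": "outbound", "host": u.hostname, "port": u.port or 443,
                "reason": m.group("reason").strip(),
                "check": f"from the Caddy host, complete a TLS handshake to {u.hostname}:{u.port or 443}"}
    return None


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        result = classify(entry)
        if result:
            print(f"{result['direction']:8} {result['host']}:{result['port']} "
                  f"({result['reason']}) -> {result['check']}")
```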


(Prathik Gopal) #6

thanks again for your time,

I was able to activate Caddy with tls self_signed and it indeed does bring up an invalid certificate. I had to enable port 2015 to access the page over HTTPS, but I saw your explanation elsewhere in this community on why self-signed cannot be hosted on 443.

curl: (7) Failed to connect to X.duckdns.org port 80: connection refused.

If I include the port in the command, curl -kIL X.duckdns.org:2015, then it says

curl: (8) Weird server reply

Oh ok :+1:, I tried even DDNS and No-IP… still the same, I think they are all the same when it comes to this issue… I tried running port 80 to the NVR and it looks like my port 80 is blocked from the ISP end, as I'm unable to connect to port 80 from any external network.


(Matthew Fay) #7

Ahh, my mistake. You can host self-signed on port 443, you just have to do it explicitly in the Caddyfile (and it won’t be valid of course).

Using http://X.duckdns.org, https://X.duckdns.org as your site label will do that, but you’ll have to set up HTTP->S redirection manually (Caddy usually handles it for you when Automatic HTTPS is enabled).

I think this one’s because curl infers HTTP from your request when it’s actually HTTPS. Try curl -kIL https://X.duckdns.org:2015 with this setup or just https://X.duckdns.org if you change your Caddyfile label to serve the site over 443.

That’s unfortunate. It would handily explain why you weren’t able to complete the ACME challenge.


(Prathik Gopal) #8

Hello Whitestrake, thank you for everything. After a long journey and many calls with the ISP, I found the ISP was blocking the ports. I got port 80 and 443 released and it's all working now. I wanted to thank you for your help. :slight_smile: