[SOLVED] Digitalocean, Certmagic - Timeout during connect, Error 400

Thomas_Vilotte · January 13, 2020, 10:37am

Hi Mholt and everyone,

Before everything, I’m not a Caddy user, I’m only using the Certmagic pkg.
I can’t generate the certificate for a domain (chante-oiseau.com), I keep getting a timeout error on three attempts, using both ACME staging and production endpoints.

NOTE:

I’m running a Debian 10 VM on Digitalocean.
Name Servers are configured to point from my registar to DO.
A and AAAA records are double checked on my DO droplet configuration.
Go binary have capabilities to bind to low ports.
No firewall are active.
Self signed certificate is working using go stdlib, you can see it live chante-oiseau.com:
log.Fatal(h.ListenAndServeTLS(certPath, keyPath))

This is the error part on iteractive mode:

2020/01/13 09:05:47 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/2263102554
2020/01/13 09:05:47 [ERROR][chante-oiseau.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
[chante-oiseau.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: (attempt 1/3; challenge=tls-alpn-01)

This is one of the acme API report:

{
  "identifier": {
    "type": "dns",
    "value": "chante-oiseau.com"
  },
  "status": "invalid",
  "expires": "2020-01-20T09:06:03Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/2263108791/p5SqYg",
      "token": "dWTh4JLBkWZfVwc_f3D9yPUg2rKwhtgRtr4147O8SlE",
      "validationRecord": [
        {
          "hostname": "chante-oiseau.com",
          "port": "443",
          "addressesResolved": [
            "68.183.75.93",
            "2a03:b0c0:3:e0::7c:2001"
          ],
          "addressUsed": "2a03:b0c0:3:e0::7c:2001"
        }
      ]
    }
  ]
}

This is a simplified version of my http server:

const (
  const_server_read_timeout = 30 * time.Second
  const_server_write_timeout = 30 * time.Second
  const_server_max_header_bytes = 1 << 20
)

  h := &http.Server{
    ReadTimeout: const_server_read_timeout,
    WriteTimeout: const_server_write_timeout,
    MaxHeaderBytes: const_server_max_header_bytes,
  }

  certmagic.Default.Agreed = true

  if config.Current.AcmeDevelopment {
    certmagic.Default.CA = certmagic.LetsEncryptStagingCA
  } else {
    certmagic.Default.CA = certmagic.LetsEncryptProductionCA
  }

  certmagic.Default.Email = config.Current.Email

  h.Handler = certmagic.NewDefault().HTTPChallengeHandler(mux.handle())

  listener, err := certmagic.Listen(config.Current.Domains)
  if err != nil {
    log.Fatalf("Generating TLS listener: %s", err)
  }

  log.Fatal(h.Serve(listener))

Hope someone can give me a clue about this one.
Have a nice day. Regards, Thomas.

Whitestrake · January 14, 2020, 3:54am

Howdy @Thomas_Vilotte,

Your clue is over here:

This means LetsEncrypt is saying they got your request for a cert for chante-oiseau.com, they looked up the domain in public DNS, followed the authoritative name server to an IP address, but when they got there and tried to connect on port 443 (for TLS-ALPN-01 challenge), the server never responded. Either the server IS there at that IP address and is firewalled (i.e. configured to drop the incoming packets entirely and never respond), or maybe the IP address on your DNS records is wrong.

Thomas_Vilotte · January 14, 2020, 8:21am

Dear Whitestrake thank you for your answer !

I finally found the problem.

On DigitalOcean when you instantiate a new droplet (VM) they prompt you for ipv6, if you leave this part you can later add a public ipv6, which I did. But in the case you choose to add the ipv6 connectivity later on (not at creation time), you have to edit your droplet networking i/o and reboot. This is the part I missed…

Here is the tutorial, the Enable IPv6 on Existing Droplets one

Of course Certmagic is now working like a charm
Thank you once again. Have a nice day !

Regards. Thomas.

system · April 13, 2020, 8:21am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.