Timeout during connect (likely firewall problem)
-
Hello everyone, I have tried them all. The ACME procedure always stops with the usual error:
Fetching http://xxxxxxx.ddns.net/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxx: Timeout during connect (likely firewall problem)
Port 80 open
Redirect disabled
Port 443 open
This: http://xxxxxxx.ddns.net/, or actually "xxxxxxx.ddns.net", should resolve to an A record (or AAAA).
"DNS" (mine, yours, and the one ACME (Let's Encrypt) uses) should resolve "xxxxxxx.ddns.net" to an IP address, an IP address which has port "80" open, so a (mini) web server replies, and will answer when a request comes in asking for this file:
.well-known/acme-challenge/xxxxxxxxxxxxxxxxxx
If Let's Encrypt gets this file, it will load it and check if the content matches what it has given to ACME. The thing is: Let's Encrypt was 'asking' on "xxxxxxx.ddns.net", the IP address, but found the door closed.
Normally, "xxxxxxx.ddns.net" points to your WAN IP, so you need to have a firewall rule on your WAN that permits TCP traffic on port 80 to come in so it can reach the ACME web server instance, which receives the request and answers it.
Keep in mind that ACME will fire up a mini web server, but will not handle any firewall stuff for you. If you have an ISP router in front of your pfSense, you will have to "NAT" that router also.
You also have to deal with the fact that pfSense itself uses port 80 for GUI access, so you will have to move that, as the GUI listens on all interfaces, WAN included (!).
By now, you will probably think: "hey, this (stand-alone) ACME web server method isn't that good at all". And that's correct. It's a method that you really don't want to use, as you need to manually prepare the renewal every time. You don't want to leave your port 80 TCP open to the net all the time.
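The reply above describes what the HTTP-01 validator does (resolve the name, connect to port 80, fetch /.well-known/acme-challenge/<token>, compare the body). The script below is an added self-check written for this thread, not code from the pfSense ACME package or from Let's Encrypt. It replays those steps and classifies the outcome so you can tell a DNS problem from a closed port from a wrong file. The token and key authorization strings are constructed placeholders, and the built-in responder stands in for the package's stand-alone web server. To diagnose a real "Timeout during connect", run check_http01() against your ddns name from a host outside your own network, since a check from the LAN may never cross the WAN firewall rule you are trying to verify.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_host(hostname):
    """Return the A/AAAA addresses a validator would try for hostname, in order."""
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    addrs = []
    for info in infos:
        if info[4][0] not in addrs:
            addrs.append(info[4][0])
    return addrs


def check_http01(hostname, token, expected_body, port=80, timeout=5.0):
    """Replay the HTTP-01 fetch and classify it.

    Returns "dns_failed", "connect_failed" (nothing listening or a firewall
    dropping the SYN, the thread's symptom), "http_error" (reached a web
    server, but it did not serve the token), "mismatch" or "ok".
    """
    addrs = resolve_host(hostname)
    if not addrs:
        return "dns_failed"
    last = "connect_failed"
    for addr in addrs:
        # Connect to the resolved address but send the real name in Host:,
        # the way the validator does, so name-based virtual hosts still match.
        host_hdr = hostname if port == 80 else f"{hostname}:{port}"
        url_host = f"[{addr}]" if ":" in addr else addr
        url = f"http://{url_host}:{port}{CHALLENGE_PREFIX}{token}"
        req = urllib.request.Request(url, headers={"Host": host_hdr})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace").strip()
        except urllib.error.HTTPError:      # must precede URLError (its parent)
            last = "http_error"
            continue
        except (urllib.error.URLError, OSError):  # refused, timed out, unreachable
            last = "connect_failed"
            continue
        return "ok" if body == expected_body else "mismatch"
    return last


class _ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the ACME package's stand-alone responder."""
    tokens = {}  # token -> key authorization body to serve

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            token = self.path[len(CHALLENGE_PREFIX):]
            if token in self.tokens:
                body = self.tokens[token].encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_responder(tokens, host="127.0.0.1", port=0):
    """Serve the given tokens on a background thread; returns (server, port)."""
    _ChallengeHandler.tokens = dict(tokens)
    srv = http.server.HTTPServer((host, port), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Exercise the classifier against the local responder (constructed data)."""
    token = "EXAMPLE_TOKEN"                 # constructed, not a real ACME token
    keyauth = "EXAMPLE_TOKEN.thumbprint"    # constructed key authorization
    srv, port = start_responder({token: keyauth})
    try:
        results = {
            "reachable": check_http01("127.0.0.1", token, keyauth, port=port),
            "wrong_token": check_http01("127.0.0.1", "other", keyauth, port=port),
            "wrong_content": check_http01("127.0.0.1", token, "stale", port=port),
        }
    finally:
        srv.shutdown()
        srv.server_close()
    # With the responder gone, the port is closed: the "door closed" case.
    results["closed_port"] = check_http01("127.0.0.1", token, keyauth, port=port, timeout=2)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A "connect_failed" against your public name from outside, while the same check against the WAN address from inside the LAN succeeds, is the signature of the missing WAN firewall rule (or missing port forward on an upstream ISP router) the reply describes; an "http_error" means something on port 80 did answer, typically the GUI or another web server, so the ACME responder is not the one receiving the request.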