Acme cert help - 400 timeout
-
Greetings. I've been working the past few days to get a cert on my FW to no avail.
I am using port 80 standalone server mode. I've narrowed the issue down to this section:
"type": "http-01", "status": "invalid", "error": { "type": "urn:acme:error:connection", "detail": "Fetching http://secure.pardigital.net/.well-known/acme-challenge/3-i-fYswlY_QOk0wOCID81zpuUzfUAzyCuCTu66-XLQ: Timeout", "status": 400
-
Hi,
Seems to me that http://secure.pardigital.net is redirected (NATted?) to some web server "Welcome to nginx on Fedora!" behind (?) pfSense.
You saw https://doc.pfsense.org/index.php/ACME_package? What method are you using? "webroot" or http-01 isn't a good plan, choose another one like "FTP Webroot".
The directory and file ".well-known/acme-challenge/3-i-fYswlY_QOk0wOCID81zpuUzfUAzyCuCTu66-XLQ" would be created on that server, and the ACME test will proceed.
-
The Nginx welcome page popped up due to me removing the NAT needed for this to work.
I'm using the FTP method and I am still getting HTTP timeouts. From the logs it seems that it successfully uploads the file to my local FTP server, but then Let's Encrypt attempts to pull the file via HTTP, same as the standalone web server method. This times out consistently, and I have no log info of what goes on after the file is uploaded via FTP. It does not make sense (to me) that the webroot FTP method also requires port 80 open to the firewall…
-
Hi,
Upfront, I'm not an ACME (or Let's Encrypt) expert, but this is how I think it works:
The FTP method gives the acme script a way to put in place the needed files to check. These files were made by Let's Encrypt, handed over by an HTTP (or HTTPS) request and then put in place somewhere. The method is: manual DNS record adding, or automatically when you choose the 'nsupdate' method, or the FTP method for a remote (not local) web server, which is your case I guess, or some more methods.
Once the files are in place, the acme script signals Let's Encrypt it's ready. From their side, an HTTP request is made to test if the files with the special info are present in the designated place. I guess you could very well leave the NATting in place to your web server. The FTP method is perfect to put the directories and files in place on that server, your nginx web server. You'll be needing an FTP service running on this server of course.
By no means will Let's Encrypt use FTP to access and check these files. Remember FTP, as such, is an old protocol and considered dead. Far better is SFTP access, btw (much simpler).
-
Should that URL be open to the world? I can't reach it on port 80 over IPv4 or IPv6 right now. Perhaps the validation servers at Let's Encrypt also can't reach it?
Since it's a timeout, I would focus on firewall rules or other access rules, maybe even routing upstream, anything that could prevent LE from reaching your web server on port 80. Maybe you have something like pfBlocker filtering access or geoblocking?
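To make the mechanism the two replies above describe concrete, here is an added example (not code from this thread, the pfSense ACME package, or Let's Encrypt) that does what the CA does for an http-01 challenge per RFC 8555: it derives the key authorization from the account key's RFC 7638 thumbprint, drops the token file into a webroot (which is all the FTP webroot method achieves on the remote server), then fetches it over plain HTTP and classifies the outcome. The account JWK values, the temporary webroot and the localhost listeners are constructed for the demo; the token is the one from the error in the first post. The last case is a listener that completes the TCP handshake but never answers, which is what a "Fetching ...: Timeout" looks like from the CA's side.

```python
"""Added example: reproduce what a CA does for an ACME http-01 challenge (RFC 8555).
Assumptions: a constructed EC account JWK, a throwaway http.server on localhost standing
in for the nginx box, and the token from this thread. Nothing here contacts Let's Encrypt."""
import base64
import hashlib
import json
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the key's required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects to read at http://<host>/.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def publish(webroot: str, token: str, keyauth: str) -> str:
    """Drop the challenge file into a webroot: this is all the FTP webroot method does."""
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    full = os.path.join(path, token)
    with open(full, "w") as fh:
        fh.write(keyauth)
    return full


def validate(base_url: str, token: str, expected: str, timeout: float = 5.0) -> str:
    """Fetch the token over plain HTTP the way the CA does and classify the outcome."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as err:      # server answered, but not with the file
        return f"http-{err.code}"
    except OSError as err:                     # URLError (wrapped) or a raw socket error
        reason = getattr(err, "reason", err)
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"                   # the 'Fetching ...: Timeout' outcome
        return "connection"                    # e.g. connection refused / REJECT
    return "valid" if body == expected else "mismatch"


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):              # keep demo output clean
        pass


def serve(webroot: str) -> ThreadingHTTPServer:
    """Throwaway HTTP server on an ephemeral localhost port, standing in for nginx."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Happy path plus the failure modes discussed in the thread."""
    # Constructed account key: only the thumbprint arithmetic matters, not the key itself.
    jwk = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
    token = "3-i-fYswlY_QOk0wOCID81zpuUzfUAzyCuCTu66-XLQ"   # token from the error above
    keyauth = key_authorization(token, jwk)
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        publish(webroot, token, keyauth)
        srv = serve(webroot)
        base = f"http://127.0.0.1:{srv.server_port}"
        results["published"] = validate(base, token, keyauth)
        results["missing"] = validate(base, "not-the-token", keyauth)
        results["wrong_content"] = validate(base, token, keyauth + "x")
        srv.shutdown()
        srv.server_close()
        results["closed"] = validate(base, token, keyauth)   # nothing listening: refused
    # Listener that accepts the TCP handshake into its backlog but never answers; a silent
    # drop upstream looks identical from the CA's side.
    black_hole = socket.socket()
    black_hole.bind(("127.0.0.1", 0))
    black_hole.listen(1)
    silent = f"http://127.0.0.1:{black_hole.getsockname()[1]}"
    results["silent"] = validate(silent, token, keyauth, timeout=0.5)
    black_hole.close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

Run from a host outside your own network with `base` pointed at your real hostname and a file you placed by FTP, the distinction between "connection" and "timeout" is the useful bit: refused means something answered and said no (a REJECT rule, nothing bound to port 80), while a timeout means packets are being dropped somewhere on the path, which matches the error the CA returned and points at NAT, firewall or upstream filtering rather than at the FTP upload.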