Issue with renew letsencrypt ssl cert. acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during conne

eidosgal 2020-12-13 19:42:18 UTC #1

Keywords: Nginx - AWS - Technical issue - Secure Connections (SSL/HTTPS)
bnsupport ID: c85d7293-b401-c8af-c8f1-c02cec0cb173
Description:
Hello! I have expired cert, and two days with school magic tricks practice without results. Structure of my server: AWS nginx Bitnami - elastic ip -AWS hostzone records + AWS s3 bucket set for redirect www....net to no www....net

I did manually renew commands (Which I always did for several years every 3 months - auto renew with cerbot I can't set ):
sudo /opt/bitnami/ctlscript.sh stop
sudo /opt/bitnami/letsencrypt/lego --tls --email="mymail@gmail.com" --domains="mydomain.net" --domains="www.mydomain.net" --path="/opt/bitnami/letsencrypt" run

I get error:
Could not obtain certificates:
error: one or more domains had a problem:
[www.eidosfilm.net] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url:

bitnami.conf (two variants)
1st
--
# HTTP server

server {
    listen       80;
    server_name  localhost;

    #include "/opt/bitnami/nginx/conf/bitnami/phpfastcgi.conf";

    include "/opt/bitnami/nginx/conf/bitnami/bitnami-apps-prefix.conf";
}

# HTTPS server

server {
   listen       443 ssl;
   server_name  localhost;

   ssl_certificate      server.crt;
   ssl_certificate_key  server.key;

   ssl_session_cache    shared:SSL:1m;
   ssl_session_timeout  5m;

   ssl_ciphers  HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers  on;

   #include "/opt/bitnami/nginx/conf/bitnami/phpfastcgi.conf";

   include "/opt/bitnami/nginx/conf/bitnami/bitnami-apps-prefix.conf";
}


include "/opt/bitnami/nginx/conf/bitnami/bitnami-apps-vhosts.conf";

--
2nd variant
--

HTTP server

server {
    listen       80;
    server_name  localhost;
    return 301 https://mydomain.net$request_uri;
    #include "/opt/bitnami/nginx/conf/bitnami/phpfastcgi.conf";

    include "/opt/bitnami/nginx/conf/bitnami/bitnami-apps-prefix.conf";
}

# HTTPS server

server {
   listen       443 ssl;
   server_name  localhost;
   if ($host != "mydomain.net") {
     return 301 https://mydomain.net$request_uri;
 }

   ssl_certificate      server.crt;
   ssl_certificate_key  server.key;

   ssl_session_cache    shared:SSL:1m;
   ssl_session_timeout  5m;

   ssl_ciphers  HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers  on;

   #include "/opt/bitnami/nginx/conf/bitnami/phpfastcgi.conf";

   include "/opt/bitnami/nginx/conf/bitnami/bitnami-apps-prefix.conf";
}


include "/opt/bitnami/nginx/conf/bitnami/bitnami-apps-vhosts.conf";

I checked:
firewall - 22, 80, 443 opened inbound
--
(with stop nginx) sudo netstat -tulpn
bitnami@ip-1*2-1-2-25*:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 597/sshd
tcp6 0 0 :::22 :::* LISTEN 597/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 364/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 14847/chronyd
udp6 0 0 fe80::837:bfff:fef6:546 :::* 449/dhclient
udp6 0 0 ::1:323 :::* 14847/chronyd
--
bitnami@ip-1*2-1-2-25*:~$ sudo /opt/bitnami/ctlscript.sh start
/opt/bitnami/mysql/scripts/ctl.sh : mysql started at port 3306
/opt/bitnami/php/scripts/ctl.sh : php-fpm started
/opt/bitnami/nginx/scripts/ctl.sh : Nginx started
bitnami@ip-1*2-1-2-25*:~$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 11445/nginx: master
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 11375/mysqld.bin
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 11445/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 597/sshd
tcp6 0 0 :::33060 :::* LISTEN 11375/mysqld.bin
tcp6 0 0 :::22 :::* LISTEN 597/sshd
udp 0 0 0.0.0.0:68 0.0.0.0:* 364/dhclient
udp 0 0 127.0.0.1:323 0.0.0.0:* 14847/chronyd
udp6 0 0 fe80::837:bfff:fef6:546 :::* 449/dhclient
udp6 0 0 ::1:323 :::* 14847/chronyd
--
The same result with
https://www.yougetsignal.com/tools/open-ports/

ls -la /opt/bitnami/letsencrypt

total 33556
drwxr-xr-x 5 root root 4096 Jun 13 2020 .
drwxr-xr-x 19 root root 4096 Dec 12 23:25 ..
drwx------ 3 root root 4096 Jun 13 2020 accounts
drwx------ 2 root root 4096 Jun 13 2020 certificates
-rwxr-xr-x 1 root root 34340864 May 11 2020 lego
drwxr-xr-x 2 root root 4096 Jun 1 2020 scripts

sudo /opt/bitnami/bnsupport-tool

So, how I can understand all nessasary ports are open, and in this case I haven't ideas.. Can you help me, please.

michiel 2020-12-14 10:07:12 UTC #2

Hi @eidosgal,

It seems port 80 and 443 of your instance are not publicly accessible. You can check it with the following command:

sudo nc -zv -w5 IP_ADDRESS

Replace IP_ADDRESS with your actual IP.

Can you check your firewall settings in your EC2 dashboard?

Regards,
Michiel

eidosgal 2020-12-14 13:30:53 UTC #3

Thank you, Michiel!
Results:

sudo nc -zv -w5 IP_ADDRESS
$ sudo nc -zv -w5 1IP_ADDRESS 22 80 443
Connection to IP_ADDRESS 22 port [tcp/ssh] succeeded!
nc: connect to IP_ADDRESS port 80 (tcp) failed: Connection refused
nc: connect to IP_ADDRESS port 443 (tcp) failed: Connection refused

EC2 dashboard
Security groups
Settings the same for all ports
80 TCP 0.0.0.0/0 WordPress with NGINX and SSL Certified by Bitnami and Automattic-5-4-1-1-r02 on Debian 10-AutogenByAWSMP-
22 TCP 0.0.0.0/0 WordPress with NGINX and SSL Certified by Bitnami and Automattic-5-4-1-1-r02 on Debian 10-AutogenByAWSMP-
443 TCP 0.0.0.0/0 WordPress with NGINX and SSL Certified by Bitnami and Automattic-5-4-1-1-r02 on Debian 10-AutogenByAWSMP-

michiel 2020-12-15 11:56:53 UTC #4

Hi @eidosgal,

Can you check the following guide for manually renewing the certificate? Also, you need to stop Nginx before renewing so the ports won't be blocked:

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

Regards,
Michiel

system 2020-12-29 11:56:58 UTC #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!