Certbot, HTTPS, and Timeout Error

If you use Let’s Encrypt as your SSL certificate authority, it is paramount that you implement an automatic certificate renewal procedure.

Very helpful tutorial from Mac Strategy – How To Setup Let’s Encrypt For OS X / macOS + Server 5.x

When setting up or renewing your SSL certificates, you may encounter a problem with certbot giving you the following error:

Timeout, https://www.example.com (http-01):
urn:acme:error:connection :: The server could not connect to
the client to verify the domain 

This may be happening if you ONLY have the HTTPS version of your website configured OR if you use http::REDIRECT to redirect to HTTPS without letting the GET request connect to a HTTP version of your site.

certbot, as default, can only validate your website via HTTP on port 80. The easiest solution would be to provide an HTTP version of your website. This may be less than ideal for many setups where port 80 is inundated with DDoS attacks – so it seems.

In reality, if port 80 is served by the same software that serves port 443, having port 80 open does not increase the amount of risk. Rather, it is a reminder that one should not rely on the illusion that HTTPS alone will prevent a hack. Your website design should be more resilient in that it would protect against ALL web based attacks.

A message from Let’s Encrypt regarding Port 80: Best Practice – Keep Port 80 Open

So open up port 80, setup your webserver to answer to HTTP requenst, and renew your Let’s Encrypt SSL certificates using certbot. And go add some security features to your website while your at it.

For WordPress sites like this, you can use the WP Force SSL plugin to reroute all HTTP request to HTTPS via script. That means, any non-Wordpress request like certbot’s will be processed via HTTP.