Access log shows file correctly accessed, but I am getting error during secondary validation for subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
sudo certbot certonly --manual

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):
Requesting a certificate for

Create a file containing just this data:


And make it available on your web server at this URL:

Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Type: connection
Detail: During secondary validation: Fetching Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.8.0

I can access the file myself and the apache2 server access log also shows error code 200. - - [21/Dec/2023:20:36:03 +0530] "GET /.well-known/acme-challenge/aJ8XBDVEq0n3obGX5O3H_ApKy2qxMk_CjT9J1jSxv6A HTTP/1.1" 200 376 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +"

You should be seeing at least three requests, from various points around the world. So you presumably have a firewall that's blocking some of them. Maybe something geolocation-based?
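A defender-side check for the point above, added here as an example and not code from any reply in this thread: it parses Apache access-log lines, keeps only fetches of /.well-known/acme-challenge/ made by the Let's Encrypt validation user agent, and flags tokens that were fetched from fewer than three distinct source IPs (the "secondary validation" never arrived) or with a non-200 status. The log lines, IPs and placeholder tokens are constructed, and the threshold of three vantage points is an assumption taken from the reply above.

```python
import re
from collections import defaultdict

# Apache combined log format, matching the access-log line quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
# Assumed threshold: the CA fetches from a primary plus several remote vantage points.
MIN_DISTINCT_SOURCES = 3

def summarize_acme_hits(lines):
    """Group Let's Encrypt challenge fetches by token: distinct source IPs and statuses."""
    by_token = defaultdict(lambda: {"ips": set(), "statuses": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(CHALLENGE_PREFIX):
            continue
        if "Let's Encrypt validation server" not in m["ua"]:
            continue  # your own curl/browser test is not evidence the CA got through
        token = m["path"][len(CHALLENGE_PREFIX):]
        by_token[token]["ips"].add(m["ip"])
        by_token[token]["statuses"].add(int(m["status"]))
    return by_token

def diagnose(lines):
    """Per token: 'ok', 'partial-reachability' (too few vantage points) or 'bad-status'."""
    verdicts = {}
    for token, info in summarize_acme_hits(lines).items():
        if info["statuses"] != {200}:
            verdicts[token] = "bad-status"
        elif len(info["ips"]) < MIN_DISTINCT_SOURCES:
            verdicts[token] = "partial-reachability"  # some validators never reached us
        else:
            verdicts[token] = "ok"
    return verdicts

def _line(ip, path, status, ua=LE_UA):
    # Constructed access-log line; IPs below are RFC 5737 documentation addresses.
    return f'{ip} - - [21/Dec/2023:20:36:03 +0530] "GET {path} HTTP/1.1" {status} 376 "-" "{ua}"'

TOKEN_A = "aJ8XBDVEq0n3obGX5O3H_ApKy2qxMk_CjT9J1jSxv6A"  # token from the quoted log line
SAMPLE_LOG = [  # constructed sample input, not real traffic
    _line("192.0.2.10", CHALLENGE_PREFIX + TOKEN_A, 200),  # only one validator got through
    _line("203.0.113.7", CHALLENGE_PREFIX + TOKEN_A, 200, "curl/8.4.0"),  # admin's own check
    *[_line(ip, CHALLENGE_PREFIX + "TOKEN_B_PLACEHOLDER", 200)
      for ip in ("192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.9")],
    _line("192.0.2.10", CHALLENGE_PREFIX + "TOKEN_C_PLACEHOLDER", 404),  # file not where expected
]
```

Run `diagnose` over the real /var/log/apache2/access.log lines; a token marked partial-reachability with a 200 status is exactly the "works for me, fails for the CA" pattern this thread describes, which points at a firewall or routing filter rather than the challenge file.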



Whenever possible, I like to use shell accounts on personal Cloud Servers to test the files are correctly served.

Often there is some firewall or routing rule on the Server or within the Office that makes everything appear to work for everyone in an organization/office - but makes everything fundamentally broken for the public internet.


Your topic states "error during secondary validation".
That clearly implies that some IPs are unable to reach your web server.

I don't know enough about your systems to be sure.
It could be a routing problem, an IP blocking program/service, etc.
But I am sure about the lack of access.


Hello @pratyushrathore

Looks like Ports 80 & 443 are filtered; Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443
Starting Nmap 7.94SVN ( ) at 2023-12-21 19:03 PST
Nmap scan report for (
Host is up (0.45s latency).

80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds

Thus there is no way for anyone (including Let's Encrypt) to access

Do you have 1 or more firewalls? They each need to let Port 80 pass for the HTTP-01 challenge.
"The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard."



Thank you very much for your reply. Apparently, the server was being experimented upon last night. On restoring the server,

nmap -Pn -p80,443
Starting Nmap 7.80 ( ) at 2023-12-22 04:46 UTC
Nmap scan report for (
Host is up (0.041s latency).

80/tcp open http


This was, as various posters suggested, an issue with the firewall. Thank you all for your valuable suggestions and time. Sincerest thanks.

