Again trouble with renewing certificate (http-01 challenge)

My certificate renewal started failing again at http-01 challenge, no clue how to fix it. I installed nextcloud and set up certbot years ago using instructions here: How to Install NextCloud on Debian 10
Unfortunately, I don't know how to change the challenge type, so I tried to open port 80 on my fritzbox and in the firewall (ufw), but the error is still the same. I would prefer not to open port 80. Can anyone point me to instructions on how to troubleshoot? Thanks!

My domain is: www.schymanski.eu

I ran this command: sudo certbot renew -v

It produced this output:
...
http-01 challenge for www.schymanski.eu
Waiting for verification...
Challenge failed for domain www.schymanski.eu
http-01 challenge for www.schymanski.eu

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.schymanski.eu
Type: connection
Detail: 94.252.21.148: Fetching http://www.schymanski.eu/.well-known/acme-challenge/fDPRnhsWmZc9-1S76ZwQmLjVIyvCyjzmUWsqXkU8YO4: Error getting validation data
...

My web server is (include version):
Server version: Apache/2.4.66 (Debian)
Server built: 2025-12-05T18:54:44

The operating system my web server runs on is (include version):
Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is:
self-hosting

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.1.0

I'm getting ICMP type 3 (destination unreachable) code 13 (communication administratively filtered) responses when fetching the challenge over HTTP (TCP port 80), do you have a firewall that could block this connection?

2 Likes

Thanks for checking! I don't understand what is going on, as I opened port 80 in the firewall, and now, just to double-check, I disabled the firewall for a little while, but the error remained the same. My Fritzbox does not show a green light beside the http-server port forwarding, only the https (port 443), so there could be a problem with port 80, but I don't know how to fix it either securely, or even insecurely. Is there a way to force certbot to only use port 443 or to open a special port for certbot to update certificates?

HTTP-01 must use port 80 (or port 443 when redirected to HTTPS from HTTP), there's no way to change this, however other challenges might be more suitable.

There's the TLS-ALPN-01 challenge; however, this requires support from your web server (mod_md - Apache HTTP Server Version 2.5).

There's also DNS-01 which requires being able to modify TXT records at _acme-challenge.<domain>.

4 Likes
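The two replies above describe what the CA does for HTTP-01 (a plain TCP connection to port 80, then a fetch of the token under `/.well-known/acme-challenge/`) and why "Error getting validation data" with ICMP admin-prohibited points at the NAT/firewall rather than at Apache. The following is an added example, not code from this thread or from Certbot, that reproduces those two steps so you can tell "port 80 blocked" apart from "port 80 open but token not served". The function `probe_http01`, the throwaway local server, and the token/body values are all constructed for illustration; to check a real setup, run it from a host outside your own network against your domain and port 80.

```python
"""Minimal HTTP-01 reachability probe (added example, not Certbot's code).

Mimics the validator's order of operations: TCP connect first, then an HTTP
fetch of the token path, following redirects like the CA does.
"""
import functools
import http.server
import os
import socket
import socketserver
import sys
import tempfile
import threading
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class ProbeResult:
    tcp_reachable: bool          # False => firewall/NAT problem, Apache never saw the request
    http_status: Optional[int]   # 200 => token path served; 404 => web server reached, token missing
    body_matches: bool           # True only when the served body equals the expected key authorization
    detail: str


def probe_http01(host: str, port: int, token: str, expected_body: str,
                 timeout: float = 5.0) -> ProbeResult:
    # Step 1: bare TCP connect. An administratively filtered port fails here,
    # which is what the CA reports as "Error getting validation data".
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError as exc:
        return ProbeResult(False, None, False, f"TCP connect to {host}:{port} failed: {exc}")

    # Step 2: fetch the token exactly where the validator looks for it.
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            ok = body == expected_body
            return ProbeResult(True, resp.status, ok,
                               "token served correctly" if ok else "token path served an unexpected body")
    except urllib.error.HTTPError as exc:
        return ProbeResult(True, exc.code, False, f"HTTP {exc.code} for {ACME_PATH}{token}")
    except (urllib.error.URLError, OSError) as exc:
        return ProbeResult(True, None, False, f"HTTP request failed after TCP connect: {exc}")


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's output clean
        pass


def serve_challenge_dir(token: str, body: str) -> Tuple[int, Callable[[], None]]:
    """Start a throwaway local web root serving one constructed token; returns (port, stop)."""
    root = tempfile.mkdtemp()
    challenge_dir = os.path.join(root, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir)
    with open(os.path.join(challenge_dir, token), "w", encoding="utf-8") as fh:
        fh.write(body)
    handler = functools.partial(_QuietHandler, directory=root)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)  # port 0 => OS picks a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop() -> None:
        srv.shutdown()
        srv.server_close()

    return srv.server_address[1], stop


def demo() -> dict:
    """Run the probe against a local server in the three states a troubleshooter cares about."""
    token = "constructed-token-not-from-the-thread"
    body = token + ".constructed-key-authorization"
    port, stop = serve_challenge_dir(token, body)
    try:
        served = probe_http01("127.0.0.1", port, token, body)          # healthy setup
        missing = probe_http01("127.0.0.1", port, "no-such-token", body)  # web server up, token absent
    finally:
        stop()
    closed = probe_http01("127.0.0.1", port, token, body)  # nothing listening: like a filtered port 80
    return {"served": served, "missing": missing, "closed": closed}


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: probe.py <host> <token> <expected-body>
        print(probe_http01(sys.argv[1], 80, sys.argv[2], sys.argv[3]))
    else:
        for name, result in demo().items():
            print(f"{name:8s} {result}")
```

Reading the result: `tcp_reachable == False` from an outside host means the packet never reached Apache, so look at the router's port-forward and ufw rules for TCP 80; `http_status == 404` means port 80 is open but the request was not routed to the vhost or directory Certbot writes the token into; `200` with `body_matches == False` usually means a different site or a cached page is answering on port 80.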

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.