Another "The Certificate Authority failed to verify ..."

My certificates were up for renewal and it failed with similar error below. I reinstalled apache, certbot but it always seems to hang at validating.

I've setup let encrypt successfully in past. I can access a test file

Not sure what I'm doing wrong this time.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot --apache --test-cert -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for
Performing the following challenges:
http-01 challenge for
Enabled Apache rewrite module
Waiting for verification...
Challenge failed for domain
http-01 challenge for

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Type: connection
Detail: Fetching Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache2 Ubuntu 20

The operating system my web server runs on is (include version): Ubuntu 20

My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
route 53 for dns records
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.27

1 Like

Welcome to the community @cleblond

Something is blocking attempt of the ACME http challenge URL. We have seen similar failures caused by a recent change to Palo Alto brand firewalls. They changed a default setting to start blocking acme challenge requests. See more info here

Your symptom is different in that the problem is a timeout rather than "reset by peer" or in some cases a 503 error. These are my test requests to your server. See the problem? While the symptom is different it is worth checking if you have Palo Alto firewall.

(note this has no trailing slash and redirects like other http requests)
curl -I -m10
HTTP/1.1 301 Moved Permanently
Date: Wed, 04 May 2022 20:29:58 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Adding a slash or the Challenge Token results in timeout
curl -I -m10
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

curl -I -m10
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

Thanks for the rapid reply!

Yes I suspected something was blocking. I see the same response as you unless I'm behind the VPN. Within the VPN the curl tests work fine.

1 Like

You know the Let's Encrypt server needs to reach you via the public internet - right?

Something is specifically blocking just the acme challenge URLs (while also allowing those URLs via your VPN)


I'm immediately reminded of the Palo Alto issue...
But this is somewhat different and yet similar.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.