Can not renew a cert with certbot: Timeout during connect (likely firewall problem)


My cert is due to renewal. I am running certbot renew and this is the result that I get. Please advise!

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for
tls-sni-01 challenge for
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during connect (likely firewall problem). Skipping.


All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)


The following certs are not due for renewal yet:
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)
1 renew failure(s), 0 parse failure(s)

 - The following errors were reported by the server:

   Type:   connection
   Detail: Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.


Hi @danielrychel, domain points to ip and if you try to connect to this domain (port 80) it is finally redirected to (ip

The problem here is that you are using tls-sni-01 challenge so LE will try to connect to to resolve the challenge but you are not serving anything on port 443 (or you are blocking it) for domain

So, as an advice, as tls-sni-01 challenge is deprecated you could try http challenge as it should work fine with your current conf:

certbot renew --preferred-challenges http

Above command will or won’t work depending on how you issued your certificates in first place.

If you want to test, first, made a backup of /etc/letsencrypt/ and the conf for your web server just in case ;).

Good luck,


Thank you! That wad very helpful!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.