Cannot complete challenge and yes port 80 is open

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: Apply Changes

It produced this output:

ValueError: Challenge did not pass for {
  u'status': u'invalid',
  u'challenges': [{
    u'status': u'invalid',
    u'validationRecord': [{u'url': u'', u'hostname': u'', u'addressUsed': u'', u'port': u'80', u'addressesResolved': [u'']}],
    u'url': u'',
    u'token': u'o6_eGPXdOChQ5GjwF67NF5anZ_n9ThHRo3BBZFrJkEI',
    u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching Timeout during connect (likely firewall problem)'},
    u'type': u'http-01'
  }],
  u'identifier': {u'type': u'dns', u'value': u''},
  u'expires': u'2020-04-09T21:51:34Z'
}

My web server is (include version): Apache (Not sure on version)

The operating system my web server runs on is (include version): Univention (Debian)

My hosting provider, if applicable, is: Me

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, Let's Encrypt App on Univention Server 4.4

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): N/A

Hi @Gravy

There is a running check of your domain:

Your port 80 is closed, not open.

Your port 443 answers. But port 80 is required.

Thanks for the quick reply. I have 80 open, I thought. I can browse to it via http. I am aware port 80 is required and am not sure why it would not think it is open.

Some ISPs block traffic to subscribers on port 80. You might ask your ISP?

I can explore that. This would be them blocking HTTP from or from my domain (

Usually they’ll block HTTP FROM <the-whole-internet> TO <current-subscriber-IP>, especially if subscribers have not been allocated a Static IP address.

I think you are correct. Somehow in my testing I did not run across that. Thank you very much.

So how would I go about working around that? Will I need HTTP to refresh the certs each time? I was seeing something about a DNS challenge for some other situations that were having issues. Would that be an option here and would I still be able to refresh certs automatically?

You have two main options:

  • use the dns-01 challenge
  • use the tls-alpn-01 challenge

and several secondary options, that all look like:

  • use some sort of tunnel and use another machine as a reverse proxy
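For reference, here is what each of the three challenge types actually asks the server to publish, derived from the same token and the same ACME account key. This is an added example written for this thread; it is not code from the Univention app, from Certbot, or from any poster. dns-01 is checked by a DNS lookup of _acme-challenge.<domain> and tls-alpn-01 by a TLS handshake on port 443 with ALPN "acme-tls/1", so neither needs inbound port 80. The token is the one from the posted error; the account key below is a constructed, made-up JWK (not a real P-256 point) so the derivation can be shown offline.

```python
"""
ACME challenge responses derived from one token and one account key.

Added example for the thread above, not code from the Univention app or
from any poster. Assumptions: the account JWK is constructed and labelled
as such; the token is the one from the posted error.
References: RFC 8555 s8.1 (key authorization), s8.3 (http-01), s8.4 (dns-01);
RFC 8737 (tls-alpn-01); RFC 7638 (JWK thumbprint).
"""
import base64
import hashlib
import json


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over canonical JSON of the required public members only
    (lexicographic order, no whitespace). Extra members such as 'kid' are ignored."""
    required = {
        "EC": ("crv", "kty", "x", "y"),
        "RSA": ("e", "kty", "n"),
    }[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """RFC 8555 s8.1: token '.' thumbprint of the account key."""
    return "{}.{}".format(token, jwk_thumbprint(jwk))


def http01_response(token, jwk):
    """http-01: the path the CA fetches over plain HTTP on port 80 and the
    exact body it must get back (this is the step that failed in the thread)."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, jwk)


def dns01_txt_value(token, jwk):
    """dns-01: TXT record label (relative to the validated name) and its value,
    the base64url SHA-256 of the key authorization. No inbound port needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return "_acme-challenge", b64url(digest)


def tls_alpn01_extension_value(token, jwk):
    """tls-alpn-01 (RFC 8737): DER value of the critical id-pe-acmeIdentifier
    extension (OID 1.3.6.1.5.5.7.1.31) in a self-signed cert served on port 443
    for ALPN 'acme-tls/1': OCTET STRING (tag 0x04, length 0x20) of the same digest."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return bytes([0x04, 0x20]) + digest


TOKEN = "o6_eGPXdOChQ5GjwF67NF5anZ_n9ThHRo3BBZFrJkEI"  # token from the posted error

# Constructed account key: NOT a real P-256 point, only shaped like one so the
# thumbprint arithmetic can run offline. A real client uses its own account key.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(bytes(range(32))),
    "y": b64url(bytes(range(32, 64))),
    "kid": "constructed-example",  # ignored by the thumbprint, as RFC 7638 requires
}

if __name__ == "__main__":
    path, body = http01_response(TOKEN, ACCOUNT_JWK)
    print("http-01     GET http://<domain>" + path + "  ->  " + body)
    label, value = dns01_txt_value(TOKEN, ACCOUNT_JWK)
    print('dns-01      {}.<domain> TXT "{}"'.format(label, value))
    print("tls-alpn-01 acmeIdentifier DER: " +
          tls_alpn01_extension_value(TOKEN, ACCOUNT_JWK).hex())
```

Whichever challenge you pick, renewal stays automatic only if the client can publish the response without a human step: dns-01 needs API access to the zone (or a delegated _acme-challenge CNAME into a zone the client can write), and tls-alpn-01 needs the client to control what the listener on 443 presents during validation.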

I will see what I can figure out on those options and update the thread. Thank you!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.