Can't install certificate on centos stream 9

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I haven't associated a domain name with this IP address yet.

I ran this command:

snap install certbot --classic

certbot 2.4.0 from Certbot Project (certbot-eff✓) installed

ln -s /snap/bin/certbot /usr/bin/certbot

certbot certonly --webroot -w /var/www/html -d

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Type: connection
Detail: Fetching Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): linux

The operating system my web server runs on is (include version): centos stream 9

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.4.0

Hello @TheSL, welcome to the Let's Encrypt community. :slightly_smiling_face:

Your are using the HTTP-01 challenge of the Challenge Types - Let's Encrypt, the require Port 80 to be open; Best Practice - Keep Port 80 Open.

However you do not have Port 80 open

$ nmap -Pn
Starting Nmap 7.80 ( ) at 2023-03-29 19:06 UTC
Nmap scan report for (
Host is up (0.13s latency).
Not shown: 995 closed ports
22/tcp  filtered ssh
25/tcp  filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 7.56 seconds

LE won't provide a certificate for an IP.

That is a domain name ("").
Who's name is that?
Why are you trying to get a cert for that name?
It resolves to some other IP [not yours].


Before you continue testing on the production system, please read:
How It Works - Let's Encrypt (
FAQ - Let's Encrypt (


Also testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.

And to assist with debugging there is a great place to start is Let's Debug.

Also please attach letsencrypt.log to your next post; also do re-run Certbot with -v for more details and share them.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.