Certbot "could not connect to" domain, but I can

I actually have a pretty decent amount of experience with LE, but I’m hitting an issue I’ve not seen. Admittedly I’m trying something a little new: placing a LE-protected site behind HAProxy. It’s really simple: proxying ports 80 and 443 to this single machine that’s running nginx. Nginx is configured to expose /var/www/letsencrypt as /.well-known, and I use the webroot plugin. I always get this though:

Domain: staging.kyrofa.com
Type:   connection
Detail: Could not connect to staging.kyrofa.com

My domain is:


Note that .well-known should be working fine: http://staging.kyrofa.com/.well-known/acme-challenge/test .

I ran this command:

certbot-auto certonly --dry-run -a webroot -w /var/www/letsencrypt -d staging.kyrofa.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for staging.kyrofa.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /var/www/letsencrypt/.well-known/acme-challenge
Failed authorization procedure. staging.kyrofa.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to staging.kyrofa.com

 - The following errors were reported by the server:

   Domain: staging.kyrofa.com
   Type:   connection
   Detail: Could not connect to staging.kyrofa.com

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My operating system is (include version):

Ubuntu 16.04

My web server is (include version):

Nginx, although it’s embedded in GitLab Omnibus so I’m not sure about the version.

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don’t know):


I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


Any advice would be very much appreciated!

I personally can’t connect to that site either. (Or ping it.) It seems to time out.

Check for firewall or other Internet connectivity issues?

Wah... you were absolutely right. I'm not quite sure what happened: my router apparently was only following the port forwarding rules if the request was originating behind it. I SSHed into another server and tried to curl the URL in the original post and, indeed, it was unreachable. The computer in question was using a static IP; I changed to using DHCP with a MAC-bound lease on the router and things started working from outside the network as well. How odd...

Thanks for the quick sanity check!
