Certbot “could not connect to” domain, but I can

My domain is:


I ran this command:

sudo certbot certonly --webroot -w /var/www/dn5/ -d ymir.dn5.ch --test-cert

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ymir.dn5.ch
Using the webroot path /var/www/dn5 for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ymir.dn5.ch (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ymir.dn5.ch/.well-known/acme-challenge/3NTnsk_fOqCIDTBJ1d6VljGKIJ4cutIc__MO9WFmbKI: Timeout

 - The following errors were reported by the server:

   Domain: ymir.dn5.ch
   Type:   connection
   Detail: Fetching

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


I have a haproxy infront of my webservers and my synology nas:

           80/443                80/443                  ---------------> synology nas with photo station
internet <-------> Router(NAT) <-------> haproxy <-------| ymir.dn5.ch
                                                         ---------------> nginx

For HTTP(80) i’m using mode http with base_dom filtering in HAProxy
For HTTPS(443) i’m using the tcp mode with req_ssl_sni filtering

If this matters
Bevor I had the HAproxy i only used my nginx for the internet with a Redirect 301 on the domain dn5.ch

Thanks for the help

You are advertising the IPv6 address 2a02:1205:506a:26b0:7eb7:33ff:fe09:b2a but not actually accepting connection on that address via IPv6.

1 Like

Now it is working

WOW Thank you so much!!! :raised_hands::thumbsup:
I’ve worked on this problem since two weeks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.