Certbot errors with AT&T ISP service?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

I know that I am dealing with Carrier Grade NAT because I have AT&T Cellular Broadband ISP service. I believe that is the root of my problem. ??

My domain is:

I ran this command:

eric@debian11:/etc/apache2/conf-available$ sudo certbot certonly --agree-tos --email eric@n8aay.net --webroot -w /var/lib/letsencrypt/ -d files.n8aay.us

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

Account registered.
Requesting a certificate for files.n8aay.us
Performing the following challenges:
http-01 challenge for files.n8aay.us
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain files.n8aay.us
http-01 challenge for files.n8aay.us
Cleaning up challenges
Some challenges have failed.


My web server is (include version):

apache2 is already the newest version (2.4.52-1~deb11u2)

The operating system my web server runs on is (include version):

Debian 11

My hosting provider, if applicable, is:


I can login to a root shell on my machine (yes or no, or I don't know):


I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Yes, Dotster's control panel.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

1 Like

The Let's Encrypt validation server needs to connect to your webserver on port 80 if you want to satisfy the http-01 challenge (which is used by the webroot plugin). But due to CG-NAT, this is impossible. Unless you know a method for your ISP to portmap port 80 to JUST your server. But it's probably more likely world peace will happen this week.

So your other option would be to use the dns-01 challenge.


OK- I understand what you are saying about my ISP mapping my port 80 to just my server. Haha... What can you tell me about using the DNS-01 challenge? What would that command be?

1 Like

What are you hoping to protect? Are you able to maintain a comms connection from the public internet through CGNAT to your server?

It won't help to have a cert if you cannot connect without one.


I'm simply trying to install / run Nextcloud Server at my home. Seemingly there is not a way to get it to work through my AT&T ISP (CG-NAT) modem/router...so I may modify my goal and go with TrueNAS on a local machine here on my LAN.
Thanks- /E


I don't know the difference between TrueNAS and Nextcloud, but @MikeMcQ has an excellent point: if nobody can reach your NAS and you're the only one using it, you might just go with a self-signed certificate with an expiry date 10 years in the future.. If you need a cert to begin with..


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.