Certbot failed to authenticate: problems type connection. Time out. Ensure pointing to nginx server and access

My domain is:
Private: I would like to forward by private message
I ran this command:
sudo certbot certonly -a nginx --agree-tos --no-eff-email --staple-ocsp --email john@example.com -d mail.example.com
It produced this output:
Certob failed to authenticate some domains (autenticator: nginx). The Certificate Authority reported these problems:
Domain: mail.example.com
Type: connection
Detail: this.is.myipaddress.innumbers: Fetching http://mail.example.com/.well-known/acme-challenge/Ef7XsYfKe9 etc...: Timeout during connect (likely firewall problem)
My web server is (include version):
The operating system my web server runs on is (include version):
Arch Linux with LTS kernel
My hosting provider, if applicable, is:
I can log in to a root shell on my machine:
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is:
certbot 2.8.0

Hi I think the root of the problem is the fact that I don't have a real web server (with a web page).
The program is looking for A and AAAA records. I don't have an ipv6 connection so I don't have an ipv6 address for an AAAA record.

I just noticed that the terminal output says "Fetching **http://**mail." Perphaps this also means that I certbot is still looking for webpage info. But it's just a computer intended for mail exchange.

You should look at using the DNS Challenge instead. The --nginx plugin uses the HTTP Challenge which requires the Let's Encrypt server to reach your nginx server with an HTTP request on port 80.

Cloudflare readily supports the DNS Challenge. See Certbot plugin for that will create the needed TXT record in the DNS for the Let's Encrypt server to validate your domain. No web server is required.


Thanks Mike,
It looks logical. Sadly I bumb into a bug as it seems.
Got the actual command from here:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini -d mail.example.com

Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.11.7)

This is in mij cloudflare.ini file:
dns_cloudflare_email = thisismyemailaddress@knownatcloudflare.com
dns_cloudflare_api_key = theapikeyimadeinthecloudflaredashboard

More info about the bug:

The version I use probably still has the bug. While it's added as package on archlinux.org on 10/3/2023.

In case you could advice a workaround it would be more than welcome.

1 Like

The recommended way is the api_token and not the api_key which is global

Have you double-checked your Cloudflare access matches the method you used?
Here is their docs for the token and a method to test it independently

I don't know why that "bug" link would affect you. It was for someone who'd been using the plugin for some time and had old variable exports. If you also have those then the fix was to remove them. But, I don't know why you would in a new setup.

Cloudflare is a commonly used DNS provider with Certbot. I don't use it personally but we rarely see problems with it.


Super, it worked. Excuses for not reading the text good enough you provided. It's a good instruction.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.