Certbot failed to authenticate some domains (authenticator: nginx) Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: zenpixel.com.de

I ran this command: sudo certbot --nginx

It produced this output:
Requesting a certificate for sl.zenpixel.com.de

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: sl.zenpixel.com.de
Type: connection
Detail: (my server IP address): Fetching http://sl.zenpixel.com.de/.well-known/acme-challenge/-FErZDEXskFRLtUoTjVmP1fT4ESw1RXN0J2f-wPbLrs: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu server 22.04 (VM)

My hosting provider, if applicable, is: Not Applicable, self hosted.

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I'm trying to self host simplelogin (GitHub - simple-login/app: The SimpleLogin back-end)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.7.0

Welcome @borringjoe

The --nginx option you chose uses an HTTP Challenge to an existing nginx server. But, Let's Encrypt cannot reach that domain using HTTP.

Your nginx must be available from the public internet but it is not. The Let's Debug test site is helpful as you make changes to your config. Often this is a firewall or wrongly configured router. Especially review any NAT routing in a router.

2 Likes

Thank you @MikeMcQ for the quick response!
Some elemental questions:

Regarding "The --nginx option you chose uses an HTTP Challenge to an existing nginx server. But, Let's Encrypt cannot reach that domain using HTTP."

  • Must I use a specific option running nginx to be able to have the certificate? If yes, which one?

Regarding: "The Let's Debug test site is helpful as you make changes to your config."

  • I saw that tool in another post and used it (without any knowledge of its black magic), and I passed the DNS test but failed the HTTP and TLS tests. Is it necessary to pass all 3 tests to get the certificate?

Regarding: "Often this is a firewall or wrongly configured router."

  • In my router I have NAT type configured as "fullcone". In my server I have UFW configured as follows:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
25                         ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
25 (v6)                    ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)

  • Is there any additional configuration necessary, that I'm missing?

Additional:
I tried port forwarding to the above ports but the output of the certbot command was the same.

Appreciate the patience.

The --nginx plugin option is perfectly fine. I was just stating it uses the HTTP Challenge (as opposed to a DNS or TLS-ALPN challenge).

The Let's Debug HTTP test is important to pass when using the HTTP Challenge (as you are). It would be rare for that to fail yet still be able to succeed using an HTTP Challenge to get a cert.

Those firewall settings looked okay so check all the other components. In short, make sure you can reach your nginx server with HTTP from the public internet.

You may need to check with your ISP to ensure they allow requests on port 80 to reach you. Some residential services do not.

2 Likes
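A way to run the check this reply asks for (reach the nginx server over plain HTTP from the public internet) is to fetch the same challenge URL the CA fetches and name the failure mode. The script below is an added example, not part of the thread and not Certbot's or Let's Debug's code; the domain, the token and the nginx document root `/var/www/html` are placeholders or assumptions. It must be run from outside your own network (a VPS, a phone hotspot): from inside, NAT hairpinning can make an unreachable server look fine.

```shell
#!/bin/sh
# Added example, not from the thread: probe the HTTP-01 challenge URL the way the
# CA does and name the failure mode. Domain and token are placeholders.
set -u

# The CA fetches exactly this URL for an HTTP-01 challenge (RFC 8555, section 8.3).
challenge_url() {
  # $1 = domain, $2 = challenge token
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Map curl's exit status to the symptom the CA would report.
classify_curl_exit() {
  case "$1" in
    0)  echo "reachable" ;;          # TCP + HTTP worked; now compare the body
    6)  echo "dns-failure" ;;        # name did not resolve: DNS record problem
    7)  echo "connection-refused" ;; # port answered with RST: nothing listening / reject rule
    28) echo "timeout" ;;            # no SYN/ACK: silent drop by firewall, NAT or ISP
    *)  echo "other-$1" ;;
  esac
}

# The served body must be "<token>.<account-key-thumbprint>"; anything else
# (a 404 page, a redirect to a login page) fails validation even if reachable.
key_authz_matches() {
  # $1 = body served, $2 = token
  case "$1" in
    "$2".*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Fetch with CA-like limits: follow redirects, short connect timeout, plain HTTP.
probe_http01() {
  # $1 = domain, $2 = token
  url=$(challenge_url "$1" "$2")
  body=$(mktemp)
  curl -sS -L --max-redirs 10 --connect-timeout 10 --max-time 30 -o "$body" "$url" 2>/dev/null
  rc=$?
  result=$(classify_curl_exit "$rc")
  if [ "$result" = "reachable" ]; then
    if key_authz_matches "$(cat "$body")" "$2"; then
      result="reachable-correct-body"
    else
      result="reachable-wrong-body"
    fi
  fi
  rm -f "$body"
  echo "$result"
}

# Usage (from outside your network): sh probe.sh sl.zenpixel.com.de <token>
# To test the path before running certbot, create the file
# /var/www/html/.well-known/acme-challenge/<token> on the server (assumed nginx
# document root) containing "<token>.test", then probe it from outside.
if [ $# -eq 2 ]; then
  probe_http01 "$1" "$2"
fi
```

A result of `timeout` is the same symptom Certbot printed above: the SYN never gets an answer, which points at the router NAT rule, UFW (rules above look fine), or the ISP dropping port 80. `connection-refused` means the packet arrived but nothing accepted it, so the forwarding reaches the wrong host or port. `reachable-wrong-body` means the network path is fine and the problem is in nginx's server block or document root.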

It might be my ISP, it is full of this kind of cr@p... I'll confirm later to close this post.

If it is your ISP, check what ports are allowed.

You could maybe automate a DNS Challenge and use the certs for HTTPS (TLS) on a port they do allow. DNS Challenges are often more difficult to setup but far from impossible.

2 Likes

Loved the suggestion! I didn't know it was a possibility.

I won't give up :smiley:

3 Likes

I found this and this but I have no idea what to do with this information :smiley: (it might seem I can't put 2+2 together)

I'm trying to find a step-by-step guide, because unfortunately this is my expertise level on this stuff. I'm a mechanic by trade, not a tech ninja, but I like to get out of my comfort zone :wink:

If someone could point me in a direction, I'll appreciate it!

Have you confirmed from your ISP that ports are allowed inbound to you?

Because if you don't have any, or they are using CGNAT, it won't matter if you can get a cert because you won't be able to connect.

2 Likes

I could not even get in touch with them! This is how bad it is... but I am assuming port 80 is closed due to results in the test.

All the ports may be blocked. My experience says it is much more likely you have a config problem and much less likely an ISP issue (because that's what we see here more often).

But, if you can proceed you have options.

You are already using Cloudflare as your DNS provider. Certbot supports that; see its docs here (link here)

If you will only use standard ports you could "proxy" your domain name at Cloudflare to use their CDN. That handles HTTPS between any client and its CDN Edge. You could then use their Origin CA Cert for HTTPS between its CDN Edge and your origin server.

The Origin CA Cert is a one-time process. It has some limitations, like not working for email servers.

Cloudflare Origin CA Certs

Also see:
Where to? Introducing Origin Rules.

2 Likes
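The DNS Challenge route suggested earlier ("automate a DNS Challenge and use the certs for HTTPS on a port they do allow") and the Cloudflare DNS plugin mentioned in this reply come together in the script below. It is an added example, not the thread's own steps and not Certbot's documentation; it assumes Certbot 2.7.0 was installed from the snap (so the plugin is installed as a snap too), that the zone is hosted at Cloudflare, and that you create a Cloudflare API token scoped to Zone:DNS:Edit for that zone. The domain is the one from the thread; the token value is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: get a certificate with the DNS-01
# challenge through Certbot's Cloudflare plugin, so validation never needs an
# inbound connection on port 80. Assumes the snap install of certbot.
set -eu

# Write the plugin's credentials file with owner-only permissions. Certbot warns
# about unsafe permissions on this file, and rightly so: the token can rewrite
# the zone's DNS records, so nobody but root should be able to read it.
write_cloudflare_credentials() {
  # $1 = path, $2 = Cloudflare API token (scoped to Zone:DNS:Edit)
  ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
  chmod 600 "$1"
}

# Authenticate with DNS-01 via Cloudflare and install the cert into the
# existing nginx server block. Propagation seconds gives Cloudflare's
# nameservers time to publish the _acme-challenge TXT record.
run_certbot_dns_cloudflare() {
  # $1 = domain, $2 = credentials path
  certbot run -a dns-cloudflare -i nginx \
    --dns-cloudflare-credentials "$2" \
    --dns-cloudflare-propagation-seconds 30 \
    -d "$1"
}

# Full procedure; run as root: sudo sh dns-cert.sh sl.zenpixel.com.de <API_TOKEN>
issue_cert() {
  domain=$1; token=$2
  cred=/root/.secrets/cloudflare.ini
  # Assumption: certbot came from the snap, so the plugin is a snap as well.
  snap set certbot trust-plugin-with-root=ok
  snap install certbot-dns-cloudflare
  mkdir -p "$(dirname "$cred")"
  write_cloudflare_credentials "$cred" "$token"
  run_certbot_dns_cloudflare "$domain" "$cred"
  # Prove that renewal also works without port 80 before depending on it.
  certbot renew --dry-run
}

if [ $# -eq 2 ]; then
  issue_cert "$1" "$2"
fi
```

Validation and renewal then depend only on outbound access to Cloudflare's API, which is why an ISP block on port 80 stops mattering. Clients still need to reach nginx on some port: if 443 is blocked as well, change the `listen 443 ssl` line Certbot writes into the server block to a port the ISP does allow.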

I'll do something else now. For this and other issues I'll change ISP, then I'll get back to this project.
I guess I can live a couple of months without my fancy email aliases.
Thank you so much @MikeMcQ !!!

See you soon! :wink:

2 Likes
