Certbot failed to authenticate some domains (authenticator: standalone)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: katvpn.mooo.com

I ran this command: bash <(wget -qO- https://github.com/mozaroc/x-ui-pro/raw/master/x-ui-pro.sh) -install yes -panel 1 -ONLY_CF_IP_ALLOW no

It produced this output: Failed to stop x-ui.service: Unit x-ui.service not loaded.
Enter available subdomain (sub.domain.tld): katvpn.mooo.com
Enter available subdomain for REALITY (sub.domain.tld): subkatvpn.mooo.com
Firewall stopped and disabled on system startup
Get:1 file:/etc/apt/mirrors/debian.list Mirrorlist [30 B]
Get:5 file:/etc/apt/mirrors/debian-security.list Mirrorlist [39 B]
Hit:2 Index of /debian bookworm InRelease
Hit:3 Index of /debian bookworm-updates InRelease
Hit:4 Index of /debian bookworm-backports InRelease
Hit:6 https://deb.debian.org/debian-security bookworm-security InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
curl is already the newest version (7.88.1-10+deb12u14).
wget is already the newest version (1.21.3-1+deb12u1).
jq is already the newest version (1.6-2.1+deb12u1).
bash is already the newest version (5.2.15-2+b9).
sudo is already the newest version (1.9.13p3-1+deb12u2).
nginx-full is already the newest version (1.22.1-9+deb12u3).
certbot is already the newest version (2.1.0-4).
python3-certbot-nginx is already the newest version (2.1.0-2).
sqlite3 is already the newest version (3.40.1-2+deb12u2).
ufw is already the newest version (0.36.2-1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Synchronizing state of nginx.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for katvpn.mooo.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: katvpn.mooo.com
Type: connection
Detail: 81.29.146.6: Fetching http://katvpn.mooo.com/.well-known/acme-challenge/B16N37SkmrzwBoNuvmAnZRJ6qpi1WjG78L6DQIuzoFY: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
katvpn.mooo.com SSL could not be generated! Check Domain/IP Or Enter new domain!

My web server is (include version): 81.29.146.6

The operating system my web server runs on is (include version): debian 12

My hosting provider, if applicable, is: rdp-onedash.ru

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): idk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0-4

Hi! I tried to make my own VPN for my family, so I used this script I found on YouTube: GitHub - mozaroc/x-ui-pro: ⚛X-UI PRO nginx reverse proxy with WS/gRPC/HttpUpgrade/SplitHttp support,Xray protocol support: vless,vmess,trojan,shadowsocks xui panel Cloudflare auto SSL,XTLS-rprx,SSR,v2fly Bypass restrictions: socks5,v2ray-core installer,sing-box,shadowtls,reality,tunnel,GFW warp wireguard geoip tuic Clash VPN mihomo hy2 oneclick argo bbr anticensorship . UFW on my server was disabled, but I specifically enabled it and opened port 80 (and allowed incoming). It didn't help(((

From my experience, I find the above message is usually correct.

2 Likes

It's very strange, because I opened port 80 for it, and also when I used this script the firewall was disabled.

The --standalone authenticator is harder to test because it requires exclusive use of port 80 and only responds when it is running.

Below are my steps to help debug that. However, that is when running Certbot independently. I don't know what else that script you are using does, so keep that in mind.

===================================

The --standalone method is difficult to debug because you need to keep Certbot running to test connection from the public internet.

Probably the easiest way to test is with these command options:

certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused and use a different device to test connection. You can use a mobile phone with wifi disabled to use your carrier's network.

You do not have to use the full URL. Just try http://(domain)

If the connection works, this shorter URL should get a response like the one below. I am pretty sure you will get a timeout error instead, just like Let's Encrypt did. Repeat this as needed as you modify your comms setup until it works.

ACME client standalone challenge solver

3 Likes
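The check described in the answer above (leave Certbot paused on `--debug-challenges`, then fetch `http://(domain)` from a device outside the server's network) can be scripted so that the outcome is classified the same way the CA reports it: a TCP connect that times out (the "likely firewall problem" case from the error message), a connect that is refused (nothing listening on port 80), or an HTTP answer, which is then checked for the standalone solver's banner. The example below is added here and is not code from the thread or from Certbot; the `_StandaloneStub` server, `start_stub` and `unused_port` are constructed helpers so the probe can be exercised offline against 127.0.0.1. For a real test, run `probe("your.domain")` from a phone or another host on a different network while Certbot is paused.

```python
import http.server
import socket
import threading

# Banner Certbot's standalone listener returns for a plain GET of the site root,
# as quoted in the answer above.
EXPECTED_BODY = "ACME client standalone challenge solver"


def probe(host, port=80, path="/", timeout=5.0):
    """Fetch http://host:port/path the way an outside client would and report
    at which stage it fails. stage=connect/result=timeout is what Let's Encrypt
    reported above: the TCP connection is never answered, which usually means
    a firewall somewhere between the internet and the server is dropping it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return {"stage": "connect", "result": "timeout"}
    except ConnectionRefusedError:
        return {"stage": "connect", "result": "refused"}
    except OSError as exc:  # DNS failure, network unreachable, ...
        return {"stage": "connect", "result": "error", "detail": str(exc)}

    with sock:
        sock.sendall(
            f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
        )
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            # Port is open but nothing spoke HTTP: some other service is on port 80.
            return {"stage": "read", "result": "timeout"}

    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    text = body.decode("utf-8", "replace").strip()
    return {
        "stage": "http",
        "result": "ok",
        "status": status,
        # True when the answer came from Certbot's standalone server, not e.g. nginx
        "standalone_solver": EXPECTED_BODY in text,
        "body": text,
    }


class _StandaloneStub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the standalone listener, for offline testing only:
    answers every path with the banner a paused Certbot would return."""

    def do_GET(self):
        body = EXPECTED_BODY.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub(host="127.0.0.1", port=0):
    """Start the stub on a background thread; port 0 lets the OS pick a free port
    (read it back from server.server_address)."""
    server = http.server.HTTPServer((host, port), _StandaloneStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def unused_port(host="127.0.0.1"):
    """Return a port with nothing listening, to show what 'refused' looks like."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Usage from an outside device while Certbot is paused: python3 probe.py (domain)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe(target))
```

Reading the result: `connect`/`timeout` points at a filter in front of the server (hosting provider or cloud security group, as it turned out in this thread), `connect`/`refused` means packets arrive but nothing is bound to port 80 (Certbot not running, or bound to another address), and an HTTP answer without `standalone_solver` set means another web server such as nginx already holds port 80.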

Thank you all, I fixed that!!! It was my hosting firewall problem (not my server firewall). I wrote to them and they fixed it.

4 Likes