Certbot failed to authenticate some domains. Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: zlmedia.grasp.deals

I ran this command:
raphy@raohy:~$ sudo certbot --nginx -d zlmedia.grasp.deals -d www.zlmedia.grasp.deals
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for zlmedia.grasp.deals and www.zlmedia.grasp.deals

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: zlmedia.grasp.deals
  Type:   connection
  Detail: aa.aa.aaa.aa Fetching http://zlmedia.grasp.deals/.well-known/acme-challenge/hzEtwSgJk_B1Gk83dtRk6yX1pEfN8ezjpmKtbDUis1o: Timeout during connect (likely firewall problem)

  Domain: www.zlmedia.grasp.deals
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for www.zlmedia.grasp.deals - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.zlmedia.grasp.deals - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

nginx:

raphy@raohy:~$ sudo systemctl status nginx
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; preset: enabled)
     Active: active (running) since Fri 2025-11-21 15:55:04 CET; 1h 14min ago
       Docs: man:nginx(8)
    Process: 152868 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, st>
   Main PID: 145368 (nginx)
      Tasks: 9 (limit: 38346)
     Memory: 6.6M (peak: 14.6M)
        CPU: 291ms
     CGroup: /system.slice/nginx.service
             ├─145368 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
             ├─153261 "nginx: worker process"
             ├─153262 "nginx: worker process"
             ├─153263 "nginx: worker process"
             ├─153264 "nginx: worker process"
             ├─153265 "nginx: worker process"
             ├─153266 "nginx: worker process"
             ├─153267 "nginx: worker process"
             └─153268 "nginx: worker process"

nov 21 15:55:04 raohy systemd[1]: Starting nginx.service - A high performance web server and a reverse pro>
nov 21 15:55:04 raohy systemd[1]: Started nginx.service - A high performance web server and a reverse prox>
nov 21 16:31:53 raohy systemd[1]: Reloading nginx.service - A high performance web server and a reverse pr>
nov 21 16:31:53 raohy nginx[150831]: 2025/11/21 16:31:53 [notice] 150831#150831: signal process started
nov 21 16:31:53 raohy systemd[1]: Reloaded nginx.service - A high performance web server and a reverse pro>
nov 21 16:52:05 raohy systemd[1]: Reloading nginx.service - A high performance web server and a reverse pr>
nov 21 16:52:05 raohy systemd[1]: Reloaded nginx.service - A high performance web server and a reverse pro>
nov 21 16:52:05 raohy nginx[152868]: 2025/11/21 16:52:05 [notice] 152868#152868: signal process started

raphy@raohy:~$ sudo nano /etc/nginx/sites-available/zlmedia.grasp.deals:

server {
        listen 80;
        listen [::]:80;

        server_name zlmedia.grasp.deals;

        root /var/www/zlmedia.grasp.deals;
        index index.html;

        location / {
                try_files $uri $uri/ =404;
        }
}


raphy@raohy:~$ ls -lah /etc/nginx/sites-enabled/ | grep zl
lrwxrwxrwx 1 root root   46 nov 21 16:51 zlmedia.grasp.deals -> /etc/nginx/sites-available/zlmedia.grasp.deals

My web server is: nginx version: nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04

I can login to a root shell on my machine: yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

raphy@raohy:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
6443/tcp                   ALLOW       Anywhere                  
10250/tcp                  ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
Nginx Full                 ALLOW       Anywhere                  
6443/tcp (v6)              ALLOW       Anywhere (v6)             
10250/tcp (v6)             ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
Nginx Full (v6)            ALLOW       Anywhere (v6)  

What am I doing wrong and/or missing? How to make it work?

Hello @raphael10-collab, welcome back. :slightly_smiling_face:

Using the online tool Let's Debug yields these results

For zlmedia.grasp.deals - https://letsdebug.net/zlmedia.grasp.deals/2628688

And for www.zlmedia.grasp.deals - https://letsdebug.net/www.zlmedia.grasp.deals/2628687

There is a different error for www.zlmedia.grasp.deals: there simply is no IP Address.

And for zlmedia.grasp.deals Ports 80 & 443 are filtered, meaning that from the Public Internet the site is not accessible.
Best Practice - Keep Port 80 Open

$ nmap -Pn -p80,443 zlmedia.grasp.deals
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-21 09:00 PST
Nmap scan report for zlmedia.grasp.deals (81.56.45.51)
Host is up.
rDNS record for 81.56.45.51: bny92-3_migr-81-56-45-51.fbx.proxad.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 5.07 seconds
1 Like

Hi @Bruce5051 . Thank you for helping out.

I guess I have to open the ports on the ISP side

1 Like

Basically yes; but it could also be your router or firewall(s) if the machine is on your premises.

And add DNS IP Address Record(s) (i.e. an A Record for IPv4 and/or an AAAA Record for IPv6; you can have both, but only one is needed for the HTTP-01 challenge) for www.zlmedia.grasp.deals if you wish to use that name too.

2 Likes
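The two failures in this thread (NXDOMAIN for the www name, a connect timeout on port 80 for the apex) are exactly what an HTTP-01 validator sees from the outside, and both can be checked before running Certbot again. The script below is an added example written for this thread; it is not part of Certbot, nginx or Let's Debug. The function names (`preflight`, `Finding`, `default_resolve`, `default_connect`) are my own, and the resolver and TCP connector are injectable so the classification logic can be exercised with constructed results when no network is available.

```python
"""Preflight for HTTP-01 validation (added example, not Certbot's own code).

For each domain it answers the two questions the CA asks:
  1. Does the name resolve to at least one A/AAAA address?   (else Type: dns)
  2. Does TCP port 80 on each address accept a connection?   (else Type: connection)

The resolver/connector are parameters so the logic can be run offline with
fakes; by default they use the real network via the socket module.
"""
import socket
import sys
from dataclasses import dataclass

HTTP01_PORT = 80                            # HTTP-01 is always fetched on plain HTTP/80
ACME_PATH = "/.well-known/acme-challenge/"  # path the validator requests on that port


@dataclass
class Finding:
    domain: str
    kind: str    # "dns" or "connection", mirroring Certbot's "Type:" field
    detail: str  # human-readable cause plus where to look for the fix


def default_resolve(name):
    """Return the de-duplicated IPv4/IPv6 addresses for name (raises OSError on NXDOMAIN)."""
    infos = socket.getaddrinfo(name, HTTP01_PORT, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def default_connect(addr, port=HTTP01_PORT, timeout=5.0):
    """Open and immediately close a TCP connection; raises on timeout or refusal."""
    with socket.create_connection((addr, port), timeout=timeout):
        pass


def preflight(domains, resolve=default_resolve, connect=default_connect):
    """Classify each domain the way an external HTTP-01 validator would. Returns a list of Finding."""
    findings = []
    for domain in domains:
        # Step 1: DNS. getaddrinfo raises socket.gaierror (an OSError) on NXDOMAIN.
        try:
            addrs = resolve(domain)
        except OSError as exc:
            findings.append(Finding(domain, "dns",
                f"no A/AAAA record ({exc}); add one at the DNS provider"))
            continue
        if not addrs:
            findings.append(Finding(domain, "dns", "name resolved to no addresses"))
            continue

        # Step 2: reachability of port 80 on every published address. A timeout
        # (rather than a refusal) means packets are dropped somewhere upstream of
        # nginx: ISP, router/NAT, or a host firewall that the ufw rules don't cover.
        for addr in addrs:
            try:
                connect(addr)
            except (TimeoutError, socket.timeout):
                findings.append(Finding(domain, "connection",
                    f"{addr}: TCP/{HTTP01_PORT} timed out (filtered); check ISP, router "
                    f"port-forwarding and host firewall before re-running certbot"))
            except ConnectionRefusedError:
                findings.append(Finding(domain, "connection",
                    f"{addr}: TCP/{HTTP01_PORT} refused; nginx is not listening on this address"))
            except OSError as exc:
                findings.append(Finding(domain, "connection", f"{addr}: {exc}"))
    return findings


def summarize(findings):
    """Render findings in the same Domain/Type/Detail shape Certbot prints."""
    if not findings:
        return "all domains resolve and accept connections on port 80"
    return "\n".join(f"Domain: {f.domain}\n  Type: {f.kind}\n  Detail: {f.detail}"
                     for f in findings)


if __name__ == "__main__":
    # usage: python3 preflight.py zlmedia.grasp.deals www.zlmedia.grasp.deals
    print(summarize(preflight(sys.argv[1:])))
```

Run it with the same domain list you hand to `certbot -d ...`; an empty result means the CA can at least reach port 80 on every address, which is the precondition the "Timeout during connect" and NXDOMAIN messages are complaining about. It deliberately checks only what the validator checks (DNS plus a TCP connect on port 80), so a clean run still leaves the nginx vhost and the challenge path to Certbot itself.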