Certbot failed to authenticate some domains

Hi, I just got my first domain and tried to get a certificate for it but I am getting the following error:

My domain is: liordev.online

I ran this command: sudo certbot --nginx -d liordev.online -d www.liordev.online

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for liordev.online and www.liordev.online

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: liordev.online
Type: connection
Detail: Fetching http://liordev.online/.well-known/acme-challenge/eNIoBKPZea_t0sCvO0ZHrJ_mxAeoumjIuaBRW6oIcy8: Timeout during connect (likely firewall problem)

Domain: www.liordev.online
Type: connection
Detail: Fetching http://www.liordev.online/.well-known/acme-challenge/nyoJ1_VO2aF9aMpZs4xTCpa4umA2SBKn5ZDPjEgdG88: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu server 22.04.02 LTS

My hosting provider, if applicable, is: Partner Communications

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.3.0

Your website at IP address is unreachable from the public internet, using HTTP on port 80 as well as using HTTPS on port 443.

Please make sure your website is reachable when using the http-01 challenge (which is the only challenge the --nginx authenticator plugin can do).


Supplemental here are (is) the only accessible (but closed) ports.

$ nmap -Pn liordev.online
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-26 12:22 PST
Nmap scan report for liordev.online (
Host is up (0.23s latency).
rDNS record for IGLD-83-130-236-22.inter.net.il
Not shown: 999 filtered ports
22/tcp closed ssh

Nmap done: 1 IP address (1 host up) scanned in 27.58 seconds

As @Osiris said HTTP-01 challenge of the Challenge Types - Let's Encrypt
needs Port 80 open and accessible.
Best Practice - Keep Port 80 Open

And to assist with debugging there is a great place to start is Let's Debug.


@Bruce5051 @Osiris
Thank you for your help. I opened port 80 and port 443 before opening the server. This is my router configuration for port forwarding. source is my public IP and the destination is the private IP of my server.

I also opened port 80 and 443 in my ubuntu server. Did I miss anything?


What about possibly the router's firewall?
Or possibly in a geographic location that has a Great Firewall?


Probably, but I don't know why. I just know everything on port 80 and 443 needs to be open, I'm afraid you're the only one who can do that. It might even be that your ISP is blocking access.


Here are a couple of online tools to help check from a location(s) on the Internet (i.e. not your local LAN)


Can you run one or both of theses and share the output?
curl https://ifconfig.co/
curl https://ifconfig.io/


I checked if my router has a firewall but could not find it so I am not sure about this. In IPVoid the public IP of the server shows that port 80 and 443 is "Filtered"
Well unless I need to put something else in the source IP I don't know if is there anything else I can open. This is my DNS settings in hostinger. Is there anything faulty here?

1 Like

both show

1 Like

And that is what we've got to get corrected. :slight_smile:


"Filtered" is the opposite of "open".

And no, unless you've entered the incorrect IP address, your DNS settings aren't the issue.


Thank you; so we know we are dealing with the correct IPv4 Address.


@Bruce5051 @Osiris
So the problem lies in my ISP/router port forwarding settings/firewall?

1 Like

Impossible to tell by us I'm afraid. Could be anywhere in your network or your ISPs.


Okay I understand I will check with my ISP tomorrow for a solution thanks again both of you for the help! have a good evening @Bruce5051 @Osiris


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.