Certbot nginx challenge times out

Help
1

My domain is: verbeeten.dev

I ran this command: sudo certbot --nginx --debug-challenges -d verbeeten.dev -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for verbeeten.dev
Performing the following challenges:
http-01 challenge for Identifier(typ=IdentifierType(dns), value='verbeeten.dev')

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://verbeeten.dev/.well-known/acme-challenge/Hdnd5PUBFsARmuP0mPJ_ktcVMF9pcVYUQhsNEGihM_M
Expected value:
Hdnd5PUBFsARmuP0mPJ_ktcVMF9pcVYUQhsNEGihM_M.ducZW5kcU4RnhJQCDt4CPFUdsh99vejPpMUWRNhShTo
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue
Waiting for verification...
Challenge failed for domain verbeeten.dev
http-01 challenge for Identifier(typ=IdentifierType(dns), value='verbeeten.dev')

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Identifier: verbeeten.dev
  Type:   connection
  Detail: 220.235.175.49: Fetching http://verbeeten.dev/.well-known/acme-challenge/Hdnd5PUBFsARmuP0mPJ_ktcVMF9pcVYUQhsNEGihM_M: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.24.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 24.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.5.0

Curl returns the site and I can browse to it when i manually install a certificate, but certbot can't complete the challenge for some reason.

curl http://verbeeten.dev
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

I do have a firewall in place, but the IP of my web server is allowed all traffic in and out.

2

That's not what it looks like from here.

5 Likes
3

I do have a suspicion that it's the firewall, but I can't see how when curl and all other tests to the server work

4

Note: I've had it working with a manually generated cert, manually applied to nginx and was able to browse the site fine

5

Are those from the public internet? Or just your local network?

Because the Let's Encrypt validation servers send the HTTP requests from the public internet to you. The link @petercooperjr provided showed testing from various places around the globe and none worked.

4 Likes
6

Public. The domain name resolves to my public IP when pinged

7

But this is what I see with nmap from Oregon USA

$ nmap -Pn -p80,443 verbeeten.dev
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-04-08 22:50 UTC
Nmap scan report for verbeeten.dev (220.235.175.49)
Host is up.
rDNS record for 220.235.175.49: 220-235-175-49.tpgi.com.au

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.55 seconds
4 Likes
8

Sure, your IP may be your public IP but are you initiating those curl from inside your own local network or from the public internet? Because I haven't seen anything reach you from outside.

Requests from outside may be running through a firewall and your tests not - maybe?

Also see:

3 Likes
9

That's good to work with. I'll try to get the server on a DMZ through my firewall and test again later.
I can play around with that and the firewall to get a result.
Thanks

2 Likes