Certbot renewal fails with "Timeout during connect (likely firewall problem)" warning

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lawlec.korea.ac.kr

I ran this command: certbot renew

It produced this output:
2025-11-12 09:53:31,958:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/1196656447/611509808046 HTTP/1.1" 200 1081
2025-11-12 09:53:31,959:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 12 Nov 2025 00:53:31 GMT
Content-Type: application/json
Content-Length: 1081
Connection: keep-alive
Boulder-Requester: 1196656447
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 9cWC3FLMELUTI_tQ6BDDbL1szktgvMdVOEwPmIIWwdWvW901YyU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "lawlec.korea.ac.kr"
},
"status": "invalid",
"expires": "2025-11-19T00:53:13Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/1196656447/611509808046/8vfWYQ",
"status": "invalid",
"validated": "2025-11-12T00:53:17Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "163.152.93.105: Fetching http://lawlec.korea.ac.kr/.well-known/acme-challenge/K7z9ZQ72GcFSYHSpWRRVUK1GhovUzonZQsehjapUwd8: Timeout during connect (likely firewall problem)",
"status": 400
},
"token": "K7z9ZQ72GcFSYHSpWRRVUK1GhovUzonZQsehjapUwd8",
"validationRecord": [
{
"url": "http://lawlec.korea.ac.kr/.well-known/acme-challenge/K7z9ZQ72GcFSYHSpWRRVUK1GhovUzonZQsehjapUwd8",
"hostname": "lawlec.korea.ac.kr",
"port": "80",
"addressesResolved": [
"163.152.93.105"
],
"addressUsed": "163.152.93.105"
}
]
}
]
}
2025-11-12 09:53:31,960:DEBUG:acme.client:Storing nonce: 9cWC3FLMELUTI_tQ6BDDbL1szktgvMdVOEwPmIIWwdWvW901YyU
2025-11-12 09:53:31,961:INFO:certbot._internal.auth_handler:Challenge failed for domain lawlec.korea.ac.kr
2025-11-12 09:53:31,962:INFO:certbot._internal.auth_handler:http-01 challenge for lawlec.korea.ac.kr
2025-11-12 09:53:31,962:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: lawlec.korea.ac.kr
Type: connection
Detail: 163.152.93.105: Fetching http://lawlec.korea.ac.kr/.well-known/acme-challenge/K7z9ZQ72GcFSYHSpWRRVUK1GhovUzonZQsehjapUwd8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.1.0

The web server that responds is Server: Apache/2.4.52 (Ubuntu), but you are running certbot in nginx mode, so the challenge response will likely be written to the wrong place (the nginx web server files, etc.).

3 Likes

From what I see, the server appears to be nginx in the posted error, but Apache mode is being used. That doesn't explain the timeout though.

1 Like

The nginx server replies are the ones from Let's Encrypt's servers.

If we saw the beginning of the log we could tell what the command was.

A timeout error doesn't return anything from their server so we can't draw any conclusions.

That said, Let's Debug does not timeout yet they still don't have a new certificate.

@youknowit2 Since your last good cert about 3 months ago have you added any kind of firewall?

3 Likes

We can see in the log that the Apache plugin was used.

3 Likes

That's an interesting observation. I'm glad you checked that. Maybe changes have been made since OP? :thinking:

3 Likes

Thanks for your replies. It has been fixed. The maintainer for the korea.ac.kr domain recently changed their firewall policy. They have now been informed of the problem and modified their firewall policy to accept port 80 connection requests from the acme-v02.api.letsencrypt.org host. Now everything works fine.

2 Likes
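The thread above shows the two things worth automating before a renewal: reading the CA's own authorization report to tell a filtered port ("Timeout during connect") apart from a server that answers but does not serve the token, and probing port 80 of every address the domain resolves to the way the validator would. The script below is an added example written for this thread, not part of certbot or of Let's Encrypt; it uses only the Python standard library. The sample authorization object is constructed from the JSON in the certbot log posted above, and the `/.well-known/acme-challenge/reachability-probe` path and the `preflight`, `tcp_probe`, `http_probe` and `loopback_demo` names are this example's own.

```python
"""Triage an ACME http-01 failure and pre-check port 80 reachability.

Added example for the thread above; standard library only. AUTHZ_SAMPLE is
constructed (abridged) from the authorization JSON in the posted certbot log.
"""
import http.client
import json
import socket

# Constructed sample: the http-01 authorization object reported by the CA in the post.
AUTHZ_SAMPLE = json.loads("""
{
  "identifier": {"type": "dns", "value": "lawlec.korea.ac.kr"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "163.152.93.105: Fetching http://lawlec.korea.ac.kr/.well-known/acme-challenge/K7z9ZQ72GcFSYHSpWRRVUK1GhovUzonZQsehjapUwd8: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "validationRecord": [
        {"hostname": "lawlec.korea.ac.kr", "port": "80",
         "addressesResolved": ["163.152.93.105"], "addressUsed": "163.152.93.105"}
      ]
    }
  ]
}
""")

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def classify_authz(authz: dict) -> dict:
    """Summarise why an http-01 authorization failed, from the CA's own report."""
    chal = next(c for c in authz["challenges"] if c["type"] == "http-01")
    summary = {"domain": authz["identifier"]["value"], "status": chal["status"],
               "error_type": None, "likely_cause": None, "address_used": None, "port": None}
    if chal.get("validationRecord"):
        rec = chal["validationRecord"][-1]  # the address/port the CA actually tried last
        summary["address_used"] = rec.get("addressUsed")
        summary["port"] = int(rec.get("port", 0))
    err = chal.get("error")
    if err:
        err_type = err["type"].rsplit(":", 1)[-1]  # e.g. "connection", "unauthorized", "dns"
        detail = err.get("detail", "")
        summary["error_type"] = err_type
        if err_type == "connection" and "Timeout during connect" in detail:
            summary["likely_cause"] = "port 80 filtered between the CA and the host (firewall/ACL)"
        elif err_type == "connection" and "Connection refused" in detail:
            summary["likely_cause"] = "host reachable but nothing listening on port 80"
        elif err_type == "unauthorized":
            summary["likely_cause"] = "web server answered but did not serve the token (wrong plugin/webroot/vhost)"
        elif err_type == "dns":
            summary["likely_cause"] = "DNS lookup problem for the domain"
        else:
            summary["likely_cause"] = f"other ({err_type}): {detail}"
    return summary


def tcp_probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Return 'ok', 'timeout', 'refused' or 'error' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.timeout:          # SYN silently dropped: the filtered-port symptom from the post
        return "timeout"
    except ConnectionRefusedError:  # RST came back: host reachable, no listener on the port
        return "refused"
    except OSError:
        return "error"


def http_probe(addr: str, domain: str, port: int = 80, timeout: float = 5.0):
    """GET a dummy challenge path with the right Host header; return HTTP status or None.

    404 is the healthy answer here: the server is reachable and routes the path.
    Only the real token that certbot places would return 200.
    """
    conn = http.client.HTTPConnection(addr, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + "reachability-probe", headers={"Host": domain})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()


def preflight(domain: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Renewal pre-check (needs network): probe every address the domain resolves to."""
    results = {}
    for addr in socket.gethostbyname_ex(domain)[2]:
        state = tcp_probe(addr, port, timeout)
        results[addr] = {"tcp": state,
                         "http_status": http_probe(addr, domain, port, timeout) if state == "ok" else None}
    return results


def loopback_demo() -> dict:
    """Offline demonstration of tcp_probe: a loopback listener, then the same port closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    open_state = tcp_probe("127.0.0.1", port, timeout=2.0)
    listener.close()
    closed_state = tcp_probe("127.0.0.1", port, timeout=2.0)  # now nothing listens: expect RST
    return {"open": open_state, "closed": closed_state}


if __name__ == "__main__":
    print(json.dumps(classify_authz(AUTHZ_SAMPLE), indent=2))
    print(loopback_demo())
```

Run `preflight("your.domain.example")` from a host outside your own network, since a firewall that drops inbound SYNs on port 80 will look perfectly healthy from inside it; a `"tcp": "timeout"` result is the same condition the CA reported in the log above, while `"refused"` or an HTTP 404 point at the web server configuration instead. One caveat for anyone writing firewall rules after this thread: Let's Encrypt validates from several vantage points and does not publish a fixed list of validation IP addresses, so allowing port 80 only from a single named host is not a reliable allow-list; the robust fix is to permit inbound port 80 generally and keep the challenge path served.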
