Certbot "Some challenges have failed."

I have been trying to set up Nextcloud to work with my domain for the past two days now and haven't been able to figure it out. Any and all help is appreciated!

My domain is: cloud.715database.com

I ran this command: sudo certbot --apache -d cloud.715database.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for cloud.715database.com

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: cloud.715database.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for cloud.715database.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for cloud.715database.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache 2.4.52

The operating system my web server runs on is (include version): Ubuntu Server 22.04

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I don't think I am, but I am using Google Domains and Google Cloud DNS to set up the DNS for the domain if that's what this means.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Hello @danielandr, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using Let's Debug here are the results for the HTTP-01 Challenge https://letsdebug.net/cloud.715database.com/1328480

You can read more here Challenge Types - Let's Encrypt and look for HTTP-01 challenge.


However 715database.com does have and DNS A Record and it's Let's Debug results https://letsdebug.net/715database.com/1328486 indicate HTTP Port 80 isn't open.

Best Practice - Keep Port 80 Open


By "open" do you mean that it should be allowed through my server's firewall? Because according to "sudo ufw status verbose", both ports 80 and 443 are allowed through the firewall.


Here is what I see from my location, all ports are "Filtered"

$ nmap -Pn 715database.com
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-08 17:11 PST
Nmap scan report for 715database.com (
Host is up.
rDNS record for
All 1000 scanned ports on 715database.com ( are filtered

Nmap done: 1 IP address (1 host up) scanned in 203.43 seconds

Using this online tool TCP Port Scanner, Online Port Scan, Port Scanning | IPVoid


I think I might understand what my issue is then. I used a Google VM instance to get an external IP to use for the A record for 715database.com and then deleted the VM instance immediately after getting the external IP. Did me deleting the VM instance cause this issue in the first place? And would keeping the VM instance up allow me to properly use certbot?

I don't know. I do know that if you want to use the HTTP-01 Challenge with a domain name, such as cloud.715database.com, that that domain name needs to resolve to an Internet accessible IP address and allow Port 80 through.

At this point kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.


Alright, thank you for all the help you have provided so far.


In order to obtain a certificate via HTTP-01 authentication, you must first have a working HTTP site.
[or HTTP access to that system and run an ACME client as a web service]

The first step to having an HTTP web site accessed from the Internet is having an FQDN that resolves to an Internet accessible IP address.

This is not such an IP address:

Name:    cloud.715database.com

If I'm hosting Nextcloud on a home server build, would it be possible to somehow take the build IP address and turn it into an internet accessible IP address so that I would be able to access the Nextcloud page outside of my home network? I'm very new to web hosting so I originally assumed owning a domain and using something like Google Cloud DNS to point toward the builds IP would resolve this issue.

Yes, that is very common.
You would need to port forward HTTP/HTTPS from the router to the NextCloud server.
If your router doesn't have a static IP address, there are Dynamic DNS services that can be used to keep the IP updated automatically.

Internet connections must be made via Internet routable IPs.
So, you would have to update the Internet DNS zone with the Internet IP of the router.


Since you are using Google Cloud DNS (I think?), you also have the option to use the certbot-dns-google plugin, which will allow you to issue a certificate for a domain that doesn't have an external IP address.


Note: Even if you manage get a certificate indirectly, you will need to reach your home NextCloud from the Internet:

That requires global DNS to resolve your FQDN to an IP address that can be reached via the Internet.


How did you find that IPv4 Address?

This is all I found

$ nslookup
> set q=ns
> cloud.715database.com

Non-authoritative answer:
*** Can't find cloud.715database.com: No answer

Authoritative answers can be found from:
        origin = ns-cloud-d1.googledomains.com
        mail addr = cloud-dns-hostmaster.google.com
        serial = 30
        refresh = 21600
        retry = 3600
        expire = 259200
        minimum = 300
> server ns-cloud-d1.googledomains.com.
Default server: ns-cloud-d1.googledomains.com.
> cloud.715database.com
Server:         ns-cloud-d1.googledomains.com.

*** Can't find cloud.715database.com: No answer
1 Like

@Bruce5051 I get this right now:

nslookup cloud.715database.com

Or, Let's Debug helpfully describes private IP's (link here)

nslookup cloud.715database.com ns-cloud-d1.googledomains.com
Server:  ns-cloud-d1.googledomains.com
Address: 2001:4860:4802:32::6d#53
Name:    cloud.715database.com

Yet here, Let's Debug helpfully DID not describes private IP's https://letsdebug.net/cloud.715database.com/1328480 when I had first looked.

1 Like

And I get those results now.

$ nslookup cloud.715database.com ns-cloud-d1.googledomains.com
Server:         ns-cloud-d1.googledomains.com

Name:   cloud.715database.com


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.