Certbot Timeout - Possibly unique situation

Can't seem to get certbot http test working. My DNS provider is not compatible with the DNS test (Namecheap). I have forwarded all the ports on my router (80, 443), and opened them in my firewall (UFW).
Would appreciate any help.

My domain is: xmpp.burglabs.xyz

I ran this command:

sudo certbot certonly --standalone --test-cert

It produced this output:

Requesting a certificate for xmpp.burglabs.xyz

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: xmpp.burglabs.xyz
  Type:   connection
  Detail: Fetching http://xmpp.burglabs.xyz/.well-known/acme-challenge/-lCOat1jNHNPMqf6LZj32oE5Mpbf8pxuo15hQhJM_X4: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Prosody V-12
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
Ubuntu 21.10
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.25.0

1 Like

There probably is one more firewall you forgot or don't yet know about.

Your ISP? A missing port forwarding?


I'm guessing your ISP is blocking inbound port 80. That name is resolving to IP space owned by "Aussie Broadband", which I'm not particularly familiar with but their help pages say the residential connections have inbound ports 80 & 443 blocked. (I can't seem to directly link easily, but under "8. Tech Support" there's a "Port Blocking" section.)

In any event, one really needs to get one's site working publicly via HTTP before trying to get a certificate (at least with HTTP-01 challenges, which most people find easiest).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.