Certificate Authority Can't Reach Server

My domain is: immich.windfreaker.dev

I ran this command: sudo certbot --nginx -d immich.windfreaker.dev -v

It produced this output:

...
Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: immich.windfreaker.dev
  Type:   connection
  Detail: 2600:8807:a740:312:aee2:a9ed:ae30:6343: Fetching http://immich.windfreaker.dev/.well-known/acme-challenge/mU5ZPjLEy26lihZ6qCMG1bwSEnmHJg_tEDLGOyQ0Gx0: Timeout during connect (likely firewall problem)
...

My web server is (include version): nginx/1.22.1

The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.0.0


I am having supposed firewall problems with my new Immich server. When I watch the nginx access logs, my server is not reached externally during any part of the certificating process that certbot starts. However, I have both ports 80 and 443 fully open and a ping from any of my own devices (regardless of network, behind a VPN, etc.) can reach the bot-created /.well-known/acme-challenge/... URL with absolutely no issues.

While .dev has HSTS preloaded by browsers, the HTTP validation method doesn't allow starting from HTTPS, so you need to listen on port 80 to reply to validation traffic.


I'm sorry, I don't know what HSTS is. My server is listening on port 80 already; do I need to change something else to reply to validation traffic?

Your host is IPv6 only, is that correct? I don't see an A RR, just AAAA. And it's not working from my endpoint either, on neither 80 nor 443.


I am choosing to only support IPv6 for my own sanity.

I have gone ahead and had another attempt, this time running sudo certbot certonly --manual and implementing the request myself. I tested on both my local machine and my phone on a VPN, and both successfully received the token. However, I still get a timeout during connect (likely firewall problem) from the certificate authority.

Port 80 is being blocked by my ISP and my ability to connect even over a VPN is because I don't know how IPv6 works well enough.

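The thread boils down to two checks a defender would want to automate before opening an HTTP-01 order: does the name publish A and/or AAAA records, and is TCP port 80 actually reachable on every published address. The script below is an added example, not code from the original thread or from Certbot; the addresses in the test are constructed documentation-prefix values, and the probe only tells you something when run from a host outside your own ISP and VPN, because, as the thread shows, reaching the challenge URL from your own devices proves nothing about what the CA sees.

```python
"""Pre-flight diagnostic for ACME HTTP-01: DNS records + port 80 reachability.

Added example (not Certbot's code). `lookup` and `port_open` touch the network;
`diagnose` is pure so its verdicts can be checked with constructed inputs.
"""
import socket
import sys
from typing import Dict, List

ACME_PORT = 80  # HTTP-01 always starts on plain HTTP; HSTS/HTTPS does not help here


def lookup(hostname: str) -> Dict[str, List[str]]:
    """Return the A (IPv4) and AAAA (IPv6) addresses the hostname resolves to."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, ACME_PORT, proto=socket.IPPROTO_TCP
        ):
            key = "A" if family == socket.AF_INET else "AAAA"
            ip = sockaddr[0]
            if ip not in records[key]:
                records[key].append(ip)
    except socket.gaierror:
        pass  # no records at all; diagnose() reports this
    return records


def port_open(ip: str, port: int = ACME_PORT, timeout: float = 5.0) -> bool:
    """TCP connect to ip:port; False on refusal or timeout (the CA's 'connection' error)."""
    try:
        # create_connection picks AF_INET or AF_INET6 from the address itself
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(records: Dict[str, List[str]], reachable: Dict[str, bool]) -> List[str]:
    """Turn DNS records and per-address probe results into human-readable findings."""
    findings: List[str] = []
    if not records["A"] and not records["AAAA"]:
        findings.append("no A or AAAA records: the CA has nothing to connect to")
        return findings
    if not records["A"]:
        findings.append(
            "no A record: validation can only use IPv6, so any IPv6 path problem fails the order"
        )
    for ip in records["A"] + records["AAAA"]:
        if not reachable.get(ip, False):
            findings.append(f"{ip}: port {ACME_PORT} unreachable (timeout or refused)")
    if not findings:
        findings.append(f"port {ACME_PORT} reachable on every published address")
    return findings


def run(hostname: str) -> List[str]:
    """Network version: resolve, probe each address, diagnose."""
    records = lookup(hostname)
    reachable = {ip: port_open(ip) for ip in records["A"] + records["AAAA"]}
    return diagnose(records, reachable)


if __name__ == "__main__":
    # Run this from a machine outside the network hosting the web server.
    for line in run(sys.argv[1] if len(sys.argv) > 1 else "example.com"):
        print(line)
```

The pure `diagnose` step is what makes the output actionable: an IPv6-only name with port 80 filtered upstream produces both the "no A record" and the "unreachable" findings together, which is exactly the combination the original poster eventually identified by hand.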
