Certificate Authority failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot certonly --standalone

It produced this output:

Fetching http://example.com/.well-known/acme-challenge/23D9uZ5nC6zDTHxfY-IXMs4eINZkzgWFGYBlpuskJNg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

My web server is (include version): IIS

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: Private Server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

We are using a private web page that is only accessed between our internal offices using a Site To Site VPN and allowing an external vendor using a Firewall ACL. The message I get when running Certbot is:

Fetching http://example.com/.well-known/acme-challenge/23D9uZ5nC6zDTHxfY-IXMs4eINZkzgWFGYBlpuskJNg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

So looking at the above message it looks like it is trying to communicate over port 80. I did a Packet Capture and I do not see any traffic going over port 80, only port 443 to IP 172.65.32.248. So I added a Firewall rule to allow this server to communicate to IP 172.65.32.248 over port 80 and 443 but I am still receiving the same error. I checked the log file and I see:

"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "XX.XX.XX.XX: Fetching http://example.com/.well-known/acme-challenge/sMYM6SfVEVVPAi1_9z8KI3Objrx3Sn-MNGNxou21ZFw: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/117829159416/2q05sw",
"token": "sMYM6SfVEVVPAi1_9z8KI3Objrx3Sn-MNGNxou21ZFw",
"validationRecord": [
{
"url": "http://example.com/.well-known/acme-challenge/sMYM6SfVEVVPAi1_9z8KI3Objrx3Sn-MNGNxou21ZFw",
"hostname": "example.com",
"port": "80",
"addressesResolved": [

I also see:

2022-06-09 08:47:56,600:DEBUG:acme.client:Storing nonce: 0102dd37En-oliN7cXMUYgj3F_hDTdP5B2HGC-0o9utoyWg
2022-06-09 08:47:56,601:INFO:certbot._internal.auth_handler:Challenge failed for domain example.com
2022-06-09 08:47:56,601:INFO:certbot._internal.auth_handler:http-01 challenge for example.com
2022-06-09 08:47:56,602:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: example.com
Type: connection
Detail: XX.XX.XX.XX: Fetching http://example.com/.well-known/acme-challenge/sMYM6SfVEVVPAi1_9z8KI3Objrx3Sn-MNGNxou21ZFw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet

So going by the log, it shows it is trying to communicate over port 80 but I do not see any packets using port 80 in the packet capture even after I allowed IP 172.65.32.248 port 80 and 443 in the Firewall ACL.

I am new to Let's Encrypt and Certbot so I appreciate the help. Thanks

1 Like

Without a proper domain name there's not much help you can get, but

that's not going to change anything. That's probably a Cloudflare Spectrum IP address - Let's Encrypt isn't going to use that for outgoing connections. Let's Encrypt validates from multiple IP addresses, the exact IPs are not made public. You won't be able to complete an HTTP-01 challenge with a firewall not allowing general access to port 80.

Possible solutions include switching to the DNS-01 challenge, or smarter firewall configurations (which, for example, allow arbitrary access to the .well-known/acme-challenge HTTP path).

8 Likes
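The "smarter firewall configuration" suggested above can be done on the IIS side instead of in the network ACL: pass TCP/80 at the perimeter to the server unconditionally, and let IIS's IP and Domain Restrictions confine the site to the VPN and vendor ranges while leaving the ACME challenge path open to everyone. The site-level web.config below is an added example, not part of the original thread and not any project's own code; the internal range 10.0.0.0/8 and the vendor address 203.0.113.10 are placeholders, and example.com stands in for the real site as elsewhere on the page.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config for the IIS site hosting example.com (not from the
     original thread). Placeholder ranges: 10.0.0.0/8 = offices reached over the
     site-to-site VPN, 203.0.113.10 = the external vendor. Everyone else gets 403. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Deny every address that is not listed; 403 Forbidden is the default denyAction. -->
      <ipSecurity allowUnlisted="false">
        <clear />
        <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        <add ipAddress="203.0.113.10" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>

  <!-- Carve out the ACME HTTP-01 path so the CA's validators, whose source
       addresses are not published, can fetch the token from anywhere. -->
  <location path=".well-known/acme-challenge">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="true">
          <clear />
        </ipSecurity>
      </security>
      <!-- Token files have no extension; make IIS serve them as plain text
           instead of refusing them with 404.3. -->
      <staticContent>
        <remove fileExtension="." />
        <mimeMap fileExtension="." mimeType="text/plain" />
      </staticContent>
    </system.webServer>
  </location>
</configuration>
```

Two prerequisites on the server, otherwise IIS answers 500.19 for the whole site: the IP and Domain Restrictions role service must be installed (Install-WindowsFeature Web-IP-Security), and the ipSecurity section, which applicationHost.config locks by default, must be unlocked (appcmd unlock config -section:system.webServer/security/ipSecurity). Two caveats follow from the thread itself: this only helps if the perimeter firewall actually delivers port 80 to this machine, and it pairs with certbot --webroot or with a client that shares port 80 through http.sys, not with --standalone, which would have to take port 80 away from IIS. The trade-off is that the access restriction is now enforced by IIS rather than by the firewall, so http.sys and the site's request pipeline are reachable from the internet on port 80, and the 443 policy in the ACL is unaffected either way.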

Ok thanks for the info.

1 Like

Yeah for http challenges you need TCP port 80 open, in the case of certbot standalone that will also compete with IIS if that's listening on port 80.

Other windows based ACME clients like https://certifytheweb.com (which is the GUI I develop) and others like win-acme, Posh-ACME etc tend to use windows built in http listeners, so they can transparently work while IIS is running.

If you do decide you want to try DNS challenges instead (for instance, if you are using Cloudflare for DNS), Certify The Web has that built in and also has native support for adding/updating IIS bindings so you just start with one or more normal http bindings in IIS (with the hostname set to your domain), then the app can pick that up and you click "Request Certificate" to get the cert, from then on the renewals are automatic.

3 Likes

Thanks. I wanted to try leaving port 80 open but I don't know Let's Encrypt IP addresses and it looks like they don't make them available from the previous user's response. So we would need to open this web page to the internet, which isn't necessary other than to use Let's Encrypt. I will try Certify The Web and see how that works. Thanks

1 Like

There's nothing wrong with keeping port 80 open. Please see Best Practice - Keep Port 80 Open - Let's Encrypt

Note that this would also be required with CertifyTheWeb which @webprofusion was spamming about.

2 Likes

It's a valid alternative solution which can port share with IIS (certbot cannot) and results in a working https cert configured within IIS (which certbot will not directly provide). It's also trivial to switch authorization over DNS using cloudflare etc, whereas certbot requires an additional plugin.

2 Likes

http-01 with port sharing wouldn't help if there is a firewall blocking port 80.

3 Likes
