Challenge did not pass (status 400) UCS 5 Univention

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

It produced this output: Do 26. Jan 12:28:33 CET 2023
Refreshing certificate for following domains:
Parsing account key...
Parsing CSR...
Found domains: nextcloud.flg..
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying nextcloud.flg.....
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/", line 198, in
File "/usr/share/univention-letsencrypt/", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER,, disable_check=args.disable_check, directory_url=args.directory_url,
File "/usr/share/univention-letsencrypt/", line 149, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for nextcloud.flg......: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://nextcloud.flg..../.well-known/acme-challenge/Nh9SdSW6h4bZg2ZNClg_ZRaRBYkV4p2Pv7vOrPRYG38', u'hostname': u'nextcloud.flg.....', u'addressUsed': u'93.238....', u'port': u'80', u'addressesResolved': [u'93.238....']}], u'url': u'', u'token': u'Nh9SdSW6h4bZg2ZNClg_ZRaRBYkV4p2Pv7vOrPRYG38', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'93.238....: Fetching http://nextcloud...../.well-known/acme-challenge/Nh9SdSW6h4bZg2ZNClg_ZRaRBYkV4p2Pv7vOrPRYG38: Timeout during connect (likely firewall problem)'}, u'validated': u'2023-01-26T11:28:19Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'nextcloud.flg....'}, u'expires': u'2023-02-02T11:28:17Z'}

My web server is (include version): Apache

The operating system my web server runs on is (include version): Linux Ubuntu

My hosting provider, if applicable, is: Vodafone

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Univention/Letsencrypt Version 2.0.0-2 (UCS 5)

Is showing

Oops! No nameservers found.

We tried to query nextcloud.flg for NS records (your nameservers), but couldn't find any. Does the domain you've added have any NS records?

I'm sorry. My domain is:


And this is what is shown for that domain name

DNS report for
Oops! No nameservers found.

We tried to query for NS records (your nameservers), but couldn't find any. Does the domain you've added have any NS records?

Or are they on a domain higher up the chain?

Go ahead, scan a new domain for its DNS records.


Yet in the past certificates have been issued, here is a list


And the top shows this

Query results for CAA

;; opcode: QUERY, status: NOERROR, id: 53417
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0



;; AUTHORITY SECTION:	0	IN	SOA 1676483148 600 300 604800 600

----- Unbound logs -----
Jan 26 16:03:22 unbound[58841:0] notice: init module 0: validator
Jan 26 16:03:22 unbound[58841:0] notice: init module 1: iterator
Jan 26 16:03:22 unbound[58841:0] info: start of service (unbound 1.16.3).

Let's Debug for the HTTP-01 challenge has 2 ERROR results here

The HTTP-01 Challenge needs Port 80
Best Practice - Keep Port 80 Open


How can we solve this? In the past we had no problem with certificate issuance... We have a pfSense firewall, and ports 80 and 443 are forwarded to the Nextcloud VM. Is the problem that we have no public IP address?

By having your host reachable by port 80 (and depending on a redirect also on port 443).

That's not something we can tell, but is something for you to investigate and find out unfortunately.

First have a working website and then try again.


The system only has Port 443 open; if you desire to use TLS-ALPN-01 challenge then that could work. :neutral_face:

$ nmap -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2023-02-01 09:59 PST
Stats: 0:04:01 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 74.97% done; ETC: 10:04 (0:01:20 remaining)
Nmap scan report for (
Host is up (0.18s latency).
rDNS record for
Not shown: 635 closed ports, 364 filtered ports
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 360.51 seconds

We have both ports open (see marker). We don't understand where the problem is. Maybe Let's Encrypt has a problem with our domain name?

Why do I get a different IP?:


We don't have a public IP; we use DynDNS.

You may not have a static/reserved IP, but you must have a public IP.

Why does your screenshot show IP:
While mine shows IP:

Can you retest now, at this new IP?


Both ports are open

That's not what I see from the U.S.

HTTP fails:

curl -Ii
curl: (56) Recv failure: Connection reset by peer

curl -Ii
curl: (56) Recv failure: Connection reset by peer

HTTPS works:

curl -Iik
HTTP/1.1 302 Found
Date: Thu, 09 Feb 2023 09:45:23 GMT
Server: Apache/2.4.38 (Univention)
Content-Type: text/html; charset=iso-8859-1

Here is an online tool this takes a Host Name or IP Address
to check HTTPS enter the URL with HTTPS and hit the HTTP button
to check from around the world your

Here is an online tool: TCP Port Scanner, Online Port Scan, Port Scanning | IPVoid
It requires an IP Address to scan (no domain names).
This will allow you to see how the public side of the Internet views your IP Address
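
Added example (not part of the thread and not Univention's code): a triage helper that reads an authorization object as printed in a traceback like the one in the first post and reports which address and port the CA probed, the ACME error type, and whether the probed address differs from the WAN address you expect behind DynDNS. The sample input is constructed with placeholder host, addresses and token; `triage`, `HINTS` and `expected_ip` are hypothetical names.

```python
import ast

# Constructed sample shaped like the authorization in the traceback (Python 2
# repr with u'' strings); host, addresses and token are placeholders.
SAMPLE_AUTHZ = (
    "{u'status': u'invalid', u'challenges': [{u'status': u'invalid', "
    "u'validationRecord': [{u'url': u'http://cloud.example.org/.well-known/"
    "acme-challenge/TOKEN', u'hostname': u'cloud.example.org', "
    "u'addressUsed': u'203.0.113.10', u'port': u'80', "
    "u'addressesResolved': [u'203.0.113.10']}], u'token': u'TOKEN', "
    "u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', "
    "u'detail': u'203.0.113.10: Timeout during connect (likely firewall problem)'}, "
    "u'type': u'http-01'}], "
    "u'identifier': {u'type': u'dns', u'value': u'cloud.example.org'}}"
)

# Hints keyed by ACME error type suffix (RFC 8555 section 6.7); wording is ours.
HINTS = {
    "connection": "no TCP connection to the probed address/port: check WAN firewall and port forward",
    "dns": "name did not resolve for the CA: check A/AAAA records",
    "unauthorized": "a server answered but not with the token: check vhost/webroot",
}

def triage(authz_repr, expected_ip=None):
    """Summarise each failed challenge in an authorization repr."""
    authz = ast.literal_eval(authz_repr)  # literals only; never eval() pasted logs
    findings = []
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        err = ch.get("error", {})
        kind = err.get("type", "").rsplit(":", 1)[-1]
        probed = [(r.get("addressUsed"), int(r.get("port", 0)))
                  for r in ch.get("validationRecord", [])]
        findings.append({
            "name": authz["identifier"]["value"],
            "challenge": ch.get("type"),
            "error": kind,
            "probed": probed,  # what the CA actually connected to
            "dns_mismatch": expected_ip is not None
                            and any(addr != expected_ip for addr, _ in probed),
            "hint": HINTS.get(kind, err.get("detail", "see error detail")),
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUTHZ, expected_ip="198.51.100.7"):
        print(finding)
```

A `dns_mismatch` of `True` means the name resolved, for the CA, to an address other than the one your port forwards sit on, which is worth ruling out before changing firewall rules.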
