Challenge failed for domain

Hi Let's Encrypt experts,

I have tried to renew my certificate, the way I have done it many times every three months, using [certbot --force-renewal] (if there is a better way, pls let me know). This time, for the first time, I got the [Challenge failed for domain] error message and I have no idea why and what to do. The server is remote and the people there are not able to help, so far. Can someone offer me some advice and point me in the right direction? Any help is much appreciated! Thanks!

My domain is:

I ran this command:

certbot --force-renewal

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1):

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Renewing an existing certificate for and
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Waiting for verification...
Challenge failed for domain
Challenge failed for domain
http-01 challenge for
http-01 challenge for
Cleaning up challenges
Some challenges have failed.

 - The following errors were reported by the server:

   Type:   connection
   Detail: Fetching
   Connection refused

   Type:   connection
   Detail: Fetching
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

It seems like something is preventing LE from reaching your server on port 80:


So it must be on the server side, right?

Please don't use this option if you don't know what it actually is for.

1 Like

Most likely, yes.
But it could also be your ISP or your country blocking it.


That's why I wrote, "if there is a better way, pls let me know".

What should I use instead?

I can reach it:

curl -Ii
HTTP/1.1 301 Moved Permanently
Date: Fri, 01 Sep 2023 05:16:09 GMT
Server: Apache/2.4.54 (codeit) OpenSSL/1.1.1q+quic PHP/7.4.33
Content-Type: text/html; charset=iso-8859-1

But LE can't.
And Let's Debug also can't:
Let's Debug (


certbot renew

[which should be run twice a day via a scheduled job/task]


I can also reach your domain and even tested from several locations around the world and they all worked. I also tried with the same "user-agent" string as Let's Encrypt as the Palo Alto brand of firewall might block those requests. But, those tests also worked so it is not that.

It looks more like an IP based firewall blocking Let's Encrypt and the Let's Debug IP addresses.


Server people say ports 22 and 80 are open, no IP's get blocked. No idea what to do.

Can you check logs for right around the time of a test using Let's Debug? See if your server can see the connection being refused somehow?

(I'm not sure what logs to suggest looking at, since "connection refused" is more often OS-level rather than application-level... you might need to run something like tcpdump on the server!)


ERROR has an A (IPv4) record ( but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

What could be the reason why the request did not succeed, if it's not an IP based firewall blocking LE?

I can think of a few other possibilities:

  • Routing tables mishaps
  • Geo-location blocks
  • IPS signature blocks
  • The Great [Fire] Wall type blocks

OK, some progress. Looks fine in the backend.

Successfully received certificate.
Certificate is saved at: /etc/ssl-com/live/
Key is saved at:         /etc/ssl-com/live/
This certificate expires on 2023-12-20.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for to /etc/httpd/conf.d/travelintaiwan-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on

But in the browsers it's not accepted it seems. Is there a waiting period?

As you can see, I used (SSL Dragon), not sure if that is a competitor to Let's Encrypt? I hope this has not disqualified me from asking questions here. I just want to get this to work. Will be happy to use whatever provider. Tks, guys!

Just use certbot renew daily. It won't renew if it's not due for renewal.

"Travel in Taiwan": I can definitely imagine a Great Firewall block.

Do you control your DNS entries? It may be simpler to set up a DNS challenge.

It's not IN your HTTP configuration. Certificate chains are specified at the server. It's not that the browser is not "accepting" the new, it's just that you haven't restarted your HTTP server, so the new certs aren't being sent. In my experience, on self-hosted systems, certbot does that, but perhaps it can't in your configuration.

What shows?:
sudo apachectl -t -D DUMP_VHOSTS


Here it is

[ABC]# sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server (/etc/httpd/conf.d/ssl.conf:58)
         port 443 namevhost (/etc/httpd/conf.d/ssl.conf:58)
         port 443 namevhost (/etc/httpd/conf.d/travelintaiwan-le-ssl.conf:2)
*:80          (/etc/httpd/conf.d/travelintaiwan.conf:1)

Anything you can see in there?

Isn't that more of a "PRC" issue? (Although, Asia is funny like that. You never know.)