Challenge invalid: Timeout, status 400 - but access_log shows status 200

Hi,
renewing my certificate wasn’t an issue up to now. But today, the renewal shows an error.
Method: http-01
"status": "invalid",
"error": {
"type": "urn:acme:error:connection",
"detail": "Fetching http://xxxx.de/.well-known/acme-challenge/tYa9u5rqyM8yYwUBAXCqeh_WNqzV41oXU23LbRSCkaM: Timeout",
"status": 400
},

The apache access log shows:

66.133.109.36 - - [30/Nov/2017:21:46:00 +0100] "GET /.well-known/acme-challenge/tYa9u5rqyM8yYwUBAXCqeh_WNqzV41oXU23LbRSCkaM HTTP/1.1" 200 354 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

So I see the webserver is accessible, and the challenge was created and accessed by Let's Encrypt. I checked with Wireshark; it's the correct file being sent out. It seems to be no firewall or DNS issue. There is no AAAA record, A only.

Thank you,

Franz

Is it possible the request deadline of 5 seconds was exceeded in this one instance, perhaps due to an intermittent network issue?

Does the renewal continue to fail if invoked manually?

Additionally, Let’s Encrypt connects from multiple sources to increase the barrier for malicious issuance by attackers who are able to modify network routes from some locations. It’s possible something is blocking one of these other attempts.

If you would completely fill out the questionnaire presented when you created this topic, it would help us provide better support. At a minimum, knowing your real domain name and a bit about your infrastructure (e.g. behind Cloudflare, VPS on some hosting provider, your own hardware) would help us greatly. Without that, we’re just wasting your time and ours stabbing in the dark.

Thank you for your support. There is no questionnaire presented when I create a topic. So I do not know which details could be important or helpful.
Edit: Additionally, I tested deactivating iptables entirely, and the renewal was successful. There are four IP addresses attempting to connect to my server. Three of them were blocked by iptables.

Thank you for your support again,

Franz
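The situation in this thread is that the access log proves one validation source reached the server, while the ACME error reports a timeout, because the other validation sources were dropped by iptables and therefore never produced a log line at all. The following added script (not from the thread or from Let's Encrypt) parses Apache combined-format access log lines, groups the acme-challenge requests by token and source IP, and compares the sources actually seen against the number of validation sources the operator expects (four in this thread). The log lines are a constructed sample: the first is the line quoted in the thread, the other two are made up; the path prefix, the regex and the `validation_report` function are all assumptions of this example.

```python
import re
from collections import defaultdict

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# http-01 challenge files are served under this path (RFC 8555 well-known prefix)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample: line 1 is the one from the thread, lines 2 and 3 are made up
# (a non-ACME request and a second validator hit with a 404) so grouping has something to show.
SAMPLE_LOG = """\
66.133.109.36 - - [30/Nov/2017:21:46:00 +0100] "GET /.well-known/acme-challenge/tYa9u5rqyM8yYwUBAXCqeh_WNqzV41oXU23LbRSCkaM HTTP/1.1" 200 354 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [30/Nov/2017:21:46:01 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.55.1"
203.0.113.9 - - [30/Nov/2017:21:46:03 +0100] "GET /.well-known/acme-challenge/tYa9u5rqyM8yYwUBAXCqeh_WNqzV41oXU23LbRSCkaM HTTP/1.1" 404 210 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def acme_challenge_hits(lines):
    """Return {token: {source_ip: [status, ...]}} for every request under the challenge path."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue
        token = rec["path"][len(CHALLENGE_PREFIX):]
        hits[token][rec["ip"]].append(int(rec["status"]))
    return {token: dict(by_ip) for token, by_ip in hits.items()}


def validation_report(lines, expected_sources):
    """Per token: how many validator sources reached the server, how many got only 200s,
    and how many are missing relative to `expected_sources` (e.g. the count seen in
    firewall logs). A missing source was never answered, so it cannot appear in the
    access log; that gap, not the 200 from the sources that got through, is the signal."""
    report = {}
    for token, by_ip in acme_challenge_hits(lines).items():
        seen = len(by_ip)
        ok = sum(1 for statuses in by_ip.values() if all(s == 200 for s in statuses))
        report[token] = {
            "sources_seen": seen,
            "sources_ok": ok,
            "sources_missing": max(expected_sources - seen, 0),
        }
    return report


if __name__ == "__main__":
    # Assumed: four validation sources, as observed in the thread via iptables
    for token, summary in validation_report(SAMPLE_LOG.splitlines(), 4).items():
        print(token, summary)
```

Run against a real access_log (`validation_report(open("/var/log/apache2/access.log").readlines(), n)`), a token with `sources_missing` greater than zero while the ACME server reports a timeout points at the path between the validator and the web server (firewall, rate limiting, routing) rather than at the challenge file itself.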
