Connection refused [BadRequest :: urn:ietf:params:acme:error:connection]

Hi there,

We are receiving this error:
2025-04-10 10:49:21.378 -06:00 [INF] Submitting challenge for validation: REDACTEDDOMAIN http://REDACTEDDOMAIN/.well-known/acme-challenge/vGFM4O8sKCqrKlxoPw28Bvrxw6Ks0m4dB8lPED6_Rbc
2025-04-10 10:49:25.766 -06:00 [ERR] [Progress] Validation failed: REDACTEDDOMAIN
Response from Certificate Authority: During secondary validation: IP ADDRESS Fetching http://REDACTEDDOMAIN/.well-known/acme-challenge/vGFM4O8sKCqrKlxoPw28Bvrxw6Ks0m4dB8lPED6_Rbc: Connection refused [BadRequest :: urn:ietf:params:acme:error:connection]
2025-04-10 10:49:25.988 -06:00 [ERR] Validation of the required challenges did not complete successfully. Validation failed: REDACTEDDOMAIN
Response from Certificate Authority: During secondary validation: IP ADDRESS: Fetching http://REDACTEDDOMAIN/.well-known/acme-challenge/vGFM4O8sKCqrKlxoPw28Bvrxw6Ks0m4dB8lPED6_Rbc: Connection refused [BadRequest :: urn:ietf:params:acme:error:connection]

I did make a test.html file in the C:\inetpub\wwwroot.well-known\acme-challenge path and confirmed I could access from https:///REDACTEDDOMAIN/.well-known/acme-challenge/test.html

Any ideas would be nice. We are on 6.1.5.0

Of what exactly? Please realise not everyone on this Community is psychic.

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it (and make our life a lot harder). In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

This is Certify Certificate Manager 6.1.5.0 aka Certify the web.
For the domain, due to our policies, we must keep it redacted.

We are using IIS.

Well, without knowing your domain name, it's hard for people to tell you more than what the error message posted already says: From some locations, the connection to validate that you control the domain name is failing with a "connection refused" error. The "secondary validation" part of the message means that it could connect from a primary datacenter.

The most common case is a firewall that's set up to block from some parts of the world but not others. This FAQ may help explain what's going on there:

If you're willing to post your domain name into online tools, even though you're not willing to post it here, then you may want to look at the tools listed in that post to try connecting to your site from various places around the world.

Hi Peter,

Thanks for the resource. I did use the Let's Debug tool to identify what I believe is most likely the issue.

Thanks.