But the access log clearly shows that the challenge file was accessed:

    - - [14/Mar/2022:16:11:35 +0100] "GET /.well-known/acme-challenge/E1Sc49QMYsmfV_JO5R8i_s-Kn6PDDopWc0Cf0lZmnG0 HTTP/1.1" 200 89

I can also download the challenge file from the given location manually from an outside network without a problem.

Any idea what goes wrong?

Does your firewall filter connections from the rest of the world?

(Have you tried running your command again, maybe using the staging environment?)


I tried several times. The manual download works from different countries. There is no proxy in place somewhere in between.

There should be 4 requests.


Interesting. I can only see one from the shown IP address. Why could the other three have a problem with the same server?

Could be regional differences, such as regional firewalls.


Most likely. The one seen in the log was from an LE Germany server and should also see up to 3 US-based LE servers.

Less likely a "smart" firewall blocking multiple identical requests from different locations.
Like a very sensitive DDoS prevention.


I have forwarded this information to the IT department. Thanks.


IT came back saying that they have a regional block for the US. Is there any official documentation which Let's Encrypt server IP addresses must be allowed for validation?

The official documentation explicitly tells you that they won't tell you the IP addresses for the validation bots. They are hosted on several cloud providers and might change without prior warning.

Right now, there should be four (might change) of which three (might change) are in the US (might change) and one (might change) is in Europe (not sure if NL or DE) (might change).

If you want to block HTTP from the US but can keep your DNS nameservers reachable, you can use the dns-01 validation method instead.
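As an added example (not code from this thread or from Let's Encrypt), the following Python script groups acme-challenge GETs in a Common Log Format access log by challenge token and counts distinct client IPs, flagging any token that was not fetched from the expected number of validation vantage points (four, as stated in the thread); the sample log lines, tokens and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Common Log Format line; the client IP is the first field.
# The path is the http-01 challenge location used by Let's Encrypt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+) HTTP/1\.[01]" '
    r'(?P<status>\d{3}) '
)

# The thread says four validation requests are expected (one EU, three US).
# This number is an assumption taken from the thread and can change.
EXPECTED_VANTAGE_POINTS = 4

def summarize_challenges(lines, expected=EXPECTED_VANTAGE_POINTS):
    """Group acme-challenge GETs by token and report per-token completeness."""
    by_token = defaultdict(lambda: {"ips": set(), "non_200": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a challenge request; ignore
        entry = by_token[m["token"]]
        entry["ips"].add(m["ip"])
        if m["status"] != "200":
            entry["non_200"] += 1
    report = {}
    for token, e in by_token.items():
        report[token] = {
            "distinct_ips": len(e["ips"]),
            "non_200": e["non_200"],
            # Fewer distinct client IPs than vantage points suggests some
            # validators never reached the server (e.g. geo-blocking).
            "complete": len(e["ips"]) >= expected and e["non_200"] == 0,
        }
    return report

# Constructed sample log: tokenA fetched from a single IP (the symptom in the
# thread), tokenB fetched from four distinct IPs. IPs are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Mar/2022:16:11:35 +0100] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 89
198.51.100.7 - - [14/Mar/2022:16:20:01 +0100] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 89
198.51.100.8 - - [14/Mar/2022:16:20:01 +0100] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 89
203.0.113.5 - - [14/Mar/2022:16:20:02 +0100] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 89
192.0.2.11 - - [14/Mar/2022:16:20:02 +0100] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 89
192.0.2.12 - - [14/Mar/2022:16:21:00 +0100] "GET /index.html HTTP/1.1" 200 512
""".splitlines()

if __name__ == "__main__":
    for token, r in summarize_challenges(SAMPLE_LOG).items():
        flag = "OK" if r["complete"] else "INCOMPLETE (check regional/geo blocking)"
        print(f"{token}: {r['distinct_ips']} distinct client IPs, {r['non_200']} non-200 -> {flag}")
```

Run it against a real access log with `summarize_challenges(open(path))` after a failed issuance; a token with fewer distinct IPs than expected points at a network-level block rather than a webserver misconfiguration.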


Thank you. I probably missed this in the docs.


