Could not connect to .well-known


More than 30 days ago, I created the first LE certificates on some of my domains. Everything worked out great. Today I wanted to secure the missing domains with LE. I got this message:

I started the routine with:
sudo /opt/letsencrypt/letsencrypt-auto certonly --webroot --rsa-key-size 4096 -w /var/www/ -d -d

_ - The following errors were reported by the server:_

_ Domain: XYZ.de_
_ Type: connection_
_ Detail: Could not connect to url /.well-known_
_ /acme-challenge_

_ Domain:xyz_
_ Type: connection_
_ Detail: Could not connect to url/.well-_
_ known/acme-challenge_

_ To fix these errors, please make sure that your domain name was_
_ entered correctly and the DNS A record(s) for that domain_
_ contain(s) the right IP address. Additionally, please check that_
_ your computer has a publicly routable IP address and that no_
_ firewalls are preventing the server from communicating with the_
_ client. If you’re using the webroot plugin, you should also verify_
_ that you are serving files from the webroot path you provided._


Then I wanted to know if the renewal of the existing certificates works or fails with the same message. Fortunately for me, the renewal worked flawlessly.

Thaks in advance.


Can you verify that you’re able to manually browse to a file in
Try putting a file called test in there (with some random content) and make sure your browser is able to open it.


Please provide more information about the steps you’re following to produce this error.
Which client are you using to request certificates for Is some other server perhaps running on port 80 for that domain?


Yes. My Server is a multidomainserver.


I try:

sudo /opt/letsencrypt/letsencrypt-auto certonly --webroot --rsa-key-size 4096 -w /var/www/clients/client2/ -d -d



I’m using ISPconfig. And in the past all things does well


Please provide output of:
sudo netstat -plant | grep “:80”


tcp 0 0* LISTEN 7007/apache2
tcp 0 0* LISTEN 7007/apache2
tcp 0 0* LISTEN 7007/apache2
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -
tcp 0 0 TIME_WAIT -


You’ve asked it to run the acme challenge on port 80 but your apache instance is already bound to 80 on all interfaces:
tcp 0 0* LISTEN 7007/apache2

Try stopping apache and then rerunning the command.


It doesn’t help. I am wondering because, when the apache isn’t working, LE is uanble to connect and verify the client.


@sleepypikachu: --webroot doesn’t bind to any port, it just puts challenge files in a directory. The existing web server (apache) is supposed to serve the challenge files.

@MikeFrizz: Take a look at my reply ( is your domain in this example):


D’oh. My bad, thanks for clearing that up.


I have a directory called .well-known only. There is no directory in there.


The client automatically deletes it afterwards. Try putting a test file in .well-known/acme-challenge and try browsing to it.


After I manually created a directory acme-challenge, I could display the contents of the file TEST in the browser.


Is one of the affected domains behind a firewall that blocks access from the public internet?

If you wouldn’t mind sharing the URL to your test file, that would probably help analyze the problem. Note that all domains you request a certificate for a published to Certificate Transparency log servers, so they are in some way already public anyway.




Looks good to me. Try running the client with -vvvv and paste the contents of /var/log/letsencrypt/letsencrypt.log here.


sudo /opt/letsencrypt/letsencrypt-auto certonly --webroot --rsa-key-size 4096 -w /var/www/clients/client2/ -d -d -vvvv


Sorry. Did not work.


Not sure I follow. What did the client return? What’s in your /var/log/letsencrypt/letsencrypt.log?