DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message

My domain is: XXX.sn.mynetname.net

I ran this command: certbot certonly --standalone -d XXX.sn.mynetname.net -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for XXX.sn.mynetname.net
Performing the following challenges:
http-01 challenge for XXX.sn.mynetname.net
Waiting for verification...
Challenge failed for domain XXX.sn.mynetname.net
http-01 challenge for XXX.sn.mynetname.net

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: XXX.sn.mynetname.net
  Type:   connection
  Detail: During secondary validation: 11.11.11.11: Fetching http://XXX.sn.mynetname.net/.well-known/acme-challenge/egSYsxxwILq9c_AB26Fp9z3qBPKL1QPwGSMagwspeCg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges

My web server is (include version): Debian 12

I can login to a root shell on my machine (yes or no, or I don't know): yes, own server

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.2.2

I've tried to install nginx on port 80 and it works just fine. But I can't get a certificate through nginx either.

I'm not quite sure what your topic title has to do with the content of your message. But your site has to be accessible over http on port 80 before you can get a certificate for it.

Here's a site I used for testing, showing that your site is not reachable: https://check-host.net (Check website performance and response: Check host - online website monitoring)


HTTP requests using your domain name fail, though. The name resolves to the same IP, so something else on your end must not like something about it. These are the kinds of requests that the Let's Encrypt server is sending to you to validate your domain.

Is nginx still running? Because debugging --standalone takes a special sequence of commands. Which of these do you want to debug?


Just restart nginx. Let's debug it; at least we can visually confirm it's working:
https://check-host.net/check-report/

We only needed to see the output from Certbot which said the same as your first post. Namely, that "Secondary validation" failed.

Let's Encrypt currently has 5 validation centers around the world. The primary center in the US must succeed. Then the remaining 4 secondary centers try to validate. At least 4 of the total 5 must succeed before issuing the cert. Because the error says "secondary" we know the primary succeeded but 2 or more of the secondary failed.

Usually this is some sort of geographic based firewall at your center. But, that kind of firewall wasn't obvious from the results of that test site earlier.

What other kinds of firewalls do you have? Anything that blocks by IP or IP ranges?

It can be helpful to review your nginx access log after a failed request. It would be interesting to know how many of the http requests arrived.

Please just post data directly in this forum. It is easier for us to work with. My sandboxed server is isolated from my normal machine, for example.

From your latest log. You should have seen this same info on your terminal from Certbot.

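The access-log review suggested above, worked through as an added example that is not part of the thread or of Certbot. It assumes nginx is the process answering on port 80 (so the challenge fetches land in its access log, in the default combined format) and that the log is available locally. The sample log lines and source IPs are constructed for the example; the token is the one from the Certbot output in the first post. The script cannot tell which addresses belong to Let's Encrypt validation centers; it only counts distinct sources per challenge token and compares that with the 4-of-5 quorum described in the reply, so a token with fewer arrivals than expected points at connections being dropped before they reach nginx, which is consistent with the "Timeout during connect" error.

```python
import re
from collections import defaultdict

# Constructed nginx access log sample (combined log format). The IPs are
# documentation-range addresses chosen for this example, not real
# Let's Encrypt validation servers. The token is the one from the first post.
SAMPLE_LOG = """\
198.51.100.10 - - [10/May/2024:12:00:01 +0000] "GET /.well-known/acme-challenge/egSYsxxwILq9c_AB26Fp9z3qBPKL1QPwGSMagwspeCg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /.well-known/acme-challenge/egSYsxxwILq9c_AB26Fp9z3qBPKL1QPwGSMagwspeCg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.55 - - [10/May/2024:12:00:02 +0000] "GET /.well-known/acme-challenge/egSYsxxwILq9c_AB26Fp9z3qBPKL1QPwGSMagwspeCg HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
203.0.113.200 - - [10/May/2024:12:00:03 +0000] "GET /.well-known/acme-challenge/egSYsxxwILq9c_AB26Fp9z3qBPKL1QPwGSMagwspeCg HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.99 - - [10/May/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"
"""

# nginx "combined" format: ip - user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def challenge_requests(log_text):
    """Return parsed entries whose path is an http-01 challenge fetch, with the token split out."""
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["path"].startswith(CHALLENGE_PREFIX):
            entry["token"] = entry["path"][len(CHALLENGE_PREFIX):]
            out.append(entry)
    return out


def summarize(log_text, expected_perspectives=5, required=4):
    """Per token: how many distinct sources arrived, how many got a 200, how many
    never showed up at all, and whether the 4-of-5 quorum could have been met.
    A source that never appears in the log was blocked before nginx saw it."""
    by_token = defaultdict(lambda: {"ips": set(), "ok": set(), "failed": set()})
    for e in challenge_requests(log_text):
        bucket = by_token[e["token"]]
        bucket["ips"].add(e["ip"])
        (bucket["ok"] if e["status"] == "200" else bucket["failed"]).add(e["ip"])
    report = {}
    for token, b in by_token.items():
        arrived = len(b["ips"])
        report[token] = {
            "arrived": arrived,
            "succeeded": len(b["ok"]),
            "failed": len(b["failed"]),
            "missing": max(expected_perspectives - arrived, 0),
            "quorum_met": len(b["ok"]) >= required,
        }
    return report


if __name__ == "__main__":
    for token, r in summarize(SAMPLE_LOG).items():
        print(f"token {token[:12]}...: {r['arrived']} sources arrived, "
              f"{r['succeeded']} succeeded, {r['failed']} failed, "
              f"{r['missing']} never reached nginx, quorum met: {r['quorum_met']}")
```

Run it against the real log with `summarize(open("/var/log/nginx/access.log").read())` right after a failed Certbot attempt. With the constructed sample, four sources reached nginx but only three succeeded, so the quorum is not met and one vantage point never arrived; on a host where the primary validation passed but secondaries timed out, the missing count is the number to chase in the firewall or routing layer in front of nginx.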

Thank you Mike! Now I know where to dig. As Certbot says, it's a firewall or routing issue. I see some incoming connections that are stuck in a half-open state.

