Error 400 while trying to add a subdomain to a certificate

hi people who are smarter then me

My domain is the subdomain im trying to add is

I ran the command

sudo certbot -d --expand

It produced this output

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Type: connection
Detail: [public ip address redacted] : Fetching Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is nginx version: nginx/1.22.1

The operating system my web server runs on is Arch linux Kernel: 6.0.12-arch1-1

I can login to a root shell on my machine
I'm Not using a control panel to manage my site
The version of my client is Certbot 2.3.0

the server that the subdomain points to is proxy passed from the nginx server to a jellyfin server
when visiting the subdomain in its current state it gives the error NET::ERR_CERT_COMMON_NAME_INVALID
(this is what im trying to fix)

Port 80 needs to be open for the nginx authenticator plugin to work, as it uses the http-01 challenge.

Previously you managed to get a wildcard certificate for *, which would also cover your subdomain Did something change in the mean time?


thanks for the fast reply
nothing had changed, i dont understand why the wildcard worked.
after allowing port 80 it worked adding the subdomain

maybe certbot should have " make sure port 80 points to this server " or somthing similar in the error message.

trying to access it is now saying too many redirects

1 Like

I'm pretty sure even novice users should be able to deduct the http:// scheme in combination with "timeout during connect" to port 80. Also, the error message itself is not from Certbot, but from the ACME server.

It seems you didn't --expand an existing certificate for actually, but issued a cert just for the subdomain: | 9166887715

I'm curious by the way: why would you redact the public IP address? Anyone can simply resolve your hostname to that IP address? What's the point in redacting?


i dont really understand how https and this sorta stuff works.
so now that the certificate for is expanded.
how do i get rid of the certificate i accidently made for
and how do i solve the too many redirects issue

for the public ip thing it just felt like the right thing to do im not very smart

You did not expand that existing certificate, but issued a new one just for the sofa subdomain. At least it doesn't show up on | and there seems to be no backlog currently on, so if you did issue an expanded cert, it should have shown up by now already.

If you're absolutely sure you don't need a certificate any longer, you can delete it. Please see the Certbot documentation about deleting certs here: User Guide — Certbot 2.6.0 documentation

That's a nginx issue and this is not a nginx support Community I'm afraid.


im sorry im really confused.
i think im just gonna remove all the certificates and start again after reading thru the documantation a bit more

thank u for ur time

That's very unnecessary and unnecessarily deleting certificates can lead to hitting rate limits, which could make you end up without any certificate at all and not able to issue a new one.

A good place to start is to check what you currently have in Certbot by running:

sudo certbot certificates

well it did say

Found the following certs:
Certificate Name:
Serial Number: 4f34cc214c0c9b6336b6e68e1dc56567a49
Key Type: ECDSA
Expiry Date: 2023-06-09 12:49:57+00:00 (VALID: 53 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Serial Number: 4fc157b3b3cf6c8e39efc309a75dcb96ed1
Key Type: ECDSA
Expiry Date: 2023-07-15 15:38:59+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

but i removed them before reading your reply so im back at square one

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.