Fail to recreate certificates for subdomains, domain had connectivity issues

Hello, community, I'm out of guesses of how to solve it on my own, so I really hope that I can get some help from you

I have tried to renew certificates (renewal wasn't needed) after which I have tried to recreate the entire deployment (docker-compose setup with nginx and certbot - after initial failed attempt with
--force-renewal option, I have continued with --staging option), however certbot is failing due to requests.exceptions.ConnectTimeout

Here are the requested details:

My domain is:

I ran this command: in docker-compose
certonly --webroot --webroot-path=/var/lib/letsencrypt --email --agree-tos --no-eff-email --staging -v -d -d

It produced this output:

certbot  | Plugins selected: Authenticator webroot, Installer None
certbot  | An unexpected error occurred:
certbot  | requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f7372856170>, 'Connection to timed out. (connect timeout=45)'))
certbot  | Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx/1.23.4

The operating system my web server runs on is (include version): nginx:mainline-alpine (docker image)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot/certbot (latest docker image)

Tried some of the troubleshooting found here:

curl -4v

*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject:
*  start date: Apr 29 18:16:44 2023 GMT
*  expire date: Jul 28 18:16:43 2023 GMT
*  subjectAltName: host "" matched cert's ""
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5567c13a08f0)
> GET /directory HTTP/2
> Host:
> user-agent: curl/7.68.0
> accept: */*
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx
< date: Mon, 22 May 2023 12:16:36 GMT
< content-type: application/json
< content-length: 826
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
  "_EJujV-egZM": "",
  "keyChange": "",
  "meta": {
    "caaIdentities": [
    "termsOfService": "",
    "website": ""
  "newAccount": "",
  "newNonce": "",
  "newOrder": "",
  "renewalInfo": "",
  "revokeCert": ""
* Connection #0 to host left intact

curl -6v (but we don't have support for ipv6)

*   Trying 2606:4700:60:0:f41b:d4fe:4325:6026:443...
* Immediate connect fail for 2606:4700:60:0:f41b:d4fe:4325:6026: Network is unreachable
* Closing connection 0
curl: (7) Couldn't connect to server

Did you run those two curl commands in your docker-compose ?

Because you can clearly reach the Let's Encrypt staging api using IPv4 from whatever context you ran it from. Looks like you do not have IPv6 configured (which is fine as you don't have IPv6 record in your DNS either)

Your certbot command in docker compose is not able to reach the public internet.


my bad, I have been running commands just from the instance terminal, not from docker

when run from docker it produced these outputs:

curl -6v
*   Trying [2606:4700:60:0:f41b:d4fe:4325:6026]:443...
* Immediate connect fail for 2606:4700:60:0:f41b:d4fe:4325:6026: Address not available
* Failed to connect to port 443 after 4 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to port 443 after 4 ms: Couldn't connect to server
curl -4v
*   Trying
* connect to port 443 failed: Operation timed out
* Failed to connect to port 443 after 130256 ms: Couldn't connect to server
* Closing connection 0
curl: (28) Failed to connect to port 443 after 130256 ms: Couldn't connect to server

I would quit trying IPv6 because you don't seem to have the comms working.

I think you just have to fix your docker comms. Try

curl -4v

your were correct, docker had no connection to public internet
rebooting instance helped
thank you so much!