Failure to poke my webserver from Cerbot servers

iulianwebdev · August 4, 2025, 3:54pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://mobilise.alzheimersresearchuk.org/

I ran this command: certbot renew -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mobilise.alzheimersresearchuk.org-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for mobilise.alzheimersresearchuk.org
Performing the following challenges:
http-01 challenge for mobilise.alzheimersresearchuk.org
Waiting for verification...
Challenge failed for domain mobilise.alzheimersresearchuk.org
http-01 challenge for mobilise.alzheimersresearchuk.org

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: mobilise.alzheimersresearchuk.org
  Type:   connection
  Detail: 185.61.132.68: Fetching http://mobilise.alzheimersresearchuk.org/.well-known/acme-challenge/SdGVNcXwOwn7PTSTdn5SzYsUJwH81Q0cbBx9zHVr71Y: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate mobilise.alzheimersresearchuk.org-0001 with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mobilise.alzheimersresearchuk.org-0001/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.23.3

The operating system my web server runs on is (include version): Ubuntu 22.04/ Alpine Linux v3.17 nginx image

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.0 (on Alpine)

There is no record of any request incoming from the Certbot servers to 185.61.132.68
I tested port 80 it seems to be working
.well-known/acme-challenge/index.html this seems to be opening via a curl request on http

I need help in debuggin this. Is there a DNS problem or firewall problem. Why isn't it reaching the webserver?

petercooperjr · August 4, 2025, 3:58pm

It looks like you have some sort of firewall blocking connections from many parts of the world, especially outside of Europe.

You may want to read this for more information on how Let's Encrypt checks from many different places in order to validate that you control the domain name:

iulianwebdev · August 4, 2025, 5:15pm

Oh! I see.
Are there any cerbot servers for Europe? Or based in Europe?

petercooperjr · August 4, 2025, 5:21pm

What you're calling "Certbot servers" are, in this case, "Let's Encrypt's servers". Let's Encrypt is the default certificate authority (CA) that certbot uses, though you can configure it to use another one instead. All CAs need to check from multiple locations, though perhaps some only check from within Europe for now. Let's Encrypt does do checks from Europe, in addition to other locations.

If you're specifically looking for a CA based in Europe rather than the US, you might want to consider BuyPass GO which is based in Oslo. Using it would just involve adding --server https://api.buypass.com/acme/directory to a certbot command used to get you a certificate. However, just because it's based in one place doesn't mean that's the only place it validates control of domain names from. Like I said, all CAs will need to check from multiple locations, and requirements are getting more strict (meaning requiring even more locations) over time.

As that FAQ states, generally one needs to allow for traffic that validates your control over the name, even if blocking other traffic. But specifics will depend on exactly what you're trying to block how and why.

iulianwebdev · August 5, 2025, 8:13am

I see. That makes sense!

Thank you for getting back to me! Much appreciated!

system · September 4, 2025, 8:14am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed authorization procedure. Timeout during connect (likely firewall problem) Help	4	813	September 8, 2021
Certbot autorenew and renew fails Help	11	12590	March 5, 2019
Can't renew with certbot and webroot Help	7	1723	October 3, 2017
Certbot - Renewal using HTTP-01 Doesn't Work Because Port 80 is Blocked Help	5	3007	July 10, 2017
Certbot renew fails with connection refused Help	30	2793	March 28, 2021

Failure to poke my webserver from Cerbot servers

Related topics