Fetching {domain}/.well-known/acme-challenge/{token} Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Identifier: robertvandeneynde.ru
  Type:   connection
  Detail: {ip}: Fetching http://robertvandeneynde.ru/.well-known/acme-challenge/{token}: Timeout during connect (likely firewall problem)
  • My web server is (include version): nginx/1.24.0
  • The operating system my web server runs on is (include version): Ubuntu 24.04.4 LTS
  • I can login to a root shell on my machine (yes or no, or I don't know): yes
  • The version of my client is: certbot 5.3.1

My tests:

  • The IP in the output is correct (DNS A record propagated).
  • I manually created a directory /var/www/html/.well-known
  • I manually created a directory /var/www/html/.well-known/acme-challenge
  • When I create a file in acme-challenge, I can read it from my browser
  • This file is readable both from an IP in Russia and using a VPN to be outside of it
  • The firewall is disabled (otherwise I would not be able to read the file)
  • I searched online and DuckDuckGo AI for more than 1h; this is my last resort

Thanks in advance

Edit: I ran certbot with sudo.
Edit: The output says "nginx" instead of "webroot" (but it wasn't working with webroot or standalone either).
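The manual checks listed in the post (create the directory, drop a file in it, fetch it over HTTP) can be reproduced as a small self-test that separates the failure modes the thread talks about. The following is an added example, not code from the original post or from certbot: it writes a token file where `certbot --webroot` would write it, then fetches `http://host/.well-known/acme-challenge/{token}` with a connect timeout the way the CA's validation server does, and reports `connect-timeout` (TCP never completed), `connection-refused`, `http-404`, `wrong-content` or `ok`. The self-test serves a temporary webroot with Python's `http.server` on localhost; the token and key-authorization strings are constructed values.

```python
import functools
import http.server
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_challenge(webroot, token, key_authorization):
    """Create the token file exactly where certbot --webroot would put it."""
    path = Path(webroot) / CHALLENGE_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_authorization)
    return path


def fetch_challenge(base_url, token, expected, timeout=10):
    """Fetch the challenge URL like the CA does and classify the outcome."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "webroot-selftest"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"          # server reached, wrong path/config
    except urllib.error.URLError as e:
        reason = e.reason
        if isinstance(reason, TimeoutError):
            return "connect-timeout"     # the error in the thread: TCP never completes
        if isinstance(reason, ConnectionRefusedError):
            return "connection-refused"  # host reachable, nothing listening on the port
        return f"error: {reason}"
    except TimeoutError:
        return "read-timeout"            # connected, but the response never arrived
    return "ok" if body == expected else "wrong-content"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging to stderr."""

    def log_message(self, *args):
        pass


def serve_webroot(webroot):
    """Serve a directory on an ephemeral localhost port in a background thread."""
    handler = functools.partial(_QuietHandler, directory=str(webroot))
    httpd = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, f"http://127.0.0.1:{httpd.server_address[1]}"


def _closed_local_port():
    """Pick a port that nothing is listening on, to provoke 'connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_test():
    """Exercise every classification against a local webroot (constructed data)."""
    token = "constructed-token-123"
    key_auth = token + ".constructed-account-thumbprint"
    with tempfile.TemporaryDirectory() as webroot:
        httpd, base = serve_webroot(webroot)
        try:
            write_challenge(webroot, token, key_auth)
            results = {
                "present": fetch_challenge(base, token, key_auth),
                "missing": fetch_challenge(base, "no-such-token", key_auth),
                "mismatch": fetch_challenge(base, token, "something-else"),
                "refused": fetch_challenge(
                    f"http://127.0.0.1:{_closed_local_port()}", token, key_auth, timeout=3
                ),
            }
        finally:
            httpd.shutdown()
            httpd.server_close()
    return results


if __name__ == "__main__":
    for name, outcome in self_test().items():
        print(f"{name}: {outcome}")
```

Against a real host, call `fetch_challenge("http://robertvandeneynde.ru", token, key_auth)` from several vantage points after placing the file. A `connect-timeout` from a vantage point that otherwise cannot reach the site is a network-path or filtering problem that no webroot, nginx or certbot setting will change, which is what the later replies in this thread conclude; `http-404` or `wrong-content` means the webroot path nginx serves is not the one certbot writes to.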

Isn't this error message pretty clear? Testing shows your site isn't reachable from many places around the world:

3 Likes

Maybe so but it is reachable per other tests. The Let's Debug server reaches it from its own location although the LE Staging test fails with timeout: Let's Debug

I can reach it from my own AWS servers. And, this test site which we use often reaches it from everywhere: Check website performance and response : Check host - online website monitoring

That said, it does look like some kind of comms problem possibly affecting just the Primary LE center which uses a Cloudflare product for outbound comms. Or, a selective firewall affecting the Primary LE IP. If it is a comms problem it is far more likely to be nearer their location than near the LE center.

I checked but it does not look like a Palo Alto firewall problem

3 Likes

Thanks, apparently yes, it isn't available from LE servers, but available from a lot of other places (like your AWS Server, my location, my location in VPN).

I thought about doing DNS-01 challenge, but then I used another technique:

  • Generate the PEM files on my other server (US based) and then copy them to my .ru server

But I will probably not be able to do the automatic renewal, we'll see in 3 months.

1 Like

Sometimes "backbone" network problems get fixed as those providers resolve the problem on their own. Maybe try again in a few days.

If it persists the DNS Challenge is an option. You could write your own --manual-auth-hook for Certbot. Or, use a different ACME Client that supports reg.ru directly like lego: reg.ru :: Let’s Encrypt client and ACME library written in Go.

4 Likes

I recommend configuring IPv6 if your hosting provider allows it. This solved the problem for me.

2 Likes