From Cloudflare to Let's Encrypt


Hi guys,

I’ve been using cloudflare on ubuntu nginx and recently i just installed Let’s encrypt but at the end I got the following error:


  • The following errors were reported by the server:

    Type: connection
    Detail: Fetching
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    root@w3:~# ss -tln
    State Recv-Q Send-Q Local Address:Port Peer Address:Port
    LISTEN 0 128 :80 :
    LISTEN 0 128 :22 :
    LISTEN 0 128 :::80 :::

    LISTEN 0 128 :::22 :::


From the browser i get this error:

This site can’t be reached took too long to respond.

Any assistance will be highly appreciated.

Best regards,


Findings thus far…

1.Multiple IPs:
2. Unable to connect to via both IPs:
Connecting to (||:80… failed: No route to host.
Connecting to (||:80… failed: Connection timed out.

Possibly unrelated but worth noting:

  1. WWW has 4 IPs (2 IPv4 + 2 IPv6) [CloudFlare]
    Addresses: 2606:4700:30::681c:372

  2. WWW site (through CF) also fails to reach the backend server.
    wget -6
    –2019-01-24 21:51:54--
    Resolving (… 2606:4700:30::681c:372, 2606:4700:30::681c:272,, …
    Connecting to (|2606:4700:30::681c:372|:80… connected.
    HTTP request sent, awaiting response… 301 Moved Permanently
    Location: [following]
    –2019-01-24 21:51:54--
    Connecting to (|2606:4700:30::681c:372|:443… connected.
    HTTP request sent, awaiting response… 523 Origin Unreachable
    wget -4
    –2019-01-24 21:55:37--
    Resolving (…,
    Connecting to (||:80… connected.
    HTTP request sent, awaiting response… 301 Moved Permanently
    Location: [following]
    –2019-01-24 21:55:37--
    Connecting to (||:443… connected.
    HTTP request sent, awaiting response… 522 Origin Connection Time-out


Ok, questions:
[1] Do you want your entire site to be behind CloudFlare?
[2a] Do you use both IPs (,
[2b] Are they working?


Hi Rudy,

  1. I was ideal at first to be behind cloudflare but my site got offline twice this month so I decided to let it go and rather just use Let’s encrypt

2a.Yes i use both ip’s from digital ocean and the 45.55 ip is just a fallback ip incase 159 faint.

2b. Yes both ip’s are accessible via ssh

Best regards,



Are there any firewalls that may be blocking port 80?
[Or Geo-Location blocking? Or any other block?]


By the way, DNS records are unordered. Each IP will receive approximately 50% of traffic.

Edit: That will make it tricky – though possible – to use Let’s Encrypt HTTP validation. You might want to use DNS validation, if your ACME client has a Cloudflare DNS plugin.


The site was accessible yesterday but down today, hence i decided to move from CF to Let’s. I don’t recall setting any geo blocking


It doesn’t look like CF is the reason the site is down :frowning:



Hi Matt

Ok maybe i should change dns from CF to Google dns… how about that


They’re both good DNS services, but when you have two A records, each one will receive about 50% of traffic.


DNS A and AAAA records don’t have costs associated to each entry (like MX records).


What makes you think the problem has anything to do with your DNS host?


Well it seems like I ran out option as i am not sure what to do now. Till there are any advises, I’ll have to fallback to a backup instance as I’ve been disconnected to too long.

Thanks for trying guys.

Best regards,


closed #15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.