Impossible to validate. Fresh Debian 11, simple nginx conf, DMZ for the server, result: timeout, status 400

The problem: if I go to

Google Chrome downloads the file with no timeout. And when I do the validation I get
Timeout during connect (likely firewall problem).
And in the letsencrypt.log:

{
  "identifier": {
    "type": "dns",
    "value": ""
  },
  "status": "invalid",
  "expires": "2023-05-24T11:26:31Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": " Fetching Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "",
      "token": "GU9GC-bZ-JMXSTk00gQposH_ODpn6XRvpLBNR1_cChA",
      "validationRecord": [
        {
          "url": "",
          "hostname": "",
          "port": "80",
          "addressesResolved": [],
          "addressUsed": ""
        }
      ],
      "validated": "2023-05-17T11:26:31Z"
    }
  ]
}

My domain is:

I ran this command:
certbot certonly --webroot -w /home/akli/Documents/quranreadingapp --dry-run -d
or certbot certonly --dry-run --manual -d
It produced this output:

My web server is (include version): nginx

The operating system my web server runs on is (include version):
fresh debian 11
My hosting provider, if applicable, is:
at home
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): 1.12.0

Your domain must be reachable on the public Internet. I believe you have some sort of firewall blocking access. I cannot reach it with various tools on the public Internet. When you tested it with Chrome, was that from your own private network?


Hi, on Chrome, yes, this is from the private network, but I enter in the address bar

For me there is no problem accessing the website at

I have found these sites that do some external checks

and this one

They both report a problem getting the file from
But I don't understand the problem; I am just behind the ISP's router, and I enabled a DMZ towards the server. I am on another PC on the same network.

Do you have a mobile phone you could try? Turn off Wi-Fi so you use your provider's public Internet connection and see if you can connect to your domain that way.


Yes, it's strange: with Wi-Fi enabled it finds it, but with only the mobile ISP it doesn't find it.

If I try to access it while looking at the tcpdump, there are just two communications that happen 15s after loading the website:

sudo tcpdump -i enp0s31f6 port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp0s31f6, link-type EN10MB (Ethernet), snapshot length 262144 bytes
10:36:45.986569 IP > Flags [.], ack 3288506695, win 501, options [nop,nop,TS val 3192663785 ecr 3283457494], length 0
10:36:45.986598 IP > Flags [.], ack 1, win 505, options [nop,nop,TS val 3283502581 ecr 3192618753], length 0

I only have the possibility to do a DMZ because, strangely/commercially, they only accept port redirection for ports above 32000; otherwise we must pay for an 'ungrouped fiber'. It's the biggest ISP in France.

Edit: my file in sites-available:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    root /home/akli/Documents/quranreadingapp;
    index index.html;
}

nginx is running, of course.

But how to explain that I can access or from my home network and not externally?!

Edit: maybe the router answers the DNS query, so this is why I can go to and believe that all is OK.

Your ISP may be blocking port 80 and/or port 443. You say "home" network, so if that is a residential ISP that is possible.

Or, do you live in an area where your govt blocks sites?

Also, have you checked the router and any other comms gear for other firewall settings?


No, no, the French government doesn't block sites!

I am checking the router... but a DMZ is a pretty simple concept, so...

Presently I am seeing Ports 80 & 443 are filtered.

$ nmap -Pn -p80,443
Starting Nmap 7.80 ( ) at 2023-05-17 15:35 UTC
Nmap scan report for (
Host is up.
Other addresses for (not scanned): 2a01:e0a:2be:6ce0::1
rDNS record for

80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.34 seconds
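A self-check for the http-01 path that separates the "Timeout during connect" case in the log from a refused connection or a bad HTTP status, as an added example that is not from this thread or from Certbot; the host, token and helper names are assumptions. It should be run from outside the home network (mobile data, a VPS), for the reason discussed above: a router that answers DNS with the LAN address hides a blocked public port.

```python
import socket
import http.client

# Constructed placeholder token; the real one is whatever certbot writes
# under /.well-known/acme-challenge/ for the current order.
CHALLENGE_TOKEN = "constructed-token-for-demo"


def check_http01(host, port, token, timeout=10.0, addr=None):
    """Fetch the http-01 challenge file roughly the way the validator does.

    Returns a short classification:
      'ok'        HTTP 200 with a body
      'timeout'   connect/read timed out: the 'Timeout during connect
                  (likely firewall problem)' case from the log above
      'refused'   the host answered but nothing listens on the port
      'http-NNN'  a listener answered with a non-200 status
      'error: ..' any other socket error (e.g. network unreachable)
    `addr` pins the address to connect to, so a home router that answers
    DNS with the LAN address cannot mask a blocked public port.
    """
    path = f"/.well-known/acme-challenge/{token}"
    conn = http.client.HTTPConnection(addr or host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        return "ok" if resp.status == 200 else f"http-{resp.status}"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error: {exc.strerror or exc}"
    finally:
        conn.close()


def check_all_addresses(host, token, port=80, timeout=10.0):
    """Probe each A record separately, mirroring the validationRecord's
    addressesResolved / addressUsed fields, so a split-horizon answer
    from the router shows up as a LAN address in the result."""
    try:
        _, _, addrs = socket.gethostbyname_ex(host)
    except socket.gaierror as exc:
        return {host: f"dns-error: {exc}"}
    return {a: check_http01(host, port, token, timeout, addr=a) for a in addrs}


if __name__ == "__main__":
    # Replace the placeholder host with your own domain before running.
    for addr, verdict in check_all_addresses("example.invalid", CHALLENGE_TOKEN).items():
        print(f"{addr}: {verdict}")
```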

You could use the DNS-01 challenge of the Challenge Types - Let's Encrypt.


Yes, but if they want access to their site from the public internet they will have to resolve why it is fully blocked.


OK, I have found that the ISP has changed its way of managing IPs: due to the lack of IPv4 addresses, the ISP shares the IPs among 4 subscribers by dividing the ports into 4 slices. To have a "full stack IP", as they call it, you have to ask for it; it's free. I am waiting 30 min as asked by the ISP, will make it work, and I will close the topic if it works. Thank you @MikeMcQ @Bruce5051


You @MikeMcQ are absolutely 100% correct. :)


