Is there any problem in my settings?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:sudo certbot certonly --webroot -w ./public -d

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /home/ubuntu/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Connection refused


  • The following errors were reported by the server:

    Type: connection
    Detail: Fetching
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Not have. I upload python file and run it directly. (Flask project)

The operating system my web server runs on is (include version): Description: Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is: AWS(EC2)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, I use terminal.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.27.0

I checked DNS and my domain, AWS instance(security) settings.
DNS type: A
Host: @
IP: (my AWS instance IP)
TTL: 600

and AWS instance:

also, ufw atatus is Inactivated.

Hi, your AWS network rules look OK. Does curl work from the server itself?

  • If it does work there does seem to be a firewall blocking connections.
  • If not then there is nothing configured to listen on port 80.

Once you get working your domain validation should also work.


I tried and saw
curl: (7) Failed to connect to port 80: Connection refused

it means I have to configure to listen on port 80? how can I do this?

this is /etc/hosts in my AWS instance.

As you are using flask I assume this might mean configuring your listening ports in your app, however as far as I'm aware Flask is not a production web server itself and you should really run it behind a reverse proxy such as Caddy, nginx or apache Caddy has the benefit of automatically setting up https for you.

You can also just use the --standalone mode of certbot to cert your initial certificate (it does this by running a temporary http listener on port 80).


Oh, I using Flask.

Yesterday, I tried port opening use iptables and ufw on/off, but now I cannot access my site. It refuse all of connecton although port are opened in AWS Inbound.

when I learn about that, lecture did not teach about HTTPS and nginx, apache. It is too hard for me...

Yes, initially all of this stuff is quite complex. Luckily though it doesn't change that much over the years so once you know enough to get apps working etc there's not a whole lot more you need to do. I suggested Caddy because it's relatively new and getting it to work as a reverse proxy (an https front-end for your flask web server) is relatively straightforward: Reverse proxy quick-start — Caddy Documentation

Regarding your firewall, you probably switched it on when it was off before, you'll need to ssh into your server and turn that off (or configure which TCP ports to open). If you've accidentally blocked SSH at the OS level and now have no way to administer the server then you may be quicker recreating the VM (you can do things like attaching the disk to a different instance to recover data if required).


Altough I tried nginx, it occurs 'No such files or Directory' when I execute ini file, but I can install Certbot when I solute that problem.

@koreanraichu not sure what you mean by ini file? nginx has it's own .conf files and systemd has an ini-style formatted file to define services, is it one of those files? Or is the ini file related to Flask?