Issue installing cert

My domain is:

I ran this command: sudo certbot --nginx

It produced this output:

2019-09-06 05:53:11,336:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Type: connection
Detail: Fetching Timeout during connect (likely firewall problem)

2019-09-06 05:54:51,749:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 06 Sep 2019 05:54:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 06 Sep 2019 05:54:51 GMT
Connection: keep-alive

“keyChange”: “”,
“meta”: {
“caaIdentities”: [
2019-09-06 05:54:53,919:INFO:certbot.main:Obtaining a new certificate
2019-09-06 05:54:53,959:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0004_key-certbot.pem
2019-09-06 05:54:53,962:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0004_csr-certbot.pem
2019-09-06 05:54:53,962:DEBUG:acme.client:Requesting fresh nonce
2019-09-06 05:54:53,962:DEBUG:acme.client:Sending HEAD request to
2019-09-06 05:54:54,012:DEBUG:urllib3.connectionpool: “HEAD /acme/new-nonce HTTP/1.1” 200 0
2019-09-06 05:54:54,013:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Replay-Nonce: 0101kMvatW1Td6dfjsJ8ALFg8U1ztEPOpRagOU6YxY5dTMc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Fri, 06 Sep 2019 05:54:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 06 Sep 2019 05:54:54 GMT
Connection: keep-alive

My web server is (include version):
VERSION=“18.04.2 LTS (Bionic Beaver)”

The operating system my web server runs on is (include version):
VERSION=“18.04.2 LTS (Bionic Beaver)”
PRETTY_NAME=“Ubuntu 18.04.2 LTS”

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I have tried allowing all traffic on port 80 and then running the command " sudo certbot --nginx" but i get the same error. Can you help me fix this please


Are you sure it was exactly the same error the last time you tried, including the Timeout during connect part?

From what I can tell, right now Let's Encrypt has no issues connecting to your server.

Hi @Eva

your server answers ( ):

Domainname Http-Status redirect Sec. G 200 0.243 H -14 10.030 T
Timeout - The operation has timed out 404 0.210 A
Not Found

That looks good, checking /.well-known/acme-challenge/random-filename has the expected result http status 404 - Not Found.

Did you change something?

PS: There is no older Letsencrypt certificate.

I’m trying to install the cert for the first time now.

To add to, i was following the steps mentioned here -

Try it one time again:

sudo certbot --nginx -d

There is no timeout visible.

answers, so --nginx should work or should show another error message.

If that doesn't work, add -vvv to the command and share the output. Perhaps via pastebin.

Hi Juergen
I tried sudo certbot --nginx -d and a cert got installed with no errors but my site is now inaccessible now. Wondering what is causing the issue

This is how my nginx config looks like :

user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/;

include /usr/share/nginx/modules/*.conf;

events {
worker_connections 1024;

http {
log_format main '$remote_addr - $remote_user [$time_local] “$request” ’
'$status $body_bytes_sent “$http_referer” ’
‘"$http_user_agent" “$http_x_forwarded_for”’;

access_log  /var/log/nginx/access.log  main;

sendfile            on;
tcp_nopush          on;
tcp_nodelay         on;
keepalive_timeout   65;
types_hash_max_size 2048;

include             /etc/nginx/mime.types;
default_type        application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See
# for more information.

from here

server {
server_name mydomain; # Or whatever you want to use
root /var/www/html/Cachet/public;
index index.php;

location / {
    add_header Strict-Transport-Security max-age=15768000;
    try_files $uri /index.php$is_args$args;
location ~ \.php$ {
            include fastcgi_params;
            fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_index index.php;
            fastcgi_keep_conn on;
            add_header Strict-Transport-Security max-age=15768000;

listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


server {
if ($host = mydomain) {
return 301 https://$host$request_uri;
} # managed by Certbot

server_name  mydomain;
listen 80 default;
return 404; # managed by Certbot



Rechecked your domain via - now you have a (good) redirect http -> https:

Domainname Http-Status redirect Sec. G 301 0.200 A -14 10.033 T
Timeout - The operation has timed out 301 0.200 A
Visible Content: 301 Moved Permanently nginx/1.14.0 (Ubuntu) -14 10.034 T
Timeout - The operation has timed out

And a new certificate:

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-09-06 2019-12-05 1 entries duplicate nr. 1

So the certificate creation has worked.

Is there again a firewall? You have to allow https.

Does your port 443 work internal?


My bad, i had not allowed traffic on port 443. Did it now and is working as expected. Thanks for your help Juergen!


1 Like

Yep, now it works. But it's a public website, so port 80 should answer. There is a timeout.

If not, the next renew doesn't work, Letsencrypt certificates are only 90 days valid. Next renew should start in 60 days, Certbot creates a cron job.


I have now opened port 80 too. Thanks for the info :slight_smile:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.