Issues renewing certificates due to challenge/response fails

My domain is: aquarius.je

I ran this command: certbot renew --dry-run

It produced this output:
Fetching http://aquarius.je/.well-known/acme-challenge/cg6W1FJsdUAa2wpfqmOcbuRtwX0-yQcKKwGkFTzBd68: Timeout during connect (likely firewall problem)

My web server is (include version):
Apache/2.4.52 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04.1 LTS

My hosting provider, if applicable, is:
ME

I can login to a root shell on my machine (yes or no, or I don't know):
YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.32.1

Further Info:
Port 80 is disabled - I won't run a web server with it enabled - regardless of the "port 80 doesn't matter"
DNS is hosted by myself on different servers using Bind.

I am struggling to renew a cert without having to go onto the server and use
ufw allow 80
certbot renew
ufw delete ....

I can add a record to DNS - just not via API - why should I have to enable port 80 for the challenge response?

TIA for any pointers,

Mack

Well, you need to pick one of the challenge types that Let's Encrypt supports for validating that you own the name. All of them require having some system & port which is open to the world (at least while the challenge is happening), so that Let's Encrypt can validate that you actually own the name as seen by everyone in the world.

For many people, it's easiest to use the port 80 HTTP-01 method. If you don't, that's fine, but that means you need to use TLS-ALPN-01 (if you have DNS & 443 available to the world) or DNS-01 (if you only have DNS available to the world). TLS-ALPN-01 requires a client that's more sophisticated than certbot, and DNS-01 requires (ideally) scripting the changes to the DNS provider.

Well, you can use the pre-hook and post-hook functionality in certbot to script these commands, so that the ports are only open when the renewal is running, if that's all you're looking for.

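An added example, not from the thread, of the pre-hook/post-hook approach suggested above: a single POSIX shell script that certbot calls as both hooks, so 80/tcp is open in ufw only while the validation is actually running. It assumes ufw, as on the Ubuntu host in the question, and a hypothetical install path such as /usr/local/sbin/acme-port80.sh.

```shell
#!/bin/sh
# acme-port80.sh (hypothetical path: /usr/local/sbin/acme-port80.sh)
# Opens 80/tcp in ufw only while certbot is validating, then closes it again.
# certbot runs the pre-hook only when a certificate is actually due, and the
# post-hook after the attempt whether or not it succeeded (unlike --deploy-hook,
# which runs only on success), so the rule never outlives the renewal run.
set -eu

UFW="${UFW:-ufw}"   # firewall command; overridable for tests or a dry run
RULE="80/tcp"       # HTTP-01 needs TCP/80 reachable from Let's Encrypt's validators

# Pre-hook: permit inbound 80/tcp. ufw skips an already-existing rule, so a
# rerun after an interrupted renewal is harmless.
acme_pre_hook() {
    "$UFW" allow "$RULE"
}

# Post-hook: remove the rule added above and confirm it is really gone.
acme_post_hook() {
    "$UFW" delete allow "$RULE"
    if "$UFW" status | grep -q "^$RULE"; then
        echo "acme-port80: $RULE still permitted after delete" >&2
        return 1
    fi
}

# Wrapper: run the renewal with this script as both hooks. Extra arguments
# (e.g. --dry-run) are passed straight through to certbot.
acme_renew() {
    self=$(readlink -f -- "$0")   # hooks need an absolute path when run from cron
    certbot renew --pre-hook "$self pre" --post-hook "$self post" "$@"
}

case "${1:-}" in
    pre)   acme_pre_hook ;;
    post)  acme_post_hook ;;
    renew) shift; acme_renew "$@" ;;
esac
```

Run it once as `acme-port80.sh renew --dry-run` to confirm both hooks fire; certbot will also pick the hooks up without any flags if the pre and post halves are installed as executables under /etc/letsencrypt/renewal-hooks/pre/ and /etc/letsencrypt/renewal-hooks/post/.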

Maybe you aren't willing to go into this, but I'm very curious to know why.


Let's just say Infosec.... (not I fight I will win)

By Jove, I think that may be exactly what I'm looking for - bit of a hack, but it will do the job
