Let's Encrypt Apache failed to install, some challenges have failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: e-inv.newarmada.biz

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d e-inv.newarmada.biz -v

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: e-inv.newarmada.biz
Type: connection
Detail: Fetching http://e-inv.newarmada.biz/.well-known/acme-challenge/SP2eJnOH2sIW3tku2ccglRcBIFkD2Vf971klln0WHBc: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Cloudflare and Hostinger

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Port 80 needs to be open to the public internet.

How do I open port 80 to the public internet?
I'm really sorry, I'm still a newbie at this.

You need to have your site working for HTTP to use that HTTP Challenge.

You should ask your hosting provider if you need help with that. That is just part of basic server setup.

You should use the https://letsdebug.net site to test changes to your system. Once you get an OK response you can try getting a cert again.


I'm really sorry, I didn't mention it the first time.
Actually, I have my domain on Hostinger. This time I have a private server, and I want one of my subdomains to point to my public IP (my server). The subdomain works on HTTP, with the Cloudflare DNS setting set to DNS only, not proxied. Then I want to install Let's Encrypt on my Origin Server.
When I try to install it, that error occurs.

HTTP connections from the public internet do not work right now. The Let's Encrypt auth server timed out, and the Let's Debug test site also times out.

Usually the term "Origin Server" is used for the server "behind" a Cloudflare proxied name. But, your domain is not currently proxied.

Are you planning on proxying this name later?


I'm sorry, in this case "Origin Server" is my private server (please correct me if I'm wrong). Before I tried to install Let's Encrypt, I tried to install Cloudflare SSL on my Origin Server by importing the CertificateFile and CertificateKeyFile in my default-ssl.conf.

In the Let's Debug output that you mentioned before, I see
"e-inv.newarmada.biz has an A (IPv4) record ( but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address."

Then I tried this

sudo ss -ltn
State   Recv-Q   Send-Q     Local Address:Port      Peer Address:Port  Process
LISTEN  0        4096   *
LISTEN  0        50       *
LISTEN  0        70     *
LISTEN  0        50       *
LISTEN  0        4096   *
LISTEN  0        128       *
LISTEN  0        151     *
LISTEN  0        4096                [::]:10000             [::]:*
LISTEN  0        511                    *:443                  *:*
LISTEN  0        50                  [::]:445               [::]:*
LISTEN  0        50                  [::]:139               [::]:*
LISTEN  0        128                 [::]:22                [::]:*
LISTEN  0        511                    *:80                   *:*

I also tried

sudo netstat -tuln | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN


sudo netstat -tuln | grep :443
tcp6       0      0 :::443                  :::*                    LISTEN

Is that right, or is there something wrong?

I think for now I will not use proxied DNS from Cloudflare. For now I want to make my website HTTPS as soon as possible.

That ss output looks alright. If you use the options below it should show you which program is listening. But just because something is listening does not mean it can be reached from the public internet. There can be firewalls, routing problems, or various other issues preventing that.

sudo ss -pltn | grep -i listen | grep -Ei ':80|:443'

Check your Hostinger network config panel and make sure these ports are open and not blocked for any reason.

Make sure the IP in the DNS matches your public IP.


Okay thanks, but I'm pretty sure that I've turned off my (private server) firewall with sudo disable ufw. Is there anything else to check for a firewall between the public internet and my private server?
And about routing problems, I'm still not sure that my routing in the apache2 configuration is right, because I've seen many solutions for the Apache configuration and each one says something different.

sudo ss -pltn | grep -i listen | grep -Ei ':80|:443'

LISTEN 0   511   *:443  *:*  users:(("apache2",pid=236168,fd=6),("apache2",pid=236145,fd=6),("apache2",pid=236144,fd=6),("apache2",pid=235978,fd=6),("apache2",pid=235974,fd=6),("apache2",pid=235973,fd=6),("apache2",pid=235972,fd=6),("apache2",pid=235971,fd=6),("apache2",pid=235966,fd=6),("apache2",pid=235963,fd=6),("apache2",pid=235961,fd=6))
LISTEN 0   511   *:80   *:*  users:(("apache2",pid=236168,fd=4),("apache2",pid=236145,fd=4),("apache2",pid=236144,fd=4),("apache2",pid=235978,fd=4),("apache2",pid=235974,fd=4),("apache2",pid=235973,fd=4),("apache2",pid=235972,fd=4),("apache2",pid=235971,fd=4),("apache2",pid=235966,fd=4),("apache2",pid=235963,fd=4),("apache2",pid=235961,fd=4))

I guess it's not on the Hostinger side because it's my private server. As I said before, I have an IP from Hostinger that is different from the public IP of my private server. But maybe I'm wrong; I tried to check in the Hostinger panel and there is no port blocked. Instead, I allowed an IP address (my private server's public IP).

Yeah, I've done it.

Perhaps I misunderstood.

So then check all the comms gear between your private server and the public internet. For home networks this often involves a router, for example. Follow "the wire" from your server to your ISP.

I get the same connect failures from my own server as Let's Debug and Let's Encrypt. Can you try reaching it from the public internet? Like a mobile phone with wifi disabled?

curl -i -m8 http://e-inv.newarmada.biz
curl: (7) Failed to connect to e-inv.newarmada.biz port 80 after 1278 ms:
Connection refused

curl -i -m8 https://e-inv.newarmada.biz
curl: (7) Failed to connect to e-inv.newarmada.biz port 443 after 250 ms:
Connection refused
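The two outcomes seen in this thread, a connect timeout from the Let's Encrypt validator and Let's Debug versus "Connection refused" from this curl, point at different places on the path between the internet and Apache. The following added example (not code from this thread or from certbot) probes a name the way the validator does and maps the socket result to a diagnosis; loopback_demo() uses constructed loopback ports so it runs offline, and the real check is probe_tcp("e-inv.newarmada.biz", 80) followed by fetch_challenge() with a token you placed under the -w webroot yourself:

```python
import socket
import urllib.request
import urllib.error

# What each TCP outcome usually means when an http-01 validation fails.
HINTS = {
    "open": "port reachable; next check the webroot path and the challenge file",
    "timeout": "no answer at all: a firewall or NAT upstream drops the packets (router, not Apache)",
    "refused": "host reached but nothing accepts on that port: NAT forwards to the wrong port or no listener",
    "unreachable": "no route to the address: DNS points at the wrong IP or the network is down",
}

def probe_tcp(host, port, timeout=8.0):
    """Open a TCP connection the way the validator would and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

def fetch_challenge(domain, token, timeout=8.0):
    """GET the challenge URL over plain HTTP; returns (status, body) or (None, error)."""
    url = "http://%s/.well-known/acme-challenge/%s" % (domain, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""  # 404 with the port open usually means the wrong -w webroot
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)

def loopback_demo():
    """Constructed check on 127.0.0.1: one listening port and one closed port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens here any more, so the probe must be refused
    results = {"listening": probe_tcp("127.0.0.1", listener.getsockname()[1], 2.0),
               "closed": probe_tcp("127.0.0.1", closed_port, 2.0)}
    listener.close()
    return results
```

Run probe_tcp from a host outside the office network (the mobile-data check suggested above); from inside the LAN the MikroTik may hairpin the connection and hide the NAT problem.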

In my office, the server connects to a MikroTik, which then NATs to the public IP. The firewall is not blocking anything from my server to the public IP. I guess the comms gear is already correct, but I'm still not sure.

Yeah, I've tried to access my public IP from home and it works, but with HTTP only.
I'm sorry, just now, when you replied before this one, I tried to change my IP address. And now maybe you can check the curl again.

The Cloudflare DNS is still showing the same IP.

Use https://unboundtest.com to check your IP in the public DNS.

Also, Let's Debug is still showing the same error. You can check your connection with https://letsdebug.net


It said this:
e-inv.newarmada.biz. 0 IN A

and the Let's Debug test said this:

Let's Debug

Test result for e-inv.newarmada.biz using http-01

e-inv.newarmada.biz has an A (IPv4) record ( but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with e-inv.newarmada.biz/ Get "http://e-inv.newarmada.biz/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

@0ms: Making a request to http://e-inv.newarmada.biz/.well-known/acme-challenge/letsdebug-test (using initial IP
@0ms: Dialing
@10000ms: Experienced error: context deadline exceeded

A test authorization for e-inv.newarmada.biz to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued. Fetching http://e-inv.newarmada.biz/.well-known/acme-challenge/BxyyZbWYF1kzyde2c-FDj3Fd-a870RPP92FDKqHAy64: Timeout during connect (likely firewall problem)

The current status as reported by the Let's Encrypt status page is Partial Service Disruption as at 2024-07-11 03:23:43.995 +0000 UTC. Depending on the reported problem, this may affect certificate issuance. For more information, please visit the status page.

So, how do I check why the request over port 80 is not succeeding? I tried to access it using my mobile phone without being connected to the office wifi, and I'm really sorry that it is now inaccessible. Maybe for a few hours I will try to fix this one first. Then I'll come back to this case.

But can Let's Encrypt secure my new subdomain with a specific port (like e-inv.newarmada.biz:88801) that points to my public IP address? If yes, please point me to the tutorials.

A certificate covering a domain will be valid for any port, but the validation itself needs to be on specific ports:
80 for http-01, 443 for tls-01, or you need to be able to modify the DNS records of that domain.


So if I want to install Let's Encrypt on my HTTP website (and I want my website to become HTTPS), then I have to use port 80 in the validation process?

That, or use a DNS API for the dns-01 challenge. What kind of DNS provider are you using?


I'm using Hostinger with Cloudflare, but for my public IP I set the DNS setting to DNS only (not proxied).

You still should be able to use certbot's Cloudflare DNS API:


Can I do it if my public IP is used with a specific port (ex: 38117)?