Letsencrypt gives error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
mail.kentekenflirten.nl

I ran this command:
certbot certonly --webroot --dry-run -w /var/www/html -d mail.kentekenflirten.nl

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating a certificate request for mail.kentekenflirten.nl

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: mail.kentekenflirten.nl
Type: connection
Detail: 23.238.42.75: Fetching https://mail.kentekenflirten.nl/.well-known/acme-challenge/M2nhVY5rx4d-QXSuh5w-bsZYc6C_XAoEOHEvA0S8wmk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, it's a fresh iRedMail install.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.21.0

This error message seems pretty clear: the Let's Encrypt servers need to be able to connect to your server via HTTP on port 80 in order to validate that you own the domain. They'll follow redirects to HTTPS on port 443 (which you appear to have enabled), but you then need to have your web server listening there. Either you don't, or you have a firewall blocking that port.


Thank you for your response. I will test that soonest.


Yields these results

AAAANotWorking
ERROR
mail.kentekenflirten.nl has an AAAA (IPv6) record (2a0d:7c40:3000:ac9::2) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
Get "http://mail.kentekenflirten.nl/.well-known/acme-challenge/letsdebug-test": dial tcp [2a0d:7c40:3000:ac9::2]:80: connect: connection refused

Trace:
@0ms: Making a request to http://mail.kentekenflirten.nl/.well-known/acme-challenge/letsdebug-test (using initial IP 2a0d:7c40:3000:ac9::2)
@0ms: Dialing 2a0d:7c40:3000:ac9::2
@75ms: Experienced error: dial tcp [2a0d:7c40:3000:ac9::2]:80: connect: connection refused
IssueFromLetsEncrypt
ERROR
A test authorization for mail.kentekenflirten.nl to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
23.238.42.75: Fetching https://mail.kentekenflirten.nl/.well-known/acme-challenge/IBEfjTFn03s3uG5bc5yzXyy5dUENnKT-6GS7gIsnkWQ: Timeout during connect (likely firewall problem)

IPv4 looks open.

>nmap -4 -Pn -p80,443 mail.kentekenflirten.nl
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 23:42 UTC
Nmap scan report for mail.kentekenflirten.nl (23.238.42.75)
Host is up (0.13s latency).
Other addresses for mail.kentekenflirten.nl (not scanned): 2a0d:7c40:3000:ac9::2
rDNS record for 23.238.42.75: hwsrv-793118.hostwindsdns.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

Seems the IPv6 is closed.

>nmap -6 -Pn -p80,443 mail.kentekenflirten.nl
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-13 23:42 UTC
Nmap scan report for mail.kentekenflirten.nl (2a0d:7c40:3000:ac9::2)
Host is up (0.13s latency).
Other addresses for mail.kentekenflirten.nl (not scanned): 23.238.42.75
rDNS record for 2a0d:7c40:3000:ac9::2: hwsrv-1099068.hostwindsdns.com

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds
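The two posts above describe the same check from two sides: the CA has to reach port 80 on every address the name resolves to (it flags an AAAA record that refuses), download the challenge file from the webroot, and, if it is redirected to HTTPS, find port 443 listening as well. The following is an added example (not code from the thread, certbot or Let's Debug) that performs that per-address check offline: it serves a constructed challenge token from a temporary webroot on 127.0.0.1, standing in for the nginx vhost, and deliberately points a second probe at a bound-but-not-listening port to reproduce the "connection refused" the AAAA address returned. The token, key authorization and the hostname in the Host header are assumptions for the demo.

```python
"""Per-address HTTP-01 reachability check, modelled on what Let's Debug and
the CA's validators do. Added example; not part of certbot or Let's Debug."""
import http.client
import os
import socket
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CHALLENGE_DIR = ".well-known/acme-challenge"


def resolve_addresses(host):
    """Every A and AAAA address for host: the CA may try any of them."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_challenge(address, host, token, expected, port=80, timeout=5.0, max_hops=5):
    """Connect to one literal address, request the challenge URL with the real
    Host header, follow plain-HTTP redirects, and return a short status string
    in the style of the Let's Debug output."""
    path = f"/{CHALLENGE_DIR}/{token}"
    for _ in range(max_hops):
        try:
            conn = http.client.HTTPConnection(address, port, timeout=timeout)
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            body = resp.read()
            location = resp.getheader("Location")
            conn.close()
        except ConnectionRefusedError:
            return "connection refused"  # nothing listening on address:port
        except socket.timeout:
            return "timeout during connect (likely firewall problem)"
        except OSError as exc:
            return f"unreachable: {exc}"
        except http.client.HTTPException as exc:
            return f"bad response: {exc}"
        if resp.status in (301, 302, 303, 307, 308) and location:
            target = urlsplit(location)
            if target.scheme == "https":
                # The CA would follow this hop on port 443; this offline
                # checker stops here and reports that 443 must answer too.
                return "redirects to https (port 443 must answer too)"
            path = target.path or "/"
            port = target.port or port
            continue
        if resp.status != 200:
            return f"http {resp.status}"  # e.g. 404: wrong --webroot-path
        return "ok" if body.strip() == expected else "wrong body"
    return "too many redirects"


def check_all(addresses, host, token, expected, port=80, timeout=5.0):
    """Probe each address; at least one must be 'ok', and any AAAA address
    that refuses is what Let's Debug reports as AAAANotWorking."""
    return {a: fetch_challenge(a, host, token, expected, port, timeout) for a in addresses}


class QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's output clean
        pass


def serve_webroot(bind_addr, webroot):
    """Throw-away HTTP server on bind_addr:<ephemeral port> serving webroot,
    standing in for the nginx vhost that certbot --webroot writes into."""
    class Server(ThreadingHTTPServer):
        address_family = socket.AF_INET6 if ":" in bind_addr else socket.AF_INET
    server = Server((bind_addr, 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Constructed scenario: webroot with one challenge file served on IPv4,
    plus a port with nothing listening (the AAAA symptom in the thread)."""
    host = "mail.kentekenflirten.nl"                 # assumed Host header
    token = "letsdebug-test"                          # constructed token
    expected = b"letsdebug-test.constructed-key-authorization"
    webroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR))
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "wb") as fh:
        fh.write(expected)
    server, port = serve_webroot("127.0.0.1", webroot)
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))                      # bound, never listen(): refuses
    try:
        good = fetch_challenge("127.0.0.1", host, token, expected, port=port)
        refused = fetch_challenge("127.0.0.1", host, token, expected, port=dead.getsockname()[1])
        missing = fetch_challenge("127.0.0.1", host, "no-such-token", expected, port=port)
    finally:
        dead.close()
        server.shutdown()
        server.server_close()
    return good, refused, missing


if __name__ == "__main__":
    print(demo())  # real use: check_all(resolve_addresses(host), host, token, expected)
```

Against a live host the entry point is `check_all(resolve_addresses(host), ...)`, which reports the IPv4 and IPv6 results side by side, the same view the two nmap runs gave.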

Thank you, I noticed that indeed the mail.kentekenflirten.nl IPv6 address was not correct. I rectified that. The www is on another server; that seems to be OK.

I have rerun the debug test; it came back all OK now. The certificate was also successfully implemented.

Problem solved.


I don't follow.
LE failed to reach the IPv4 address.
[presumably after failing to reach the IPv6 address and falling back to IPv4]
You then fixed the IPv6 address and now "the problem is solved"?
I think you still have an unsolved problem - with the IPv4 access.
Even if not a problem for IPv6 visitors, it is still a problem for IPv4 only visitors.


https://www.ssllabs.com/ssltest/analyze.html?d=mail.kentekenflirten.nl

Is looking good.

Hi rg305,
Based on the first hint here I created a hello world page (mail.kentekenflirten.nl/test.html) to test firewall function. That worked. So the IPv4 was correct.

I then changed the IPv6 address in DNS; that was the only change I made. The issue was resolved and the Let's Debug link reported no error. What error are you suggesting could still be in place?


I suppose there isn't much more to worry about then.
Even if an HTTP IPv4 problem does exist, you are not likely to be using HTTP for your SMTP server.
[except for obtaining a cert (and renewals)]

