No cert for subdomain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: certbot --apache -d

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout during connect (likely firewall problem)


  • The following errors were reported by the server:

    Type: connection
    Detail: Fetching
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 9

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

The procedured suceeded already at the second level domain (, which is hosted on a different machine. No luck so far to get it running on this subdomain-machine

Ports 80 / 443 are open and responding:

Nmap scan report for (
Host is up (0.019s latency).
Not shown: 997 filtered ports
80/tcp open http
443/tcp open https

tia & cu,

It seems like medivoice might be set up in a way that doesn’t accept connections from the US. Attempting to ping it times out from my US system, but not my DE system.


Hi @der-ada

is this your first try to create a certificate?

Checking your domain via all looks good. Port 80 is open and answers.

Checked with DNS Checker - DNS Check Propagation Tool to see if it is a regional problem - your ip address is worldwide visible.

Oh, that looks bad:

Looks like you have a regional filter. So Letsencrypt can't check your validation file.



Thank you both very much. I guess thats already enough of an explanation. I will contact the network admin.

thx & cu,



It’s working. As assumed, a regional filter prevented LE to validate our host. Can I set this to “solved” anyhow?

thx & cu,

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.