Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: campo-randale.de

I ran this command: certbot --apache

It produced this output:
Domain: crbox.campo-randale.de
Type: connection
Detail: Fetching
http://crbox.campo-randale.de/.well-known/acme-challenge/d2C02-4MXN8jysq6y5WTnMxkghw8fpkGjU8GPK2AC5Y:
Timeout during connect (likely firewall problem)

(the challenge is faked)

My web server is (include version): Apache2.4

The operating system my web server runs on is (include version): Linux

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.30.2

But the Web-Service is reachable from the internet via port 80. (At least when I try to get the cert I do not see any FW problems. What can I check next?

Hi @hjfh

is this your domain? If yes, that domain is parked, so you can't create a certificate.

If no, please share your domain name.

? Yes, this is my domain. Why you think it is parked? I can access the host crbox.campo-randale.de via http. But the FW permit https, too. (just in the moment the FW drops the connections)

Checked the main domain, the result is curious ( https://check-your-website.server-daten.de/?q=campo-randale.de ):

https has a typical error, so the tool checks http over port 443.

Checked that url manual, there is

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8">
        <style type="text/css">
            html, body, #partner, iframe {
                height:100%;
                width:100%;
                margin:0;
                padding:0;
                border:0;
                outline:0;
                font-size:100%;
                vertical-align:baseline;
                background:transparent;
            }
            body {
                overflow:hidden;
            }
        </style>
        <meta content="NOW" name="expires">
        <meta content="index, follow, all" name="GOOGLEBOT">
        <meta content="index, follow, all" name="robots">
        <!-- Following Meta-Tag fixes scaling-issues on mobile devices -->
        <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport">
    </head>
    <body>
        <div id="partner"></div>
        <script type="text/javascript">
            document.write(
                    '<script type="text/javascript" language="JavaScript"'
                            + 'src="//sedoparking.com/frmpark/'
                            + window.location.host + '/'
                            + 'IONOSParkingDE'
                            + '/park.js">'
                    + '<\/script>'
            );
        </script>
    </body>
</html>

a sedoparking included.

And critical: /.well-known/acme-challenge sends a multiple choice, so it looks that you can’t use http-01 validation.

Now checking the subdomain - crbox

Ah, your main domain is hosted via 1&1 ( https://check-your-website.server-daten.de/?q=campo-randale.de ):

Your subdomain - looks like a home server ( https://check-your-website.server-daten.de/?q=crbox.campo-randale.de ):

And there are only timeouts:

If you see the subdomain internal, your http works.

Port forwarding correct? Extern port 80 -> intern port 80.

Firewall?

A working port 80 is required to use http-01 validation.

Yes, when I enable the redirection I can access the website from the internet. I is enabled now.

Are there special hints to do when the site is hosted as a vhost in apache?

Yep, now your port 80 works:

That's the expected result: Port 80 is open and answers with the http status 404 - Not Found checking a file in /.well-known/acme-challenge.

So http-validation should work.

Certbot creates a file in /.well-known/acme-challenge, Letsencrypt checks that file.

Fine ... now you found what I try to described: Web-service ist running but cerbot failed ...

Should the file in acme-challenge stay if the certbot throws the reported error message? There is no .well-known directory at my host ...

Then your configuration may be buggy.

What says

apachectl -S

VirtualHost configuration:
192.168.252.148:80 crbox.campo-randale.de (/etc/apache2/vhosts.d/crbox_campo-randale_de.conf:13)
ServerRoot: “/srv/www”
Main DocumentRoot: “/srv/www/htdocs”
Main ErrorLog: “/var/log/apache2/error_log”
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
PidFile: “/var/run/httpd.pid”
Define: SYSCONFIG
Define: SSL
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“wwwrun” id=473
Group: name=“www” id=476

What's the content of

Is there a DocumentRoot (without any additional location definitions)? If yes, use --webroot instead of --apache.

certbot run -a webroot -i apache -w yourDocumentRoot -d crbox.campo-randale.de

Indeed there is a DocumentRoot for this vhost. But the comment line:
certbot -i apache -w /srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud -d crbox.campo-randale.de give the same result...

There is no -a webroot parameter, so it's the same command as --apache.

Sorry typo,
has to be:

certbot run -a webroot -i apache -w …

(No copy &Paste at this terminal

Then this

is wrong.

Create the two subdirectories

/srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud/.well-known/acme-challenge

there a file (file name 1234), then try to load that file via

http://crbox.campo-randale.de/.well-known/acme-challenge/1234

And share the content of the config file.

The file 1234 is then readable via Browser. (Hm, I have to stop access to the file system via apache later …)

Wich config file did you point? vhost?

The content of that file.

Your /1234 file works, so webroot should work.

This is the result :-\

certbot run -a webroot -i apache -w /srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud/ -d crbox.campo-randale.de

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for crbox.campo-randale.de
Using the webroot path /srv/www/htdocs/vhosts/crbox_campo-randale_de/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. crbox.campo-randale.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://crbox.campo-randale.de/.well-known/acme-challenge/k57egdNMux2iLORNvVLbyE1Rmq46aGD-FuOnagvCDOU: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: crbox.campo-randale.de
  Type: connection
  Detail: Fetching
  http://crbox.campo-randale.de/.well-known/acme-challenge/k57egdNMux2iLORNvVLbyE1Rmq46aGD-FuOnagvCDOU:
  Timeout during connect (likely firewall problem)

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

the vhost.conf is available at the web http://crbox.campo-randale.de/crbox_campo-randale_de.conf

Your server is online - https://check-your-website.server-daten.de/?q=crbox.campo-randale.de - why sees Letsencrypt a timeout?

Is there a blocking firewall with regional settings? So the online tool can see your site, Letsencrypt not?

Oops …
Indeed, I have some filtered regions … But I have never seen a problem with it …
OK, wich IPs are neccessary to play with letsencrypt?