Port 80 is open but timeout (Error 400)


I installed dehydrated on an internal server. It’s behind a firewall but I opened port 80 and set a CNAME (DDNS) on our vServer (with PLESK). The Plesk-Server is
(www.)example.org and the internal server is server.intern.example.org.

This internal server can be reached via port 80. When I call
http://server.intern.example.org/.well-known/acme-challenge/ I can access an index.html and the token will be generated correctly. So the directory is writeable!

But when I try “dehydrated --cron” I get this:

dehydrated --cron
# INFO: Using main config file /etc/dehydrated/config
Processing server.intern.example.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for server.intern.example.org...
 + Hook: Nothing to do...
 + Responding to challenge for server.intern.example.org...
 + Hook: Nothing to do...
 + Hook: Nothing to do...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching http://server.intern.example.org/.well-known/acme-challenge/mbskngekürztO3yk: Timeout",
    "status": 400
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/Q1gbjgekürzt920524828",
  "token": "mbsknIOgekürzt29U3yk",
  "keyAuthorization": "mbskgekürzt29U3yk.9MqbIWBPjs",
  "validationRecord": [
      "url": "http://server.intern.example.org/.well-known/acme-challenge/mgekürzt9U3yk",
      "hostname": "server.intern.example.org",
      "port": "80",
      "addressesResolved": [
      "addressUsed": "178.xxx.yyy.zzz"

I have no idea what to do. IPv6 is not activated – so the fallback to IPv4 should work.
Any hints what to do?


Please show the affected domain name.


Maybe better via PM? Will send it to you …


It’s going to end up in the publicly available certificate transparency logs once you issue a certificate anyway, you’re only severely limiting the community’s ability to help you by withholding this, not increasing secrecy.


Hi, @white-rabbit07

What do you mean by ipv6 is not activated?

Is that means ipv6 is present in records but not accessible? (If so, you need to remove the IPV6 since LE doesn’t accept fallback)

Thank you


@white-rabbit07 - The DNS setup looks ok to me, but I’m having the same issue as Let’s Encrypt. When I attempt to connect to your server on port 80, the connection attempt times out. Do you have some sort of IP whitelisting set up? Have you verified that this is accessible over the public internet?

@stevenzhu - There’s no AAAA records for this domain, so nothing to worry about there. Also, while this isn’t relevant here, removing AAAA records is not always the solution. Ideally, in this instance, fixing the server to listen on IPv6 is preferable.


@jared.m That’s strange – I don’t have any issues when I try to connect to that server. It works without any timeout or delay. But maybe the Firewall (IPFire) blocks “some” IPs via GeoIP? Which countries do I have to allow in that case?


For using this method, you’re expected to allow connections from all IP addresses. The policy is that the Let’s Encrypt validation servers may change unpredictably at any time.


On top of that, I’m connecting from the US.


Ok, I changed the GeoIP-Block … and … IT WORKS! Great!
Thank you very much. I didn’t expect the solution at this point as the access from any device always worked.
But finally: Success! :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.