Ports open but not seen by certbot

My domain is:
I ran this command:
sudo certbot --nginx
It produced this output:

ubuntu@ubuntu:~/matrix$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: matrix.corkboard.wtf

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for matrix.corkboard.wtf

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: matrix.corkboard.wtf
Type: connection
Detail: Fetching http://matrix.corkboard.wtf/.well-known/acme-challenge/VcsPOTbLQZaVhew0HRrkph7X-J-4mPlYYr9nh0X8Y1A: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx latest
The operating system my web server runs on is (include version):
Ubuntu 22.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

The port isn't open to the internet, I can't connect to it either.

Check that you have port forwarding correctly set up.


The ports are open in my router settings, would this be an issue with their software?

Ah, I see. The port is open but the connection hangs forever after a request is sent:

$ curl -vvv -m10
*   Trying
* Connected to ( port 80 (#0)
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.79.1
> Accept: */*
* Operation timed out after 10003 milliseconds with 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 10003 milliseconds with 0 bytes received

Could be that the internal address and port for the port forwarding is not right.

Could be that nginx is not listening on the address that the port forward expects.

Could be that it will start working after a router reboot (happens from time to time sadly).

Do you see any connection attempts in the nginx access or error logs?


I see connection attempts from "check your website", but that is all

Has the web site ever worked?


No, I am also not running a website but a matrix instance.

Then this doesn't make sense:

which expects a running nginx web server.


I am indeed running an nginx webserver, but I am not hosting a website. I am running an instance of matrix.

You may have failed to grasp the requirements around "sudo certbot --nginx".
Let's have a closer look at what is actually running, with:
{sudo} netstat -pant | grep -i listen
[use sudo if needed]

and also:
nginx -T



conflicts with:


2 :::* LISTEN 761/sshd: /usr/sbin

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;

http {

        # Basic Settings

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # SSL Settings

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        # Logging Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        # Virtual Host Configs

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;

# configuration file /etc/nginx/sites-enabled/matrix.corkboard.wtf:
server {

        server_name matrix.corkboard.wtf;

        location / {
                proxy_pass http://localhost:8008;

Seems like you don't really need the nginx server:
"Instead, you can proxy access to Synapse's HTTP listener on port 8008 via an existing HTTPS proxy with a valid certificate (e.g. an nginx listening on port 443), or you can point Synapse at a valid X.509 signed TLS certificate."

from: FAQ | Matrix.org


Sorry, discourse ate your post [after I edited it - to add ```s (for better formatting)]
It should show up soon.

From what I saw, the netstat output was very short.
It didn't show nginx nor the "matrix" software running/listening.


when i run lsof -i tcp:80
it returns

nginx    786     root    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
nginx   1700 www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
nginx   1701 www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
nginx   1702 www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
nginx   1703 www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)

While we wait...
"In future, Synapse will probably use letsencrypt to autogenerate valid certificates rather than self-signed ones during installation, simplifying this process enormously."

"The future" sounds wonderful1


I need to see more than just 80.

systemd-r  636 systemd-resolve   14u  IPv4  18950      0t0  TCP localhost:domain (LISTEN)
sshd       761            root    3u  IPv4  21780      0t0  TCP *:ssh (LISTEN)
sshd       761            root    4u  IPv6  21782      0t0  TCP *:ssh (LISTEN)
nginx      786            root    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
docker-pr 1162            root    4u  IPv4  23762      0t0  TCP *:8008 (LISTEN)
docker-pr 1170            root    4u  IPv6  21486      0t0  TCP *:8008 (LISTEN)
nginx     1700        www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
nginx     1701        www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
nginx     1702        www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)
nginx     1703        www-data    6u  IPv4  15232      0t0  TCP *:http (LISTEN)


this future does sound wonderful

So, nginx can be used to proxy to "8008"
"8008" can be fed the cert directly.
[we can visit that path after we get you going on nginx]