Problem creating a new certificate error 400 timeout during conect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output:

An error occurred creating certificates with Let's Encrypt:

2023/10/18 12:12:07 [INFO] [] acme: Obtaining bundled SAN
2023/10/18 12:12:07 [INFO] [] AuthURL:
2023/10/18 12:12:07 [INFO] [] acme: use tls-alpn-01
2023/10/18 12:12:07 [INFO] [] acme: Trying to solve
2023/10/18 12:12:22 [INFO] Deactivating auth:
2023/10/18 12:12:22 Could not obtain certificates:
error: one or more domains had a problem:
[] acme: error: 400 ::
urn:ietf:params:acme:error:connection :: Timeout during connect
(likely firewall problem)

Please check our documentation and support forums, we'll be happy to help!

My web server is (include version): apache

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

For some reason the bncert-tool is using the tls-alpn-01 challenge. But port 443 is not open apparently, so it fails.


Thank you very much, it seems that the tls-alpn-01 challenge is not compatible with Apache, and that's why it's failing (as port 443 is open). Is it possible to change the challenge type? How can I do that?

1 Like

No, it's not. Not from the public internet anyway.


Using nmap would indicate otherwise; adding to what others have already said.

$ nmap -Pn -p80,443
Starting Nmap 7.80 ( ) at 2023-10-24 16:20 UTC
Nmap scan report for (
Host is up (0.081s latency).
rDNS record for

80/tcp  open     http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 2.05 seconds

If you use mod_ssl, it could be made "compatible".

But first, as you've already been told twice, you must open port 443 to the Internet.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.