Problem to install certificate in internal server


I have a internal server in my company with domain and certbot don't install the certificate:

The problem:

certbot certonly --webroot

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel):
Requesting a certificate for
Input the webroot for (Enter 'c' to cancel): /var/www/html

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Type:   connection
  Detail: Fetching Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

If a run ufw status:

ufw status
Status: active

To                         Action      From
--                         ------      ----                            
80                         ALLOW       Anywhere                  
443                        ALLOW       Anywhere                                    
80/tcp                     ALLOW       Anywhere                              
80 (v6)                    ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
22/tcp (v6)                ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)       

The nginx config is:
nano /etc/nginx/sites-available/default

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;


        location / {
                try_files $uri $uri/ =404;

In router I open the ports:


With the 443 port I did the same thing

Some help to solution, thanks!


Welcome to the community @didobruno

Your domain cannot be reached from the public internet. Even just trying your home page from various places does not work. A helpful site for new setups is Let's Debug (link here).

Use that as you make changes to your comms config to test connectivity. Once that works try to get a cert again. Or, be sure to use --dry-run on your certbot --webroot command while testing to ensure you do not run into rate limits on the Let's Encrypt production system.

Your domain must be reachable with http (port 80) when using the --webroot option. Most often the error you see is because of a firewall - possibly one in your router.


I tried here and port 80 cannot access, but if I open other port, 8080, 8085 and etc work
Just 80 not access :frowning:

Does your ISP block port 80? Some residential ISP's do that in the US

But, do you still have ports 8080 and 8085 open? Because I don't see them open from my test server in the US

ALSO (added):
Here is test result for port 8080. I tried both IPv4 and IPv6 because you have both in your DNS

curl -6 -m8
curl: (28) Failed to connect to port 8080 after 4002 ms: Connection timed out

curl -4 -m8
curl: (28) Failed to connect to port 8080 after 4001 ms: Connection timed out

A    Address:
AAAA Address: 2804:728c:ffff:5e43:756d:4314:9f95:1b7f

I close 8080, 8452 is open

1 Like

I can reach a Tomcat default page on port 8452 with the IPv4 address but not with IPv6. Is that you?

Let's Encrypt servers will first use IPv6 so you should either remove the AAAA record until you have that working or correct the IPv6 config.

You might have to check with your ISP about port 80 if you are sure you had it setup right.

The HTTP Challenge (like --webroot) requires port 80. But, the DNS Challenge is possible although it is often harder to setup. See Let's Encrypt docs about it here:


I added it to test

I'll delete it

you correct, my ISP block port 80 :frowning:

1 Like

I use this:

And certificate was emitted, but access with https send this message:

Secure Connection Failed

An error occurred during a connection to SSL received a record that exceeds the maximum allowable length.


The page you are trying to view cannot be displayed certification of the received data could not be verified because.

I can reach your domain on port 8452 with HTTP but not with HTTPS. That means you have to configure Tomcat to use HTTPS on that port. I don't know Tomcat well but they have a forum and other help here:

I still see your IPv6 AAAA address in your DNS. Have you removed that yet? Because it is not working only IPv4 is.

curl -I4
curl: (35) error:0A00010B:SSL routines::wrong version number

curl -I4
HTTP/1.1 200

Now everything is working! Port 8452 to https was blocked.

Thank you very much!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.