Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: chat.waldschrat.ru groups.chat.waldschrat.ru share.chat.waldschrat.ru
I ran this command: sudo docker compose exec snikket_certs /etc/cron.daily/certbot
It produced this output: Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: groups.chat.waldschrat.ru
Type: connection
Detail: During secondary validation: 91.200.13.160: Fetching http://groups.chat.waldschrat.ru/.well-known/acme-challenge/OfbhsIqtFFrhK4gGDonnl59302147R758bD7FaHoBko: Timeout during connect (likely firewall problem)
Domain: chat.waldschrat.ru
Type: connection
Detail: During secondary validation: 91.200.13.160: Fetching http://chat.waldschrat.ru/.well-known/acme-challenge/3Tg1ENVMEpT6uxSx4Z6inJupcX2GlWSwg1raMvA35OM: Timeout during connect (likely firewall problem)
Domain: share.chat.waldschrat.ru
Type: connection
Detail: During secondary validation: 91.200.13.160: Fetching http://share.chat.waldschrat.ru/.well-known/acme-challenge/2aWCBNwNjvkcTx96LhOi59z2CcdX2Y9hmIuW5fZW6yQ: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Some challenges have failed.
My web server is (include version): I think nginx
The operating system my web server runs on is (include version): ubuntu 24.04 docker Version: 29.1.5
My hosting provider, if applicable, is: fistbyte
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ssh only
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0
The "secondary validation" part of the error means the first HTTP challenge request from the primary Let's Encrypt server succeeded. But, two or more of the challenge requests from secondary centers failed. Let's Encrypt currently operates 4 secondary centers.
Often this is because of a firewall blocking certain geographic regions or blocks of IP addresses.
There are 5 total challenge requests sent to you for each cert request. You should check your nginx access log to see how many arrive. The URI will be identical for all 5 requests. The only difference is the source (or origin) IP.
1 Like
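The access-log check suggested in the reply above, as an added example that is not part of the original thread: it groups ACME HTTP-01 challenge fetches by token and counts how many distinct source IPs reached the server. It assumes nginx's default "combined" log format; the log lines, tokens, user agent and IP addresses are constructed samples, and the expected count of 5 is the figure quoted in the reply.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "METHOD uri proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?:GET|HEAD) (?P<uri>/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)) [^"]*" '
    r'(?P<status>\d{3}) '
)

EXPECTED_VANTAGE_POINTS = 5  # figure quoted in the thread: 1 primary + 4 secondary

# Constructed sample log (documentation-range IPs, made-up tokens and user agent).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Jan/2026:18:07:40 +0000] "GET /.well-known/acme-challenge/tokenAAA111 HTTP/1.1" 200 87 "-" "validation-agent"
198.51.100.7 - - [26/Jan/2026:18:07:41 +0000] "GET /.well-known/acme-challenge/tokenAAA111 HTTP/1.1" 200 87 "-" "validation-agent"
203.0.113.5 - - [26/Jan/2026:18:07:41 +0000] "GET /.well-known/acme-challenge/tokenAAA111 HTTP/1.1" 200 87 "-" "validation-agent"
192.0.2.10 - - [26/Jan/2026:18:07:42 +0000] "GET /.well-known/acme-challenge/tokenBBB222 HTTP/1.1" 200 87 "-" "validation-agent"
192.0.2.10 - - [26/Jan/2026:18:07:43 +0000] "GET /.well-known/acme-challenge/tokenBBB222 HTTP/1.1" 200 87 "-" "validation-agent"
203.0.113.99 - - [26/Jan/2026:18:08:00 +0000] "GET /index.html HTTP/1.1" 200 2204 "-" "curl/8.5.0"
"""

def summarize_challenges(log_text, expected=EXPECTED_VANTAGE_POINTS):
    """Group ACME HTTP-01 requests by token; report distinct source IPs seen."""
    seen = defaultdict(lambda: {"ips": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a challenge fetch (or not combined format)
        entry = seen[m.group("token")]
        entry["ips"].add(m.group("ip"))
        entry["statuses"].add(int(m.group("status")))
    report = {}
    for token, e in seen.items():
        report[token] = {
            "distinct_sources": len(e["ips"]),
            # Fewer sources than expected means some requests never arrived,
            # which points at filtering upstream of nginx rather than at Certbot.
            "missing": max(expected - len(e["ips"]), 0),
            "non_200": sorted(s for s in e["statuses"] if s != 200),
        }
    return report

if __name__ == "__main__":
    for token, row in summarize_challenges(SAMPLE_LOG).items():
        print(token, row)
```

A token with `missing` greater than zero and no non-200 statuses matches the symptom in this thread: the requests that arrive are answered correctly, and the rest are dropped before they reach the web server.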
> Often this is because of a firewall blocking certain geographic regions or blocks of IP addresses.

It is a clean system; I just opened the necessary ports. I didn't block IP addresses.

> There are 5 total challenge requests sent to you for each cert request. You should check your nginx access log to see how many arrive. The URI will be identical for all 5 requests. The only difference is the source (or origin) IP.

/var/log/nginx/access.log is empty
/var/log/nginx/error.log is empty
Sorry for my bad English.
We know at least one HTTP request got to your server and that your system replied properly. We know this because the error said "secondary". That means the first primary request worked and possibly one or two requests from the Let's Encrypt secondary centers.
There must be a log somewhere that shows that request. Review your log configs. You may have to ask snikket support where to find it.
Does your hosting company have any firewall settings?
There is some kind of firewall somewhere. A request from my own test server worked and I saw the page shown below. But, after I made two other HTTP test requests to your domain I now only get timeout errors.
curl -i http://groups.chat.waldschrat.ru
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 26 Jan 2026 18:07:57 GMT
Content-Length: 2204
Last-Modified: Mon, 26 Jan 2026 18:07:48 GMT
We are currently obtaining SSL/TLS certificates to secure your Snikket service
<h2>Problem detected!</h2>
<p>There was a problem obtaining certificates for your Snikket server. Please check that all required DNS records are set correctly, that port 80 is open, and if you have a reverse proxy ensure it is configured correctly.
<p>See our documentation for <a href="https://github.com/snikket-im/snikket-server/blob/master/docs/setup/troubleshooting.md">troubleshooting certificate problems
But now I only get:
curl -i -m15 http://groups.chat.waldschrat.ru
curl: (28) Connection timed out after 15000 milliseconds
1 Like
> But now I only get:
> curl -i -m15 http://groups.chat.waldschrat.ru
> curl: (28) Connection timed out after 15000 milliseconds

You may have encountered a reboot point (I rebooted the system). I'm trying to resolve the issue of obtaining a certificate.

> Does your hosting company have any firewall settings?

I contacted technical support, they said that they are not blocking. Maybe the problem is that the server is located in Russia?

> There must be a log somewhere that shows that request. Review your log configs. You may have to ask snikket support where to find it.

I haven't contacted the developers yet, but I found this.
letsencrypt.txt (57.7 KB)
Renamed to *.txt because *.log doesn't upload.
1 Like
Should not matter. Do not forget the Let's Encrypt primary center worked. Only two or more of the secondary centers fail.
All Let's Encrypt secondary centers are hosted in Amazon AWS networks. So, if something is interfering with AWS that could be. My own test server is in AWS. I have tried several different test servers in AWS, all with different IPs, and they all now fail to reach you. I did see your snikket page once though. So at least at that moment it was okay.
We have not received other problem reports from people in Russia (yet). If it was affecting the whole country we should see more reports of trouble.
It would be helpful to see the nginx access logs. If you can find those please post them.
This is a log by a program called Certbot. Your snikket system is using that program to get the certificate. And, normally we could have you try some test commands.
But, in your case you'll need to work with snikket. They use many custom Certbot settings to work in their system.
Running Certbot test commands may not be helpful anyway. This is some kind of firewall or communications problem and does not look like it is related to Certbot itself.
2 Likes
I think the problem lies in government restrictions. Because I set up IPv6 and it's working!
Thank you very much!
2 Likes
That is good.
Today I was able to make one IPv4 request from my own test server but after that they time out. If it is a govt restriction they are doing a bad job to let one through.
IPv6 works good from my test server. And, Let's Encrypt issued a cert. It prefers IPv6 when defined in the DNS.
2 Likes