Some challenges failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jaredstoker.com

I ran this command:
certbot --nginx -v
It produced this output:
Some challenges failed

My web server is (include version):
root@web-box:~# nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
Xmission
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

2025-09-02 19:38:08,021:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz/2381377727/577866970001 HTTP/1.1" 200 1082
2025-09-02 19:38:08,023:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 02 Sep 2025 19:38:08 GMT
Content-Type: application/json
Content-Length: 1082
Connection: keep-alive
Boulder-Requester: 2381377727
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: K7BcPJEgAy0DkwmlO47QnLNaJ1Msuj9fsNkZTRS27885ccw4b4c
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "jaredstoker.com"
},
"status": "invalid",
"expires": "2025-09-09T19:36:37Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2381377727/577866970001/u91t8w",
"status": "invalid",
"validated": "2025-09-02T19:36:38Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "166.70.250.187: Fetching http://jaredstoker.com/.well-known/acme-challenge/EFd2enqoFj1zSLkFq87Etraa9sEpfGM8P2ZyiYdxOUQ: Timeout after connect (your server may be slow or overloaded)",
"status": 400
},
"token": "EFd2enqoFj1zSLkFq87Etraa9sEpfGM8P2ZyiYdxOUQ",
"validationRecord": [
{
"url": "http://jaredstoker.com/.well-known/acme-challenge/EFd2enqoFj1zSLkFq87Etraa9sEpfGM8P2ZyiYdxOUQ",
"hostname": "jaredstoker.com",
"port": "80",
"addressesResolved": [
"166.70.250.187"
],
"addressUsed": "166.70.250.187"
}
]
}
]
}

I'm at my wit's end. I usually lurk silently, read other users' issues, and am able to fix my problem. When I initially built the site in May, the certificate was created just fine. Now it can't pass the http-01 test.
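The authorization object quoted above is the most useful diagnostic in the whole post: the validator resolved the name, picked an address, completed a TCP connect, and then got nothing back. The following script, an added example that is not part of the thread and not Certbot code, parses that JSON (embedded verbatim from the post so it runs offline) and turns each challenge into a short summary with the error URN, the addresses the CA actually used, and whether the failure happened after the connection was established. The hint strings are the editor's own reading of the RFC 8555 error types, not text from the page.

```python
"""Parse an ACME authorization object and summarise why each challenge failed.

Added example, not from the thread or from Certbot; the JSON below is the
authorization body quoted in the post, embedded so the script runs offline.
"""
import json

# ACME error URNs (RFC 8555 section 6.7) mapped to a short defender-side hint.
ERROR_HINTS = {
    "urn:ietf:params:acme:error:connection":
        "validator could not complete a TCP/HTTP exchange with the host: check "
        "firewall, NAT, and that the web server really listens on port 80",
    "urn:ietf:params:acme:error:unauthorized":
        "host answered but the token body was wrong or missing: check the "
        "webroot/location block that serves /.well-known/acme-challenge/",
    "urn:ietf:params:acme:error:dns":
        "DNS lookup failed: check the A/AAAA records",
}

# Authorization body as quoted in the post (whitespace trimmed).
AUTHZ_FROM_POST = r'''
{
 "identifier": {"type": "dns", "value": "jaredstoker.com"},
 "status": "invalid",
 "expires": "2025-09-09T19:36:37Z",
 "challenges": [
  {
   "type": "http-01",
   "url": "https://acme-v02.api.letsencrypt.org/acme/chall/2381377727/577866970001/u91t8w",
   "status": "invalid",
   "validated": "2025-09-02T19:36:38Z",
   "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "166.70.250.187: Fetching http://jaredstoker.com/.well-known/acme-challenge/EFd2enqoFj1zSLkFq87Etraa9sEpfGM8P2ZyiYdxOUQ: Timeout after connect (your server may be slow or overloaded)",
    "status": 400
   },
   "token": "EFd2enqoFj1zSLkFq87Etraa9sEpfGM8P2ZyiYdxOUQ",
   "validationRecord": [
    {
     "url": "http://jaredstoker.com/.well-known/acme-challenge/EFd2enqoFj1zSLkFq87Etraa9sEpfGM8P2ZyiYdxOUQ",
     "hostname": "jaredstoker.com",
     "port": "80",
     "addressesResolved": ["166.70.250.187"],
     "addressUsed": "166.70.250.187"
    }
   ]
  }
 ]
}
'''


def summarise_authz(authz_json):
    """Return one dict per challenge with status, error class and addresses used."""
    authz = json.loads(authz_json)
    rows = []
    for ch in authz.get("challenges", []):
        err = ch.get("error") or {}
        records = ch.get("validationRecord") or []
        used = [r.get("addressUsed") for r in records]
        resolved = sorted({a for r in records for a in r.get("addressesResolved", [])})
        detail = err.get("detail") or ""
        rows.append({
            "identifier": authz["identifier"]["value"],
            "challenge": ch["type"],
            "status": ch["status"],
            "error_type": err.get("type"),
            "detail": detail,
            "hint": ERROR_HINTS.get(err.get("type"), "see the detail string"),
            "addresses_resolved": resolved,
            "addresses_used": used,
            # TCP handshake completed but no HTTP reply arrived: points at a
            # NAT/forwarding hop answering SYNs, not at DNS or the vhost config.
            "timeout_after_connect": "Timeout after connect" in detail,
        })
    return rows


def main():
    for row in summarise_authz(AUTHZ_FROM_POST):
        print(f"{row['identifier']} {row['challenge']}: {row['status']}")
        print(f"  validator used {row['addresses_used']} (resolved {row['addresses_resolved']})")
        print(f"  {row['error_type']}")
        print(f"  {row['detail']}")
        print(f"  hint: {row['hint']}")


if __name__ == "__main__":
    main()
```

The `timeout_after_connect` flag is the detail worth noticing here: a refused or unreachable port would produce a different detail string, whereas "Timeout after connect" means something accepted the SYN and then never delivered an HTTP response, which is exactly the pattern the later replies in this thread attribute to the router.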

Hello @jaredstoker, welcome! :slight_smile:

From around the world (Permanent link to this check report), it is showing "Connection reset by peer".

Please show the output of the following commands:

  • sudo certbot certificates
  • sudo nginx -T (that is a capital T)

And the online tool Let's Debug yields these results https://letsdebug.net/jaredstoker.com/2543693

1 Like

I wiped the existing certificates as part of my troubleshooting. I couldn't get the existing certificate to renew. Here is the output of those commands.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificates found.

root@web-box:~# nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        server_tokens off;

        client_body_buffer_size 1k;
        client_header_buffer_size 1k;
        client_max_body_size 1k;
        large_client_header_buffers 2 1k;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/jaredstoker.com:
#server {
#    listen 80 default_server;
#    server_name _;
#    return 301 https://$host$request_uri;
#}
#server {
#    listen 80 default_server;
#    listen 443 default_server;
#    server_name "~^(?!www\.).*" ;
#    server_name jaredstoker.com;    
#    location / {
#        return 301 $scheme://www.$host$request_uri;
#    }
#}
server {
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header Content-Security-Policy "default-src 'self';" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
    add_header Referrer-Policy "strict-origin";    
    listen 80;
    listen 443;
#    listen 443 ssl;
    server_name jaredstoker.com;  # Replace with your domain or IP
#    include snippets/self-signed.conf;
#    include snippets/ssl-params.conf;
#    ssl_certificate      /etc/nginx/ssl/www.jaredstoker.com/fullchain.pem;
#    ssl_certificate_key  /etc/nginx/ssl/www.jaredstoker.com/privkey.pem;
#    ssl_protocols       TLSv1.2 TLSv1.3;
#    ssl_ciphers         HIGH:!aNULL:!MD5;
    root /var/www/jaredstoker.com;
    index index.html;

#    location / {
#        try_files $uri $uri/ =404;
#    }

#    location ~* \.(js|css|html|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
#        access_log off;
#        expires max;
#    }

    location ~ /.well-known/acme-challenge {
        allow all;
        root /var/www/jaredstoker.com;
    }
}
1 Like

I see connection failure for both HTTP and HTTPS. Are you able to connect from the public internet?

As Bruce noted, HTTP (port 80) requests are failing worldwide (and from my own test server).

SSL Labs reports HTTPS connections failing too (and so does my own test server).

I think this is more likely something wrong with your network config. Do you set that up or does your hosting service? Has your IP address changed recently and does the DNS reflect the current IP?

3 Likes
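The question in the two replies above is whether the challenge URL can be fetched from outside at all. Here is an added self-check, not code from the thread or from Certbot, that fetches a challenge URL the way a CA validator does and classifies the outcome (served, missing, refused, reset, or the "timeout after connect" seen in the original post). To keep it runnable offline, `run_selfcheck()` stands up a throwaway HTTP server on 127.0.0.1 with a constructed webroot; the token is the one from the post, the key authorization suffix is made up, and a token named `slow` is a constructed stand-in for a host that accepts the connection and never answers. Against a real host you would call `check_http01("http://jaredstoker.com", token, key_authorization)` from a machine outside the LAN, with the token file placed under the webroot by hand.

```python
"""Self-check of the HTTP-01 challenge path, with an offline demo.

Added example, not from the thread or from Certbot. check_http01() fetches the
challenge URL the way a CA validator would and classifies the outcome;
run_selfcheck() exercises it against a throwaway server on 127.0.0.1 whose
webroot, token file and key authorization are constructed here.
"""
import functools
import http.server
import os
import socket
import tempfile
import threading
import time
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def check_http01(base_url, token, expected_body, timeout=5.0):
    """Return (kind, info); kind is 'ok' or the class of failure observed."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:            # server answered, but not 200
        return ("http_error", exc.code)
    except urllib.error.URLError as exc:             # failure before a connection existed
        if isinstance(exc.reason, (TimeoutError, socket.timeout)):
            return ("timeout", "no TCP connection within timeout")
        if isinstance(exc.reason, ConnectionRefusedError):
            return ("refused", str(exc.reason))
        return ("unreachable", str(exc.reason))
    except (TimeoutError, socket.timeout):            # connected, then no response bytes
        return ("timeout", "timeout after connect")
    except ConnectionResetError as exc:               # peer closed mid-exchange
        return ("reset", str(exc))
    if body != expected_body:                         # wrong file, or a catch-all vhost answered
        return ("wrong_body", body)
    return ("ok", body)


class _DemoHandler(http.server.SimpleHTTPRequestHandler):
    """Serves the constructed webroot; a token named 'slow' simulates an overloaded host."""

    def do_GET(self):
        if self.path.endswith("/slow"):
            time.sleep(3)          # accept the connection but never answer in time
            return
        super().do_GET()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_local_webroot(token, key_authz):
    """Create a temp webroot holding the token file and serve it on a random port."""
    webroot = tempfile.mkdtemp(prefix="acme-selfcheck-")
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR))
    with open(os.path.join(webroot, CHALLENGE_DIR, token), "w") as fh:
        fh.write(key_authz)
    handler = functools.partial(_DemoHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def run_selfcheck(timeout=0.5):
    """Exercise the three outcomes a challenge fetch can have against the local server."""
    token = "EFd2enqoFj1zSLkFq87Etraa9sEpfGM8P2ZyiYdxOUQ"      # token from the post
    key_authz = token + ".CONSTRUCTED-ACCOUNT-THUMBPRINT"    # constructed; the real one comes from the ACME client
    srv, base = start_local_webroot(token, key_authz)
    try:
        return {
            "served":  check_http01(base, token, key_authz, timeout),
            "missing": check_http01(base, "no-such-token", key_authz, timeout),
            "slow":    check_http01(base, "slow", key_authz, timeout),
        }
    finally:
        srv.shutdown()


if __name__ == "__main__":
    for name, (kind, info) in run_selfcheck().items():
        print(f"{name:8} -> {kind}: {info}")
```

The distinction between the two `timeout` branches is the practical point: a timeout raised before `urlopen` returns means no TCP handshake completed, while one raised while reading the response means the handshake succeeded and the request then went nowhere, which is what the validator reported for this domain.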

Oh, never mind about HTTPS failing on port 443. Your nginx config doesn't support HTTPS with the listen 443 ssl; commented out.

2 Likes

Yes, definitely something could be wrong with my network. I do manage my own router, though nothing changed between now and then. I have been trying to diagnose the network side of it as well. I set 3 DNS records with my domain registrar -

  • @ .jaredstoker.com A 166.70.250.187 (They use the @ symbol as a wildcard.)
  • www .jaredstoker.com A 166.70.250.187
  •          .jaredstoker.com A 166.70.250.187

It seems to hit my router and occasionally I will get through.

Once the certificate is set up, certbot changes the listen 443; to add ssl and adds the certificate path. Nginx won't start if you set 'listen 443 ssl;' on its own without a certificate store.

If not the router, then has anything else changed?

1 Like

I may have to check with my ISP.

Usually Certbot creates a new server block for port 443. You must have placed them both in the same server block manually. That is usually harder to manage. I would be surprised if the HTTP redirects worked correctly even after resolving the HTTP connection problem.

Once you verify your public IP hasn't changed you could just try restarting the router. We have seen that fix connection problems before. And check all components between that router and your server (wires, switches, ...)

You should check that your ISP has not started blocking access to you on port 80.

2 Likes

Doesn't look like they are.

$ nmap -Pn -p80,443 jaredstoker.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-02 13:26 PDT
Nmap scan report for jaredstoker.com (166.70.250.187)
Host is up (0.041s latency).
rDNS record for 166.70.250.187: 166-70-250-187.xmission.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
1 Like

The http test on check-host.net shows "connection reset by peer"

I don't think that the connection is reset; it appears that TCP packets are not getting to the web server. I've attached a dissection from Wireshark.
packets.txt (7.3 KB)

3 Likes

And now ports 80 & 443 are filtered.

$ nmap -Pn -p80,443 jaredstoker.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-02 13:54 PDT
Nmap scan report for jaredstoker.com (166.70.250.187)
Host is up.
rDNS record for 166.70.250.187: 166-70-250-187.xmission.com

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.18 seconds
1 Like

I basically turned off all of my firewall rules. I do have a filter rule on my firewall to forward the traffic to my web server. Still the same. Must have something to do with the type of filter.
I'm using RouterOS. I use these two rules -
add action=accept chain=forward dst-address=192.168.15.33 dst-port=443 in-interface=ether1 log=yes log-prefix="Website Log - jaredstoker.com" protocol=tcp
add action=accept chain=forward dst-address=192.168.15.33 dst-port=80 in-interface=ether1 log=yes log-prefix="Website Log - jaredstoker.com" protocol=tcp

And these two NAT rules
add action=dst-nat chain=dstnat comment="Web Box Redirect" dst-address=166.70.250.187 dst-port=443 in-interface=ether1 log=yes log-prefix="Web-Personal Traffic" protocol=tcp to-addresses=192.168.15.33 to-ports=443
add action=dst-nat chain=dstnat comment="Web Box Redirect" dst-address=166.70.250.187 dst-address-list="" dst-port=80 in-interface=ether1 log=yes log-prefix="Web-Personal Traffic" protocol=tcp to-addresses=192.168.15.33 to-ports=80

Maybe I should start on a firewall forum for MikroTik.

I also tried the letsdebug site - DNS passes. The tls-alpn-01 fails with an issue on Let's Encrypt -
[IssueFromLetsEncrypt]
A test authorization for jaredstoker.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

166.70.250.187: Timeout after connect (your server may be slow or overloaded)(Let's Debug)

Maybe I'm trying too many times in a row.

I'm more familiar with nftables, however have you tried setting the dst-address in the filter rules to 166.70.250.187?

2 Likes

I think I was able to fix it in a roundabout way. I installed NPM and was able to get it to work by going through the proxy manager. I still need to fix my internal network to be able to hit the domain and get the site, but testing it via a VPN to get outside of my local network lets it connect just fine.

You should review that server block coding to redirect HTTP to HTTPS

curl -i http://jaredstoker.com
HTTP/1.1 200 OK
Server: openresty

Having a dedicated server block for port 80 and a separate one for port 443 will make redirects easier.

2 Likes
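Both replies recommending separate server blocks (the one above and the earlier "Usually Certbot creates a new server block for port 443" post) describe the same layout, so here is one added example of it. This is not the poster's configuration and was not generated by Certbot; the certificate paths assume Certbot's default /etc/letsencrypt/live/<domain>/ layout and must match whatever Certbot actually writes on the box. The challenge location sits in the port 80 block ahead of the redirect, and the HSTS header is sent only over TLS, since browsers ignore it on plain HTTP.

```nginx
# Added example of the two-block layout recommended in the thread.
# Not the poster's config; certificate paths are Certbot's default layout (assumed).

# Port 80: answer the ACME challenge here, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name jaredstoker.com www.jaredstoker.com;

    # Prefix match so this location wins over the redirect below; the token
    # file lands in /var/www/jaredstoker.com/.well-known/acme-challenge/.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/jaredstoker.com;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: TLS only; this is the block Certbot would otherwise create.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name jaredstoker.com www.jaredstoker.com;

    ssl_certificate     /etc/letsencrypt/live/jaredstoker.com/fullchain.pem;   # assumed Certbot path
    ssl_certificate_key /etc/letsencrypt/live/jaredstoker.com/privkey.pem;     # assumed Certbot path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    root  /var/www/jaredstoker.com;
    index index.html;

    # Security headers belong on the TLS block; HSTS is ignored over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self';" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Before reloading, `nginx -t` should pass and a plain-HTTP fetch of a file placed under the challenge directory should return it without being redirected, while any other path on port 80 should answer 301 to the https:// URL.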

Thanks! I'll fix that. Just had to post after tearing my hair out for a couple of days.

2 Likes