Some Challenges have failed

My domain is:

I ran this command: certbot

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Type:   connection
  Detail: Fetching Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache 2.4.56

The operating system my web server runs on is (include version): manjaro 22.1.0 (Talos)

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.5.0

I realize this is a similar question to a lot of others, but I'm pretty sure mine revolves more around my DNS setup than anything else, but I'll be happy to know whatever the problem actually is.
So far from the top I've tried:

  1. certbot renew (same error - actually had a cert to start with, issue cropped up while attempting to renew. Also attempted certbot certonly -d, certbot renew --standalone, certbot renew --apache all of which have led to the same problem)
  2. ensured permissions on document root are 0777
  3. Ensure DNS servers are legit (had previous DNS issues after moving to a new place, they're now set to and
  4. adjust apache config:
    commented out the following:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.

<IfModule ssl_module>
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
<IfModule mod_ssl.c>
  Listen 443
Include /etc/httpd/conf/httpd-le-ssl.conf
  1. updated A record for (was a different IP than - now it's got the same IP)
  2. removed cert
  3. reinstalled certbot

current status: no ssl cert, possibly misconfigured apache (unlikely), uncertain about DNS servers/records and how that's configured (using NetworkManager).

My main guess is that it has something to do with the DNS since that is the part that I understand the least (followed by the apache config)

Additional info:
curl -4 =
dig a +short =
dig a +short =

Any ideas or help is greatly appreciated! I've been banging my head against a wall for a few days now trying to figure out what's going one with this

The DNS looks fine. Your A record should be your public IP and it is.

Your problem is that requests to your domain from the public internet fail. The Let's Debug test site is helpful in these cases (link here). Re-run Let's Debug after making changes until you see OK. Then try certbot again.

My guesses

  1. Your ISP no longer allows requests on port 80 to your location
  2. Your router is not directing such requests to your server. Either blocking by a firewall or NAT / port forwarding problems
  3. Apache is misconfigured. You say unlikely and maybe so but you could run the below as a start. Your comment 4 sounds suspicious.
apachectl -t -D DUMP_VHOSTS

I don't know your O/S so might need apache2ctl or httpd instead


running apachectl -t -D DUMP_VHOSTS returns:

VirtualHost configuration:
*:80          (/etc/httpd/conf/httpd.conf:536)

So I think that's fine.

My home router has it forwarded fine as well.

I did move to a different address with a new ISP, and running a port scan indicated that ports 1-442 were blocked. I am attempting to get 80 unblocked with the ISP to see if that may resolve it

1 Like

Okay, they were about as useful as sandpaper by the toilet. It looks like I may have the final problem as displayed in this post (ISP blocking the port). Do you know how I'd be able to address that (ie using the DNS-01 challenge rather than an http-01 challenge?)

The main "trick" to DNS-01 authentication is being able to automate the changes in your DNS zone.
This requires your DSP to allow changes via API.

  • Not all ACME clients can do that.
  • Not all DSPs allow that.

There is also TLS-ALPN-01 authentication.

  • Not all ACME clients support this.
  • Not all web services support this.

Here is a place to start looking for DNS Providers (DSP)

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.