Sudo certbot --nginx error - domain timeout

Please fill out the fields below so we can help you better.

My domain is: not public :-/

I ran this command: sudo certbot --nginx

It produced this output:

  • The following errors were reported by the server:

    Domain: test.xyz
    Type: connection
    Detail: Timeout

    Domain: www.test.xyz
    Type: connection
    Detail: Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Nginx/1.10.3

The operating system my web server runs on is (include version):
Ubuntu 16.4.0

My hosting provider, if applicable, is: DO

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


I am a Gandi customer and my control panel looks like this: https://wiki.gandi.net/en/dns/zone/a-record (first image). Is the first line the A record?

I really have no idea what I have to do now?!

Edit: I added:

sudo ufw allow https
sudo ufw allow 443
sudo ufw allow proto tcp from any to any port 80,443

Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
Please see the logfiles in /var/log/letsencrypt for more details.

First, I’d suggest adding the --dry-run flag to your certbot commands until you start being able to validate successfully. This runs against the staging server and has a separate (and much higher) rate limit for most things, including authz failures. You’ll be able to try again against production servers an hour after your first failure (the limit is 5/hour, with a sliding window.)

That error indicates that Let’s Encrypt is unable to reach your web server. Are you sure it’s publicly available? Try loading it from your phone instead of your local network, for instance. You’re correct about the first line of that being an A record, which would be for just ‘test.xyz’. You’ll want another A record for ‘www’ as well, so that ‘www.test.xyz’ also resolves. Let us know if you’re able to access this externally first and we’ll go from there.

One other thing to look at is if you are announcing IPv6 addresses (AAAA records) that your server is not able to properly respond to. That’s a really common issue.

I will warn you, if this does end up being a DNS issue, it can be really tough to diagnose those remotely without knowing the domain. I’ll also warn you that once you issue a certificate, your domain is no longer secret anyway, as it will be logged to the publicly available certificate transparency logs.
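As an added example (not code from the thread or from certbot), a small Python pre-flight check that turns the advice above into something runnable: it compares the A and AAAA records of each name with the addresses this host actually serves and probes port 80 on every published address, which is what the CA's validator needs to reach. The sample zone and reachability tables are constructed stand-ins; `live_resolver` and `live_prober` do the same against the real network.

```python
"""Pre-flight check for the HTTP-01 failure modes discussed above: wrong or missing
A records, a stray AAAA record, and port 80 unreachable. Example code, not certbot's."""
import socket
# Constructed zone data standing in for real DNS answers (documentation ranges).
SAMPLE_DNS = {
    ("test.xyz", "A"): ["203.0.113.10"],
    ("test.xyz", "AAAA"): ["2001:db8::10"],  # published, but the host serves no IPv6
    ("www.test.xyz", "A"): [],               # the missing 'www' record from the thread
    ("www.test.xyz", "AAAA"): [],
}
# Constructed reachability table: only the IPv4 address answers on port 80.
SAMPLE_REACHABLE = {("203.0.113.10", 80): True, ("2001:db8::10", 80): False}

def table_resolver(table):  # offline stand-in with the same shape as live_resolver
    return lambda name, rrtype: table.get((name, rrtype), [])

def table_prober(table):  # offline stand-in with the same shape as live_prober
    return lambda addr, port: table.get((addr, port), False)

def live_resolver(name, rrtype):  # A or AAAA lookup via the system resolver (needs network)
    family = socket.AF_INET if rrtype == "A" else socket.AF_INET6
    try:
        return sorted({i[4][0] for i in socket.getaddrinfo(name, 80, family)})
    except socket.gaierror:
        return []

def live_prober(addr, port, timeout=5.0):  # TCP connect, as the CA's validator must do
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(names, host_v4, host_v6, resolve, probe):
    """Return findings that would make HTTP-01 fail; an empty list means consistent."""
    findings = []
    for name in names:
        a, aaaa = resolve(name, "A"), resolve(name, "AAAA")
        if not a and not aaaa:
            findings.append(f"{name}: no A or AAAA record, nothing to validate against")
            continue
        if a and host_v4 not in a:
            findings.append(f"{name}: A {a} does not point at this host ({host_v4})")
        if aaaa and host_v6 not in aaaa:
            findings.append(f"{name}: AAAA {aaaa} published but this host serves no IPv6 there")
        for addr in a + aaaa:
            if not probe(addr, 80):
                findings.append(f"{name}: port 80 on {addr} unreachable (firewall or wrong address)")
    return findings
```

Run `preflight(["test.xyz", "www.test.xyz"], "<your public IPv4>", None, live_resolver, live_prober)` on the server; the constructed tables reproduce the thread's situation (apex A record present, no 'www' record, AAAA published but IPv6 not served).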
