The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
home.antonaparin.com
I ran this command:
certbot certonly --standalone
It produced this output:

Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): home.antonaparin.com
Renewing an existing certificate for home.antonaparin.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: home.antonaparin.com
  Type:   connection
  Detail: 194.166.238.117: Fetching http://home.antonaparin.com/.well-known/acme-challenge/_VPkB6HCjtYAbAXeOr_qWfHwbS_KwRzXionA93snLeg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile C:\Certbot\log\letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
Nginx 1.23.3
The operating system my web server runs on is (include version):
Windows 11 Pro

I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.2.0

The domain 100% works. If I run an Nginx server, I can curl my domain on port 80. I stopped the server before running the command.

Is the certificate for the nginx server? Because using the --webroot method might be easier as you can leave nginx running.

Debugging standalone is harder but you can do this

certbot certonly --standalone -d home.antonaparin.com --debug-challenges -v --dry-run

This will pause and show you the URL the Let's Encrypt server will use to validate your domain. Leave this paused and try the URL from outside your local network. Use a cell phone with wifi off, for example, to use the carrier's network.

Once this is working, remove the --dry-run, --debug-challenges, and -v to get a production cert.

Right now we cannot see your domain from the public internet but if you don't have nginx running that is expected.


I connected to the internet through my phone just as you said.
I can connect to both SSH and the NGINX server.

However, I cannot get the challenge:

This seems very weird

That's not quite what I meant. If that ssh is on the same Windows machine that's not the same as accessing your domain from the public internet. I meant to use your phone w/wifi off and use a browser (or other client) on your phone to access your domain. With --standalone paused you could even just try your domain without the long URI shown by Certbot. You should get some response other than timeout.

Let's back up though. What do you plan to use the cert for? Certbot isn't well integrated to Windows and there may be a better Windows focused ACME Client for your situation.

And, if it's just for nginx the --webroot method is much easier to debug and doesn't need your nginx server to be down.

Before moving forward trying to find out why --standalone isn't working, let's make sure this is a good method.


I used webroot and it just worked. Idk why standalone didn't.
Thanks a lot for your help and effort!


Windows has a port-sharing capability which Certbot doesn't use, as it wants exclusive access. And sometimes, for this reason, Certbot does not report failures to get access to port 80. It's probably related to this.

I thought nginx also used exclusive port access but maybe not. Glad you got something working

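The two things this thread turns on, what the CA actually fetches during an HTTP-01 challenge (the debugging procedure with --debug-challenges above) and why --standalone needs port 80 to itself while --webroot does not (the last reply), can be reproduced locally. The following is an added example, not Certbot's code and not from this thread: it builds the key authorization string the way RFC 8555 section 8.1 defines it (token, a dot, and the base64url SHA-256 thumbprint of the account JWK), serves it once from a file in a "webroot" directory behind a running file server and once from an in-memory "standalone" responder, then plays the CA's role and fetches it. It also shows that a second listener cannot bind the port the file server already holds, which is the conflict the last reply describes. The JWK, token and loopback ports are constructed; real validation uses port 80 and the public address the domain resolves to.

```python
"""Local simulation of ACME HTTP-01 validation: webroot vs standalone responders,
plus the port-conflict case. Constructed example; not Certbot's implementation."""
import base64
import functools
import hashlib
import json
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token '.' base64url(SHA-256(JWK thumbprint per RFC 7638)).
    The thumbprint input is the JWK's required members, sorted, with no whitespace."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return f"{token}.{b64url(hashlib.sha256(canonical).digest())}"


def write_webroot_challenge(webroot: str, token: str, keyauth: str) -> str:
    """What --webroot does: drop the file where the running web server will serve it."""
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


class QuietFileHandler(SimpleHTTPRequestHandler):
    """Stand-in for nginx serving static files from a document root."""

    def log_message(self, *args):  # keep the example's output clean
        pass


class StandaloneHandler(BaseHTTPRequestHandler):
    """Stand-in for certbot --standalone: answers challenges from memory only."""

    challenges: dict = {}

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PATH):
            body = self.challenges.get(self.path[len(CHALLENGE_PATH):])
            if body is not None:
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(body.encode())
                return
        self.send_error(404)

    def log_message(self, *args):
        pass


def serve(handler_factory) -> HTTPServer:
    """Start a listener on an ephemeral loopback port (port 80 would need privileges)."""
    server = HTTPServer(("127.0.0.1", 0), handler_factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def validate(port: int, token: str, expected: str) -> bool:
    """The CA's side: fetch the challenge URL and compare with the key authorization.
    Any timeout, refusal or 404 is a failed challenge, like the 'connection' error above."""
    url = f"http://127.0.0.1:{port}{CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.status == 200 and resp.read().decode().strip() == expected
    except (urllib.error.URLError, socket.timeout):
        return False


def port_is_free(port: int) -> bool:
    """Emulate standalone's bind attempt: a plain socket, no address reuse."""
    sock = socket.socket()
    try:
        sock.bind(("127.0.0.1", port))
        return True
    except OSError:
        return False
    finally:
        sock.close()


def run_demo() -> dict:
    jwk = {"e": "AQAB", "kty": "RSA", "n": "constructed-modulus-not-a-real-key"}
    token = "constructed_token_Ab3"  # a CA issues a random token per challenge
    keyauth = key_authorization(token, jwk)
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        write_webroot_challenge(webroot, token, keyauth)
        nginx_like = serve(functools.partial(QuietFileHandler, directory=webroot))
        port = nginx_like.server_address[1]
        results["webroot_ok"] = validate(port, token, keyauth)
        results["port_free_while_nginx_runs"] = port_is_free(port)  # standalone would fail here
        nginx_like.shutdown()
        nginx_like.server_close()
    StandaloneHandler.challenges = {token: keyauth}
    standalone = serve(StandaloneHandler)
    port = standalone.server_address[1]
    results["standalone_ok"] = validate(port, token, keyauth)
    results["wrong_token"] = validate(port, "some-other-token", keyauth)
    standalone.shutdown()
    standalone.server_close()
    results["unreachable"] = validate(port, token, keyauth)  # nothing listening any more
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the `port_free_while_nginx_runs` result is the one made in the last reply: while a web server holds the port, a listener that insists on exclusive use cannot bind it, so a standalone responder never comes up and the CA's fetch times out exactly as in the output above, whereas the webroot variant only needs write access to the document root. When testing a real host, the fetch in `validate` has to come from outside the local network, since a loopback or LAN success says nothing about the firewall or NAT in front of port 80.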
