The Certificate Authority failed to download the temporary challenge files created by Certbot

Hi,
We have set up nginx with OAuth 2 to secure our web server; now we are trying to generate an SSL certificate with certbot, but it gives the error below. Please help.

"Requesting a certificate for example.com
certbot |
certbot | Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: example.com
certbot | Type: connection
certbot | Detail: x.x.x.x: Fetching http://example.com/.well-known/acme-challenge/NZ81qPhgw_aGWRCknGlktaBVkMPI6PGAxxxxxxxx: Timeout during connect (likely firewall problem)
certbot |
certbot | Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
certbot |
certbot | Some challenges have failed.
"

Hi @meoptimusprime, and welcome to the LE community forum :)

That means LE servers were unable to reach your site [via HTTP (TCP port 80)].

The message had these suggestions:

"Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet."

Have you checked any of that?

Note: Without your actual domain name, we are not able to do any actual troubleshooting.
You could try using an online validation tool, like:
https://letsdebug.net/


Thanks for your input,
Actually, we are using DDNS for our main domain, which is company.ddns.net, and we created a CNAME record for the new domain "door.company.net" in our DNS records, pointing to our main DDNS domain, just to access that web server.
Now, from letsdebug.net, when I test HTTP for our main DDNS domain, it is reached but gives an error about a missing A or AAAA record; but the new domain door.company is not reached at all.


Double-check the CNAME record.


The CNAME is correct; it resolves to the same IP as our DDNS record.

Now the error has changed when I tried from another internet connection in Letsdebug.
Error details below:

ANotWorking

ERROR

bab.mozn.sa has an A (IPv4) record (x.x.x.x) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

A timeout was experienced while communicating with door.company.com/x.x.x.x: Get "http://door.company.com/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://door.company.com/.well-known/acme-challenge/letsdebug-test (using initial IP x.x.x.x)
@0ms: Dialing x.x.x.x
@10001ms: Experienced error: context deadline exceeded

Your site is unreachable via HTTP [TCP port 80] from the Internet.


Yeah,
when we run certbot on port 80, it says the port is already in use, whereas it is not.

What are your actual domain names? The two below give very different results, where you say they are the same. If these are not your domain names, please stop using them. It is difficult to help debug communication problems without the real domain name.

Looking at the detailed results in the links below, you will see these are different IP addresses which point to completely different kinds of servers.


Hi,
The above-mentioned domains are just dummies, as an example; I did not advertise our real domains here.

Without the real domain names, we can't help you further. As stated in the questionnaire in the Help section (which you somehow didn't get or, more likely, purposely removed), providing the actual domain name is mandatory.

Withholding the actual domain name makes debugging WAY harder, and providing fake domain names only confuses volunteers, wasting the time we put into helping other people.


There must be something using that port.
OR
certbot is somehow running without enough rights to start such a privileged service [unlikely].

Please show the output of:
netstat -pant | grep -i listen | grep 80

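The checks the replies above ask for (is anything listening on TCP 80, and can the challenge file actually be fetched from the webroot path) can be scripted. The script below is an added example written for this page, not something posted in the thread or shipped by Certbot; the sample netstat output is constructed, and the environment variables ACME_PROBE_DOMAIN and ACME_WEBROOT, the netstat column positions, and the nginx/oauth2-proxy process names are assumptions.

```bash
#!/usr/bin/env bash
# Pre-flight checks for an HTTP-01 webroot challenge (added example, not Certbot's code).
set -eu

# 1. Stage a throwaway token exactly where certbot would write its challenge file
#    and print the URL path a CA (or letsdebug) would fetch for it.
stage_probe_file() {
  local webroot="$1" token="$2"
  local dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf 'probe\n' > "$dir/$token"
  chmod 644 "$dir/$token"           # the web server user must be able to read it
  printf '/.well-known/acme-challenge/%s\n' "$token"
}

# 2. Filter `netstat -pant` output (assumed columns: Proto Recv-Q Send-Q Local
#    Foreign State PID/Program) down to sockets bound to TCP port 80 in LISTEN state.
#    Matches ":80" or ".80" at the end of the local address, so :8080 is excluded.
port80_listeners() {
  awk '$6 == "LISTEN" && $4 ~ /[:.]80$/ { print $4, $7 }'
}

# 3. Fetch the staged token by public hostname, forcing IPv4 as in the thread.
#    Prints the HTTP status code; a timeout means nothing on the path answered.
probe_challenge_url() {
  local host="$1" path="$2"
  curl -4 -sS -m 10 -o /dev/null -w '%{http_code}\n' "http://$host$path"
}

# Constructed sample listener table (not real output from the poster's host).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
tcp        0      0 127.0.0.1:4180          0.0.0.0:*               LISTEN      1300/oauth2-proxy
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1400/altsvc
tcp6       0      0 :::80                   :::*                    LISTEN      1234/nginx: master
tcp        0      0 10.0.0.5:80             203.0.113.9:53122       ESTABLISHED 1234/nginx: worker'

# Only touch the network when explicitly asked, e.g.:
#   ACME_PROBE_DOMAIN=door.example ACME_WEBROOT=/var/www/html bash preflight.sh
if [ -n "${ACME_PROBE_DOMAIN:-}" ]; then
  path=$(stage_probe_file "${ACME_WEBROOT:-/var/www/html}" "probe-$$")
  echo "Listeners on TCP 80 (empty means nothing is bound, so certbot --standalone could bind it):"
  netstat -pant 2>/dev/null | port80_listeners || true
  echo "Fetching http://$ACME_PROBE_DOMAIN$path over IPv4:"
  probe_challenge_url "$ACME_PROBE_DOMAIN" "$path" \
    || echo "connect failed: timeout or refused, which points at a firewall/NAT problem rather than nginx"
fi
```

A 200 from curl run on the server itself only proves the webroot mapping; many NAT routers do not hairpin, so a timeout from inside the network is not conclusive either way, and the fetch should be repeated from an outside host or letsdebug.net. If the outside fetch returns 401/403 rather than timing out, the OAuth 2 layer in front of nginx is intercepting the challenge path and /.well-known/acme-challenge/ needs to be exempted from it.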
