The Certificate Authority failed to download the temporary challenge files created by Certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://baryah.no-ip.org

I ran this command: 'letsencript' from 'nc_webui' in 'nextcloudpi' installation.

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for baryah.no-ip.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: baryah.no-ip.org
Type: connection
Detail: During secondary validation: 117.208.191.162: Fetching http://baryah.no-ip.org/.well-known/acme-challenge/6g_hbCpxfSH3kbUjbWhcGJG3U01B0K7On7BacLH9gAQ: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.65

The operating system my web server runs on is (include version): Armbian-unofficial 24.2.1 Bookworm \l . 6.6.18-current-bcm2711 (aarch64)

My hosting provider, if applicable, is: selfhosting on raspberry pi v4

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): provided along with the local installation of 'nextcloudpi' accessable at https://:4443

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

while the command was running I could see the file "6g_hbCpxfSH3kbUjbWhcGJG3U01B0K7On7BacLH9gAQ" at "/var/www/nextcloud/.well-known/acme-challenge/" and download it using "http://baryah.no-ip.org/.well-known/acme-challenge/6g_hbCpxfSH3kbUjbWhcGJG3U01B0K7On7BacLH9gAQ" in a web-browser.

I have been nhosting the nextcloudpi for many years annd facing this problem now only

Do you have any geocaching?

This means that some locations could fetch the challenge file, but others could not.

That seems to be a problem.

I also ran

sudo /usr/bin/certbot certonly -v --dry-run --webroot --agree-tos --redirect --hsts --staple-ocsp -d baryah.no-ip.org -w /var/www/nextcloud

and got the following output -

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Simulating a certificate request for baryah.no-ip.org
Performing the following challenges:
http-01 challenge for baryah.no-ip.org
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Challenge failed for domain baryah.no-ip.org
http-01 challenge for baryah.no-ip.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: baryah.no-ip.org
  Type:   connection
  Detail: During secondary validation: 117.208.191.162: Fetching http://baryah.no-ip.org/.well-known/acme-challenge/EXtH0fmRd0uL26_ePOSbgTIORZZbGkqwBY10fTM613c: Timeout after connect (your server may be slow or overloaded)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I concur with @Bruce5051 and @petercooperjr.

And again @baryah the same issue.

Let’s Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt.
This means that your webserver needs to be able to be seen from anywhere around the world for the URLs like http://baryah.no-ip.org/.well-known/acme-challenge/sometokentestfilename
Presently that is not the case as Peter has shown.
And shown again here Permanent link to this check report

Please check your firewall rules.

Also please see

Also the Nextcloud forums https://help.nextcloud.com/ might also be of assistance for you.

I also began experiencing this problem today, so I am watching for suggestions. I was also thinking that it might be firewall related, because the server in question is the frequent target of data harvesting AI bots, and we've taken sort of a brute force approach to blocking whole sets of ASN networks, especially if they originate from certain countries.

Can you provide the IP addresses we need to make sure are allowed?

Just saw, and read, this one:
Unexpected renewal failures since April 2024? Please read this!

I'll just say it would be extraordinarily helpful to know what the IP addresses are, if for no other reason than to verify that unblocking them would solve the problem for now.

I guess I'll have to disable my firewall briefly to verify that it's a firewall issue.

Please read this post that was posted earlier. It explains all you need about that