The Certificate Authority failed to verify the manually created challenge files

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command:certbot certonly --manual --csr C:\resin-4.0.44\keys\gryffindor.csr --preferred-challenges "http"

It produced this output:
2021-12-28 08:43:44,373:INFO:certbot._internal.auth_handler:Challenge failed for domain
2021-12-28 08:43:44,373:INFO:certbot._internal.auth_handler:http-01 challenge for
2021-12-28 08:43:44,373:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Type: connection
Detail: Fetching Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

My web server is (include version):resin-4.0.44

The operating system my web server runs on is (include version):Windows Server 2012 R2 Standard

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot version: 1.19.0

Hi @fhhs and welcome to the LE community forum :slight_smile:

You will need a working HTTP site before it can be secured (via HTTP authentication).


I have confirmed that the http site is working properly.
like this:

It looks like you got a new certificate today. See |

Do you still need help?

Update: @fhhs Earlier today when I quickly looked at your problem your server was sending an expired certificate but it was sending a complete chain. Now, you are sending just the server "leaf" certificate but not the chain. You should restore the setting that sent the whole chain but using your new certificate (from fullchain.pem). You can view your cert and chain with a site like this:


Thank you very much, I have completed Certificate request.


But you still have one more issue:

  • IPv4 and IPv6 do not serve the same content:
curl -Ii4
HTTP/1.1 302 Found
Content-Length: 65

curl -Ii4
HTTP/1.1 200 OK
Content-Length: 416

curl -Ii6
curl: (56) Recv failure: Connection reset by peer

curl -Ii6
curl: (7) Failed to connect to port 443: Connection timed out

Notice the different return codes, lengths, and error messages.

Addresses: 2001:288:8219:1::65

IPv4 and IPv6 do not serve the same content

Related issues have been resolved.
Thank you very much.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.