Timeout during connect When standalone mode

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
sudo certbot certonly --standalone
It produced this output:
root@vultr:~# sudo certbot certonly --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): caoyx.cyxhj.buzz
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for caoyx.cyxhj.buzz
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. caoyx.cyxhj.buzz (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://caoyx.cyxhj.buzz/.well-known/acme-challenge/oqA-qUTVR3UE2EJktc0fgVl2vIV-_ZBx9V1m-Oyq0eU: Timeout during connect (likely firewall problem)


  • The following errors were reported by the server:

    Domain: caoyx.cyxhj.buzz
    Type: connection
    Detail: Fetching
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
standalone mode

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS x64

My hosting provider, if applicable, is: vultr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

And other clues:

  1. When i start a nginx server on my instance, it works. and it can be visited via chrome. ping success, telnet ip 80 or 8080 is ok
  2. I'm in china

letsencrypt.txt (124.2 KB)

@IanCao , welcome to the community!

For me the website access reports "No route to host":

pi@raspberrypi:~ $ curl -s -v 'http://caoyx.cyxhj.buzz/' > /dev/null
*   Trying
* Expire in 200 ms for 4 (transfer 0x5b5950)
* connect to port 80 failed: No route to host
* Failed to connect to caoyx.cyxhj.buzz port 80: No route to host
* Closing connection 0
pi@raspberrypi:~ $ 

The program traceroute reports similar thing:

tumbleweed:~ # traceroute -T -p 80 caoyx.cyxhj.buzz
traceroute to caoyx.cyxhj.buzz (, 30 hops max, 60 byte packets
 7  ntt-5.gw.opentransit.net (  18.613 ms  17.235 ms  17.833 ms
 8  ae-3.r20.frnkge13.de.bb.gin.ntt.net (  18.551 ms  17.745 ms  17.777 ms
 9  * ae-14.r21.londen12.uk.bb.gin.ntt.net (  23.491 ms ae-12.r21.parsfr04.fr.bb.gin.ntt.net (  19.677 ms
10  ae-13.r24.asbnva02.us.bb.gin.ntt.net (  99.959 ms  110.501 ms  95.619 ms
11  ae-2.r25.lsanca07.us.bb.gin.ntt.net (  154.162 ms  153.491 ms ae-2.r24.snjsca04.us.bb.gin.ntt.net (  153.692 ms
12  ae-5.r26.osakjp02.jp.bb.gin.ntt.net (  536.078 ms  251.591 ms ae-1.r24.lsanca07.us.bb.gin.ntt.net (  154.853 ms
13  ae-0.r27.osakjp02.jp.bb.gin.ntt.net (  262.879 ms ae-5.r27.osakjp02.jp.bb.gin.ntt.net (  246.805 ms  259.705 ms
14  ae-3.r00.seolko02.kr.bb.gin.ntt.net (  296.946 ms  288.752 ms  297.068 ms
15  xe-0-2-0-1-3.r00.seolko02.kr.ce.gin.ntt.net (  285.106 ms  289.780 ms  299.456 ms
16 (  303.103 ms !X  305.498 ms !X  307.991 ms !X
tumbleweed:~ # 

Please note the ICMP reply type !X on the last line of the traceroute. It means "communication administratively prohibited".


@IanCao I can connect to your domain using HTTPS just fine (link here). It looks like you fixed your problem. Do you need any more help?

I see you don't have port 80 (http) open. That works ok if you plan to use --standalone for cert renewal. But, the recommended approach is to keep port 80 open so visitors to your site using HTTP can be redirected to HTTPS. See below topic

Note though that if you start using nginx to handle port 80 you will need to stop using --standalone and instead use --webroot or maybe --nginx authentication.


And I presently see

$ nmap -Pn caoyx.cyxhj.buzz
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-11 17:41 UTC
Nmap scan report for caoyx.cyxhj.buzz (
Host is up (0.19s latency).
rDNS record for
Not shown: 993 closed ports
22/tcp   open     ssh
25/tcp   filtered smtp
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
9999/tcp open     abyss

Nmap done: 1 IP address (1 host up) scanned in 19.14 seconds

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.