Troubleshooting firewalls

My domain is:

I ran this command:
certbot --authenticator webroot --webroot-path=/var/www/letsencrypt --installer nginx --email xxxxx@yyyyyy.zzz --non-interactive --domain --agree-tos

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout during connect (likely firewall problem)

 - The following errors were reported by the server:

   Type:   connection
   Detail: Fetching
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

The operating system my web server runs on is (include version):
Debian Stretch (9)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I am starting to consider networking a form of voodoo.
I ran:

$ nmap

Starting Nmap 7.40 ( ) at 2018-05-17 21:53 CEST
Nmap scan report for (
Host is up (0.0051s latency).
rDNS record for
Not shown: 997 filtered ports
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

And then logged in via SSH. When visiting the webpage, I am forced to use HTTPS and there is a TLS handshake failure (of course). I seem to be running in circles. Any help would be greatly appreciated.


Hi @oneyb,

I can’t access your site at all in HTTP or HTTPS, which makes me think that the error message is probably right—there may be a firewall preventing the general public from reaching your site. Have you tried accessing it from somewhere other than the local network?

Hi Seth,

thanks for the quick reply.

/ -Pn

Starting Nmap 7.31 ( ) at 2018-05-18 01:12 CEST
mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for (
Host is up (0.063s latency).
Not shown: 998 filtered ports
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 113.76 seconds

Strangely, it missed the open SSH port… voodoo.

I have port forwarding enabled.

HTTP from a browser doesn't work. The error is correct, of course, but I'm stuck correcting it.

I see something different:

80/tcp  filtered http
443/tcp filtered https

So, what kind of connection are you running your nmap scan from?

That one was from a broadband mobile connection.

Well, I think there must be a firewall of some sort somewhere, as I’ve tried from two different ISPs and gotten “filtered” as seen from both of them!

Yes, of course. Do you have any ideas how to identify where the filtering is happening?

What further confuses me is (edited for security):

$ ssh
Linux box 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1+deb9u1 (2018-05-07) x86_64

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 17 22:01:47 2018 from
~ $

So ssh is not a problem. My ISP says to do port forwarding in the router, which I have done for both 80 and 443.

Are you somehow using the same ISP that’s hosting this server?

The subdomain is registered with I am hosting it here at home. So, no, I am not. Well… yes technically, I am.

Is that ISP also the broadband ISP that you used for port scanning, or a different one?

I am pretty sure that's not the case. The broadband mobile is provided by a different company, I think. Why do you ask? You are wondering why you see a different internet than I do?

Yes, exactly. I imagine that the Let's Encrypt CA is ending up with effectively the same view of your server that I have (in which these ports appear as filtered and don't respond to the TCP connection), so I wonder why that's true for some Internet users but not from your perspective on the Internet.
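The check Seth's reasoning calls for, written out as an added example (it is not part of the original thread and not certbot's own code): from whatever vantage point you run it on, resolve the name, report whether the address is one a public CA could reach at all, attempt a TCP connect to 80 and 443 and classify the outcome the way nmap does (a refused connection is "closed", a silent timeout is "filtered"), and optionally plant a token under `<webroot>/.well-known/acme-challenge/` and fetch it over plain HTTP, which is the request the http-01 validator makes. The host name, webroot path and timeout are command-line arguments; the function and variable names are assumptions of this example.

```python
"""Reachability and http-01 self-test for a certbot webroot setup.

Added example, not from the original thread. Run it from a machine outside
your own network (a VPS, a phone on mobile data) to see what the CA sees:

    python3 acme_reach.py example.org /var/www/letsencrypt
"""
import ipaddress
import os
import secrets
import socket
import sys
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def classify(exc):
    """Map a connect() outcome to nmap-style vocabulary.

    None means the connection succeeded ('open'). A ConnectionRefusedError is
    a TCP RST: the packet reached the host and nothing listens ('closed').
    A timeout means neither SYN-ACK nor RST came back, i.e. something in the
    path silently drops the packets ('filtered'). Anything else (no route,
    DNS failure) is reported verbatim.
    """
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"
    return "error: %s" % exc


def probe(host, port, timeout=5.0):
    """Resolve host, attempt one TCP connect, return (state, resolved_ip)."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as e:
        return classify(e), None
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open", ip
    except OSError as e:
        return classify(e), ip


def is_public(ip):
    """A public CA cannot reach loopback, RFC1918 or link-local addresses."""
    return ipaddress.ip_address(ip).is_global


def challenge_self_test(host, webroot, timeout=5.0, port=80):
    """Plant a random token in the webroot and fetch it as the validator would.

    Returns True only if the body served at /.well-known/acme-challenge/<token>
    equals the token just written. The file is removed afterwards either way.
    """
    token = secrets.token_urlsafe(16)
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as f:
        f.write(token)
    url = "http://%s:%d%s%s" % (host, port, ACME_PATH, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
        return body.strip() == token
    except (urllib.error.URLError, OSError):
        return False
    finally:
        os.remove(path)


if __name__ == "__main__":
    name = sys.argv[1]
    root = sys.argv[2] if len(sys.argv) > 2 else None
    for p in (80, 443):
        state, ip = probe(name, p)
        print("%s -> %s: %d/tcp %s" % (name, ip, p, state))
        if ip and not is_public(ip):
            print("  %s is not globally routable; the CA cannot reach it" % ip)
    if root:
        print("http-01 self-test:", "PASS" if challenge_self_test(name, root) else "FAIL")
```

If the script reports "filtered" on 80 from outside but "open" from the LAN, the drop is upstream of the server (router, ISP), which is exactly the split in this thread: a forwarding rule on the router only helps when the ISP delivers the packets to it in the first place. Run the self-test against the public name, not `localhost`, because that is also what exercises the DNS A/AAAA record the error message mentions.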


His server IP and all IPs in that range have port 80 blocked.

@oneyb Can you try hooking your server up to your home broadband and see if that works? Because the ISP you use now has port 80 blocked.

Thank you
