Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.mindtrek.dnsalias.net (several hostnames)
lego client always worked and no longer works
switched to acme.sh and have same exact behavior
What happens (with lego client 4.22 or earlier Linux or Windows, or acme.sh):

• with csr or single domain specified same result
• authentication tokens are probably written and then deleted in /.well-known/acme-challenge (all permissions in place for the client)
• after a few retries the client exits with a "timeout" error message (Invalid status. Verification . . .: Fetching http://about.mindtrek.dnsalias.net/.well-known/acme-challenge/gsEF_ffwmUbW7NX_WuWLRxd4UGSsJ_siq22unNe27Fo: Timeout during connect (likely firewall problem))
• !!! as mentioned there was no GET coming from the letsencrypt server and there
• but a tcpdump trace and the nginx logs sdhow no connection attempt
• creating the same token with vi in the acme-challenge folder and accessing it (e.g.) at http://about.mindtrek.dnsalias.net/.well-known/acme-challenge/ works fine from curl or a browser

I ran this command:
lego client (single domain not even with csr)
./lego --email="contact@mindtrek.dnsalias.net" --domains="www.mindtrek.dnsalias.net" --http --http.webroot=/var/www/html/4lego_mindtrek.dnsalias.net --accept-tos --http-timeout=300 run
acme.sh:
./acme.sh --log --server letsencrypt --issue --signcsr --csr ./mindtrek_all_any.csr -w /var/www/html/4lego_mindtrek.dnsalias.net | tee acme_sh.log

It produced this output:

[Tue Mar 11 02:32:00 UTC 2025] about.mindtrek.dnsalias.net: Invalid status. Verification error details: 37.27.253.25: Fetching http://about.mindtrek.dnsalias.net/.well-known/acme-challenge/gsEF_ffwmUbW7NX_WuWLRxd4UGSsJ_siq22unNe27Fo: Timeout during connect (likely firewall problem)
[Tue Mar 11 02:32:00 UTC 2025] Please check log file for more details: /root/.acme.sh/acme.sh.log

My web server is (include version):
nginx 1.26.2 or apache 2.4 same behavior

The operating system my web server runs on is (include version):
Ubunto 24 x64

My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No, strait cli

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
It is not certbot - lego 4.22 and acme.sh latest

In the acme.sh log (more verbose than lego) can see
[Tue Mar 11 00:31:14 UTC 2025] Verifying: about.mindtrek.dnsalias.net
[Tue Mar 11 00:31:14 UTC 2025] d='about.mindtrek.dnsalias.net'
[Tue Mar 11 00:31:14 UTC 2025] keyauthorization='QJ8fNDLE_bi9hRHFlpirUBbPDtM578oedjedCzTn1XE.VkgCNKsVKO3HpNJWf8DiOxczHYP7SysLgb2knGwYoSk'
[Tue Mar 11 00:31:14 UTC 2025] uri='https://acme-v02.api.letsencrypt.org/acme/chall/2274296956/487869013746/tVZI0w'
[Tue Mar 11 00:31:14 UTC 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/2274296956/487869013746'
[Tue Mar 11 00:31:14 UTC 2025] _currentRoot='/var/www/html/4lego_mindtrek.dnsalias.net'
[Tue Mar 11 00:31:14 UTC 2025] wellknown_path='/var/www/html/4lego_mindtrek.dnsalias.net/.well-known/acme-challenge'
[Tue Mar 11 00:31:14 UTC 2025] Writing token: QJ8fNDLE_bi9hRHFlpirUBbPDtM578oedjedCzTn1XE to /var/www/html/4lego_mindtrek.dnsalias.net/.well-known/acme-challenge/QJ8fNDLE_bi9hRHFlpirUBbPDtM578oedjedCzTn1XE
[Tue Mar 11 00:31:14 UTC 2025] Trigger domain validation.
[Tue Mar 11 00:31:14 UTC 2025] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall/2274296956/487869013746/tVZI0w'
[Tue Mar 11 00:31:14 UTC 2025] _t_key_authz='QJ8fNDLE_bi9hRHFlpirUBbPDtM578oedjedCzTn1XE.VkgCNKsVKO3HpNJWf8DiOxczHYP7SysLgb2knGwYoSk'
[Tue Mar 11 00:31:14 UTC 2025] _t_vtype='http-01'
[Tue Mar 11 00:31:14 UTC 2025] =======Sending Signed Request=======
[Tue Mar 11 00:31:14 UTC 2025] url='https://acme-v02.api.letsencrypt.org/acme/chall/2274296956/487869013746/tVZI0w'
[Tue Mar 11 00:31:14 UTC 2025] payload='{}'
. . .

[Tue Mar 11 00:31:26 UTC 2025] code='200'
[Tue Mar 11 00:31:26 UTC 2025] original='{
"identifier": {
"type": "dns",
"value": "about.mindtrek.dnsalias.net"
},
"status": "invalid",
"expires": "2025-03-18T00:31:05Z",
"challenges": [
{
"type": "http-01",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall/2274296956/487869013746/tVZI0w",
"status": "invalid",
"validated": "2025-03-11T00:31:14Z",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "37.27.253.25: Fetching http://about.mindtrek.dnsalias.net/.well-known/acme-challenge/QJ8fNDLE_bi9hRHFlpirUBbPDtM578oedjedCzTn1XE: Timeout during connect (likely firewall problem)",
"status": 400
},
"token": "QJ8fNDLE_bi9hRHFlpirUBbPDtM578oedjedCzTn1XE",
"validationRecord": [
{
"url": "http://about.mindtrek.dnsalias.net/.well-known/acme-challenge/QJ8fNDLE_bi9hRHFlpirUBbPDtM578oedjedCzTn1XE",
"hostname": "about.mindtrek.dnsalias.net",
"port": "80",
"addressesResolved": [
"37.27.253.25"
],
"addressUsed": "37.27.253.25"
}
]
}
]
}'

Hello @mr401b, welcome to the Let's Encrypt community.

The HTTP-01 challenge states "The HTTP-01 challenge can only be done on port 80."

Using the online tool Let's Debug yields these results https://letsdebug.net/about.mindtrek.dnsalias.net/2388323

image1009×487 8.63 KB

And from around the world here Permanent link to this check report shows "Connection timed out".

Best Practice - Keep Port 80 Open

Try if from a location not on your LAN, like a cellphone with Wi-Fi OFF.

Retried and same result although the Letsencrypt IPs arfe open in the FW
This below is from my local getting out on Internet on 76.69.165.115

curl http://about.mindtrek.dnsalias.net/.well-known/acme-challenge/letsdebug-test

letsdebug-test-1
letsdebug-test-2
letsdebug-test-3
This is what's opened in the FW corresponding to the nslookup for

• acme-v01.api.letsencrypt.org
• acme-staging.api.letsencrypt.org
• acme-v02.api.letsencrypt.org
• acme-staging-v02.api.letsencrypt.org
• image|690x54](upload://lRUfxWMiYF7NtiueHy70yCYmpUP.png)

Very strange indeed. Unfortunately I do not have access to the FW logs

When I opened everything it reported "no issue"

image1051×258 13.8 KB

And the GET requests to tokens in /.well-known/acme-challenge are coming from a bunch of IP addresses in AWS EC2 that might change over time. Therefore should the FW be open to the world?
54.254.200.14
54.201.75.93
54.201.127.138
52.77.255.163
47.130.1.42
44.246.248.237
35.95.117.138
34.217.126.65
3.22.120.242
3.17.4.198
3.143.113.47
23.178.112.216
23.178.112.215
23.178.112.214
23.178.112.212
23.178.112.104
23.178.112.101
23.178.112.100
18.189.182.179
16.171.233.56
13.61.178.51
13.60.190.250
13.53.243.165
13.49.183.211
13.212.170.136

Yes. That has long been the case, if not always.

Sill failing https://letsdebug.net/about.mindtrek.dnsalias.net/2388712

image1290×2796 407 KB

In practice the validation requests are coming from countries that are not particularly controversial (subjective, I know) so you can still block specific problematic countries and validation will usually succeed.

If you feel strongly about blocking port 80 geographically you could consider using a web application firewall which can limit port 80 traffic to /.well-known/acme-challenge/ requests.

If you would rather block port 80 you can switch to DNS validation instead of HTTP.