I had to manually create acme-challenge but see no file in it. I am a root user.

My domain is: secaucuspentecostals.org

I ran this command: sudo certbot --apache -d www.secaucuspentecostals.org -d secaucuspentecostals.org

It produced this output:
Type: connection
Detail: Fetching http://www.secaucuspentecostals.org/.well-known/acme-challenge/DwA9iuQcQQd4HPNwM1kf_XYOZtl--Ai1CZZrmu8gkKI: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-04-02 21:56:09,216:INFO:certbot.auth_handler:Cleaning up challenges

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: hosted from home through Optimum Online

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

Hi @gevensen,

The problem is probably nothing to do with creating .well-known/acme-challenge (Certbot now creates that for you automatically with --apache), but probably with your ISP (or a firewall device) blocking incoming connections from the Internet to your port 80. Could you check that you don’t have a router or firewall policy preventing these inbound connections? And that your ISP doesn’t forbid them either?


Looks like @_az’s got a much more helpful answer here!


It's operating normally from my office. I am using managed DNS with No-IP with a domain name; ports 80 and 443 are open to traffic. Are there any other ports to open?


It’s not accessible from anywhere else on the internet.


If you’re accessing it from within the same network where you’re hosting it, then this is not a reliable indicator that the ports are “open to traffic”.


OK, thanks. I guess I need to figure out why.
My office is on Comcast.
whatsmydns shows the A record is propagated.


Are you sure you’re not accessing it via https://secaucuspentecostals.org/ from your office? Because that URL is accessible.

This would be consistent with port 80 being blocked but port 443 (https) not being blocked.

The other possibility I can think of is if you have a site-to-site VPN.
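To see what the CA actually sees, here is an added example (not something posted in this thread, and not certbot code): it classifies the TCP state of a port the way the CA's fetch would experience it, then GETs the HTTP-01 URL and compares the body with the key authorization certbot placed there. It must be run from a host that is not on your home network; from inside, hairpin NAT on the router can make a port your ISP drops look open. The token is the one from the certbot output above; the thumbprint, the local stand-in server and the 127.0.0.1 checks are constructed so the script runs on its own (Python 3.7 or later).

```python
"""Added example, not from the thread: classify port 80 as the CA's fetch sees
it, then GET the HTTP-01 URL and compare the body. Run from OUTSIDE your LAN.
Thumbprint, stand-in server and 127.0.0.1 checks are constructed."""
import http.server
import socket
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"
# Token copied from the certbot output in the thread; the thumbprint is made up
# (certbot derives the real one from your ACME account key).
TOKEN = "DwA9iuQcQQd4HPNwM1kf_XYOZtl--Ai1CZZrmu8gkKI"
FAKE_THUMBPRINT = "constructed-account-key-thumbprint"
KEY_AUTHORIZATION = f"{TOKEN}.{FAKE_THUMBPRINT}"  # exact body Apache must serve
# No proxies: we want the raw TCP path to the target, as the CA has.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_tcp(host, port, timeout=5.0):
    """'open': handshake done. 'refused': host up, nothing listening (RST).
    'timeout': SYN silently dropped (ISP block, router or firewall rule);
    this is what Let's Encrypt reported as 'Fetching ...: Timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def fetch_challenge(host, port, token, timeout=5.0):
    """GET http://host:port/.well-known/acme-challenge/<token> as the CA does.
    Returns (status, body); status is None when no HTTP response came back."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


def diagnose(host, port, token, expected_body):
    """TCP state if the port is not open; otherwise 'valid' when the served
    body is the expected key authorization, or 'http-<status>' when not."""
    state = probe_tcp(host, port)
    if state != "open":
        return state
    status, body = fetch_challenge(host, port, token)
    if status == 200 and body == expected_body:
        return "valid"
    return f"http-{status}" if status is not None else "no-http-response"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the Apache vhost: serves a token -> key-authorization map."""
    tokens = {}

    def do_GET(self):
        token = self.path[len(ACME_PATH):] if self.path.startswith(ACME_PATH) else None
        if token in self.tokens:
            body = self.tokens[token].encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(404)
            self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_tokens(tokens):
    """Start the stand-in on 127.0.0.1 on a free port; returns (server, port)."""
    ChallengeHandler.tokens = dict(tokens)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_local_demo():
    """Exercise the outcomes locally; returns {case: verdict}."""
    server, port = serve_tokens({TOKEN: KEY_AUTHORIZATION})
    try:
        results = {"served": diagnose("127.0.0.1", port, TOKEN, KEY_AUTHORIZATION),
                   "wrong_token": diagnose("127.0.0.1", port, "no-such-token",
                                           KEY_AUTHORIZATION)}
    finally:
        server.shutdown()
        server.server_close()
    results["closed"] = probe_tcp("127.0.0.1", port)  # listener gone: RST, not timeout
    return results


if __name__ == "__main__":
    print(run_local_demo())
```

Against the real host you would call `diagnose("www.secaucuspentecostals.org", 80, token, key_authorization)` from a VPS or a phone off Wi-Fi, with the token and key authorization certbot prints while it waits. "timeout" on port 80 together with "open" on 443 is exactly the pattern described in this thread; "refused" would instead mean the packets arrive but Apache is not listening on 80.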


OK, it says it's open on my router, but the help says it's only open for business customers.
Alternatively, is it possible to force certbot to use port 443?


Unfortunately not: the validation process must begin on port 80, due to a potential vulnerability with shared hosting.

If you can’t remove the port 80 block, your only other option is to use the DNS challenge rather than the HTTP challenge.


One more question on the DNS challenge. It says: "Please deploy a DNS TXT record under the name
_acme-challenge.www.secaucuspentecostals.org with the following value: {value}"
I cannot prepend the DNS TXT to _acme-challenge.www.secaucuspentecostals.org.
Do I put
_acme-challenge.www.secaucuspentecostals.org={value} in the TXT record?


No, you need to create a new TXT record in your DNS manager.

Name: _acme-challenge.www.secaucuspentecostals.org
Record Type: TXT
Value: <whatever the random characters are>
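To make the name/value split concrete, here is an added example (not from the thread, and not certbot's code) that derives the DNS-01 TXT record certbot asks for and then checks a zone for it the way the CA does: the CA queries TXT at `_acme-challenge.<name>` and compares each record's data against base64url(SHA-256(token "." account-key-thumbprint)). Because the certbot command used two `-d` names, two records are needed, one under `_acme-challenge.www.secaucuspentecostals.org` and one under `_acme-challenge.secaucuspentecostals.org`. The account key, the tokens and the zone contents are constructed placeholders.

```python
"""Added example (not from the thread): derive the DNS-01 TXT record for each
name and check a zone for it. Name and value are separate fields; the CA
compares only the TXT data with the digest. Inputs below are constructed."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over the required
    members only, keys sorted, no whitespace. certbot computes this for you."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(domain: str, token: str, thumbprint: str):
    """RFC 8555 section 8.4: TXT at _acme-challenge.<domain> whose data is
    base64url(SHA-256(token '.' thumbprint)). Returns (name, type, value)."""
    key_authorization = f"{token}.{thumbprint}"
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return f"_acme-challenge.{domain}", "TXT", b64url(digest)


def relative_name(fqdn: str, zone: str) -> str:
    """Many DNS panels want the owner name relative to the zone, e.g.
    '_acme-challenge.www' inside secaucuspentecostals.org. '@' for the apex
    is the usual panel convention (an assumption about the panel, not ACME)."""
    if fqdn == zone:
        return "@"
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -len(suffix)]


def dns01_satisfied(domain, token, thumbprint, zone_records) -> bool:
    """zone_records: {owner_name: [(rrtype, data), ...]} as the CA would see
    it. True only if a TXT RR at the expected owner name carries exactly the
    expected data (certbot's '{value}' goes in the data field on its own)."""
    name, _, want = dns01_record(domain, token, thumbprint)
    return any(rrtype == "TXT" and data == want
               for rrtype, data in zone_records.get(name, []))


# Constructed inputs: placeholder EC public JWK standing in for the account
# key, and one token per name (the CA issues a different token per -d name).
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
THUMBPRINT = jwk_thumbprint(EXAMPLE_JWK)
TOKENS = {"www.secaucuspentecostals.org": "tokenForWwwName_constructed",
          "secaucuspentecostals.org": "tokenForApexName_constructed"}


def records_to_create():
    """The two TXT records certbot would ask for with -d www... -d apex."""
    return [dns01_record(d, t, THUMBPRINT) for d, t in TOKENS.items()]


def demo_zone_checks():
    """Separate name and value fields pass; 'name=value' stuffed into the data
    field, or the record under the wrong owner name, fails. {case: bool}."""
    www = "www.secaucuspentecostals.org"
    name, _, value = dns01_record(www, TOKENS[www], THUMBPRINT)
    good = {name: [("TXT", value)]}
    stuffed = {name: [("TXT", f"{name}={value}")]}
    wrong_owner = {"_acme-challenge.secaucuspentecostals.org": [("TXT", value)]}

    def check(zone):
        return dns01_satisfied(www, TOKENS[www], THUMBPRINT, zone)

    return {"separate_fields": check(good), "name_equals_value": check(stuffed),
            "wrong_owner_name": check(wrong_owner)}


if __name__ == "__main__":
    for record in records_to_create():
        print(record)
    print(demo_zone_checks())
```

When a panel asks for a record name relative to the zone, `relative_name(name, "secaucuspentecostals.org")` gives the string to type (`_acme-challenge.www`); the value field gets the 43-character string certbot prints and nothing else. Whatever a given panel does with other input is up to that panel; the check above reflects what the CA compares.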


On noip.com, entering it in the TXT record as _acme-challenge.www.secaucuspentecostals.org={value} worked. Thanks for all the help.


I was able to get OOL support to escalate this, and it turns out that even though they have the port forwarding where you can enable it, they still have to open it up remotely from their end for any OOL user, but they have to request it.

