
Challenge failed for domain – Certbot error – How to fix?

I was setting up Let's Encrypt certificates to enable SSL on one of my Ubuntu servers. I mapped a domain (zumpdo.xyz) to my server, installed nginx, and ran the certbot certificate generator using the following command.

sudo certbot --nginx -d zumpdo.xyz -d www.zumpdo.xyz

I got this error.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.zumpdo.xyz
http-01 challenge for zumpdo.xyz
Waiting for verification...
Challenge failed for domain www.zumpdo.xyz
Challenge failed for domain zumpdo.xyz
http-01 challenge for www.zumpdo.xyz
http-01 challenge for zumpdo.xyz
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.zumpdo.xyz
   Type:   connection
   Detail: Fetching
   http://www.zumpdo.xyz/.well-known/acme-challenge/_HsorBSWytofXEPBUOifaF8JC6DmWN2FE1zzUjh9zlk:
   Timeout during connect (likely firewall problem)

   Domain: zumpdo.xyz
   Type:   connection
   Detail: Fetching
   http://zumpdo.xyz/.well-known/acme-challenge/qS6VsLSQQulJK_z1dq02XO5JqYAvdcZBZtaxzz97V10:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

It gives a hint that it’s likely a firewall issue. The problem was that the HTTP and HTTPS ports were not exposed on my server. I had to add a rule to allow inbound traffic to port 80 for HTTP and port 443 for HTTPS.
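The error report above can be triaged mechanically. This is an added example, not part of the original post: it condenses certbot's per-domain report into one line per failed domain with a suggested check. It goes one step beyond the timeout case shown here by also handling a refused connection and a DNS failure. The function names `summarize_failures` and `sample_report` are hypothetical, and the sample input is constructed on example.org with a placeholder token.

```shell
#!/bin/sh
# Added example: condense certbot's per-domain error report into one line each.
# Function names and the sample input are constructed for illustration.

# Reads certbot output on stdin; prints "<domain>\t<type>\t<hint>" per failure.
summarize_failures() {
  awk '
    function emit() {
      if (domain == "") return
      hint = "read the full Detail text in the certbot debug log"
      if (detail ~ /Timeout during connect/)
        hint = "packets to port 80 are dropped: allow inbound TCP 80 in the firewall"
      else if (detail ~ /Connection refused/)
        hint = "port 80 is reachable but nothing is listening: check the web server"
      else if (type == "dns")
        hint = "check the A/AAAA records for this name"
      printf "%s\t%s\t%s\n", domain, type, hint
      domain = ""; type = ""; detail = ""
    }
    /^[ \t]*Domain:/ { emit(); domain = $2; in_detail = 0; next }
    /^[ \t]*Type:/   { type = $2; next }
    /^[ \t]*Detail:/ { detail = $0; in_detail = 1; next }
    /^[ \t]*$/       { emit(); in_detail = 0; next }   # blank line ends a block
    in_detail        { detail = detail " " $0 }        # Detail wraps over lines
    END              { emit() }
  '
}

# Constructed sample in the same layout as the report shown in this post.
sample_report() {
cat <<'EOF'
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.example.org
   Type:   connection
   Detail: Fetching
   http://www.example.org/.well-known/acme-challenge/TOKEN-PLACEHOLDER:
   Timeout during connect (likely firewall problem)

   Domain: example.org
   Type:   connection
   Detail: Fetching
   http://example.org/.well-known/acme-challenge/TOKEN-PLACEHOLDER:
   Connection refused
EOF
}

sample_report | summarize_failures
```

A timeout means the validation request never got an answer, which points at a filtering rule in front of the host; a refused connection means the packet arrived but no service accepted it.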

I tried to create the certificates again and voila!

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.zumpdo.xyz
http-01 challenge for zumpdo.xyz
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/default

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/default

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://zumpdo.xyz and
https://www.zumpdo.xyz

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=zumpdo.xyz
https://www.ssllabs.com/ssltest/analyze.html?d=www.zumpdo.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/zumpdo.xyz/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/zumpdo.xyz/privkey.pem
   Your cert will expire on 2021-04-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
