2

I'm trying to set up an SSL certificate for my Nextcloud server with Let's Encrypt, but when I run:

$ sudo certbot certonly --webroot -w /var/www/nextcloud --agree-tos \
     --no-eff-email --email [email protected] -d cloud.domain.com --rsa-key-size 4096

(based on this tutorial: https://howto.wared.fr/ubuntu-installation-nextcloud-nginx/)

I got this error message:

Failed authorization procedure. cloud.domain.com (http-01): urn:acme:error:connection :: 
The server could not connect to the client to verify the domain ::
Fetching http://cloud.domain.com/...: Timeout during connect (likely firewall problem)

(I have already opened firewall ports 80 & 443)

As my router only uses IPv6, I could not set up the port forwarding to point to my server (Ubuntu 18.04). Is that the most likely problem? If yes, do I have to contact my ISP to re-enable IPv4?

If no, what could it be?

slm
D. Math

2 Answers

3

You definitely need to ensure public IPv4 is enabled on your router. Without it, only a handful of people would be able to connect to you. That taken into account, I believe you have some firewall issue on your server. Please post the output of:

sudo iptables --list --verbose --line-numbers

> As my router only uses IPv6, I could not set up the port forwarding to point on my server (ubuntu 18.04), is that the most potential problem? If yes, do I have to contact my ISP to re-enable IPv4?

As I don't fully grasp this sentence, I will say:

  • You need a public IPv4 address assigned on your router

  • If you don't have it, then yes, you need to contact your provider


Afterwards, please make sure you have forwarded ports 80 and 443 from your router to your server.

Vlastimil Burián
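A pre-flight check for the situation in this thread, added here as an example (not code from the answer or from certbot): it resolves the A and AAAA records for a name and tries TCP port 80 on each address, so a timeout like the one in the certbot error can be pinned to one address family. The function names and the injectable `resolver`/`connector` parameters are assumptions made for this example.

```python
import socket
import sys

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}
ADVICE = {
    "timeout": "packets dropped (firewall, missing port forward, or no route)",
    "refused": "host reached, but nothing accepts connections on port 80",
    "unreachable": "no route to this address from here",
}

def resolve(host, family):
    """Addresses DNS publishes for host in one family (A or AAAA)."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_connect(addr, family, port=80, timeout=5.0):
    """Classify one connect attempt as open/timeout/refused/unreachable."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"

def preflight(host, resolver=resolve, connector=tcp_connect):
    """Return ({family: {addr: state}}, [findings]) for port 80 on host."""
    report = {name: {a: connector(a, fam) for a in resolver(host, fam)}
              for name, fam in FAMILIES.items()}
    findings = [f"{name} {addr}: {state}, {ADVICE[state]}"
                for name, results in report.items()
                for addr, state in results.items() if state != "open"]
    for name, record in (("IPv4", "A"), ("IPv6", "AAAA")):
        if not report[name]:
            findings.append(f"{name}: no {record} record published for {host}")
    return report, findings

if __name__ == "__main__" and len(sys.argv) == 2:
    ok = ["port 80 reachable on every published address"]
    for line in preflight(sys.argv[1])[1] or ok:
        print(line)
```

Pass the host name as the only argument, and run it from a machine outside your own network: a connection made from inside the LAN does not pass through the router's firewall or port forwarding.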
0

Maybe this helps someone. If you are using an Amazon EC2 instance, first check that DNS propagation has completed successfully; you can use https://letsdebug.net/ for that. If everything is correct, then verify that your security group (EC2 > Security Groups > nameOfGroup) has these inbound rules:

Type          |   Protocol  |  Port range | Source    | Description - optional
HTTP          |   TCP       |   80        | 0.0.0.0/0 | -
SSH           |   TCP       |   22        | 0.0.0.0/0 | -   
HTTPS         |   TCP       |   443       | 0.0.0.0/0 | -