Issue updating certificate - Timeout issues?

Just recently on our Windows Server 2019 with the latest July Updates, we have been having an issue updating the Let’s Encrypt certificate which is controlled by CertifyTheWeb.

Here is the issue:

2021-08-02 10:06:03.503 +01:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: sub.domain.co.uk
Fetching http://sub.domain.co.uk/.well-known/acme-challenge/XjWIf04YVz_6JEeSAs6lx1IwqZppnzQgFoj3O7Rvbfg: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection

The edge firewall has all ports open to this server as a test. When this used to work, only ports 80 and 443 were open, so having all ports open should work. The firewall on the server is switched off.

Uninstalling and re-installing CertifyTheWeb makes no difference.

Can anyone help troubleshoot this as I’m not sure what else the issue could be.

Have you tried a server reboot? I’ve found Windows Firewall can occasionally be problematic, especially if you have made changes.

The problem is almost definitely port 80:

  • either your virtual machine host doesn’t allow tcp port 80
  • Windows Firewall is in an unusual state and needs a reboot
  • your firewall is not forwarding port 80 to the correct server

If you have a license with us and need more help please email support at certifytheweb.com with your log file and I can look into it in more detail for you.

Yeah, we tried that and disabling Sophos AV too.

Thing is, on the server and remotely we can browse to http://sub.domain.co.uk/.well-known/acme-challenge/configcheck, and on both the server and the remote device the page displays OK, so we know HTTP is working as it should.

Try using https://letsdebug.net - it’s possible you have both an IPv6 and an IPv4 address; Let’s Encrypt will choose IPv6 if that’s the case.

Cheers for the web address. That reports:

A timeout was experienced while communicating with sub domain co uk/xxx.xxx.xxx.xxx: Get “http://sub.domain co uk/.well-known/acme-challenge/letsdebug-test”: context deadline exceeded

Yet I am able to browse to http://sub domain co uk without any issues on port 80.

… RESOLVED!

The edge firewall was the issue and we had turned on GeoBlocking. We forgot that Let’s Encrypt doesn’t use a UK IP Address.

Temporarily turning off GeoBlocking enabled the server to connect to Let’s Encrypt and request a new certificate, which it is now using.

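A small triage script for the failure worked through in this thread (an added example, not Certify The Web’s code; the host and log line are constructed from the quoted output): it parses the CertifyTheWeb log line, looks up A and AAAA records because Let’s Encrypt prefers IPv6 when an AAAA record exists, and fetches the challenge path on each address with the Host header set, the way the CA does. Run it from a machine outside the allowed region, otherwise a geo-block like the one found here will not show up.

```python
"""Triage a failed ACME HTTP-01 challenge from a CertifyTheWeb log line (added example)."""
import http.client, re, socket
# Constructed sample in the log format quoted in the thread; the host is a placeholder.
SAMPLE_LOG = (
    "Fetching http://sub.domain.co.uk/.well-known/acme-challenge/XjWIf04YVz_6JEeSAs6lx1IwqZppnzQgFoj3O7Rvbfg: "
    "Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection")
LOG_RE = re.compile(
    r"Fetching http://(?P<host>[^/]+)(?P<path>/\.well-known/acme-challenge/\S+?): "
    r"(?P<detail>.*?) (?:BadRequest )?(?P<err>urn:ietf:params:acme:error:\w+)")

def parse_failure(log_text):
    """Host, challenge path, the CA's detail text and the ACME error URN, or None."""
    m = LOG_RE.search(log_text)
    return m.groupdict() if m else None

def classify(err, detail):
    """First thing to check for this error URN, based on what the thread found."""
    if err.endswith(":connection") and "Timeout" in detail:
        return ("connect timeout: port 80 unreachable from the CA's vantage point; check the "
                "edge firewall (geo-blocking) and any AAAA record before the local IIS site")
    return "see ACME error " + err

def resolve_families(host):
    """A and AAAA answers; Let's Encrypt prefers IPv6 when an AAAA record exists."""
    fams = {"IPv4": set(), "IPv6": set()}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
            fams["IPv6" if family == socket.AF_INET6 else "IPv4"].add(sockaddr[0])
    except socket.gaierror:
        pass
    return {k: sorted(v) for k, v in fams.items()}

def probe(host, addr, path, timeout=10):
    """GET the challenge path on one specific address with the Host header set, as the CA does."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return "HTTP %d" % conn.getresponse().status
    except OSError as exc:  # socket.timeout is an OSError subclass
        return "no answer: %s" % exc
    finally:
        conn.close()

if __name__ == "__main__":  # run from OUTSIDE the allowed region to reproduce a geo-block
    f = parse_failure(SAMPLE_LOG)
    print(classify(f["err"], f["detail"]))
    for fam, addrs in resolve_families(f["host"]).items():
        for a in addrs:
            print(fam, a, probe(f["host"], a, f["path"]))
```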

Great, glad you got it resolved. An alternative to using http validation is to use DNS validation, that way you don’t need port 80 open at all and there is no requirement to even run a web server for the domains you want to cover.