Problems getting SSL certbot working during install [NAT]

I’m getting the following error when using the auto setup option for Let’s Encrypt:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Type: connection
Detail: Fetching Timeout during connect (likely firewall problem)

I’m running this on Rocky Linux 9.1 as a VM on Hyper-V. Is there a doc on what firewall settings I need for this to work?

Hi @cwhitmore do you have port 80 open? Is ipv6 enabled/disabled?

Thanks Garrett. I did have to open port 80. Also, ipv6 is enabled. I’m guessing that needs to be disabled?


I think it needs to be enabled.

Unfortunately, I’m still getting the same error. I did notice when it tried to generate the certificate that it said ports 80 and 443 were already opened.

Here is a portion of the log /var/log/letsencrypt/letsencrypt.log where it seems to have problems. (I changed the server name and WAN IP.)

2023-03-20 14:23:05,316:DEBUG:urllib3.connectionpool: "POST /acme/authz-v3/212519866957 HTTP/1.1" 200 1110
2023-03-20 14:23:05,317:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 20 Mar 2023 19:23:05 GMT
Content-Type: application/json
Content-Length: 1110
Connection: keep-alive
Boulder-Requester: 1018551267
Cache-Control: public, max-age=0, no-cache
Link: <>;rel="index"
Replay-Nonce: 327C0E4iO0uGSXork7bjnJtNRfIHrF_zo2VWjE7B2ytu6hA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": ""
  },
  "status": "invalid",
  "expires": "2023-03-27T19:22:54Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": " Fetching Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "",
      "token": "RhiLenRrF8aaYP-Jd-rpWCmo0N63GRK7_B0hpUq2CGg",
      "validationRecord": [
        {
          "url": "",
          "hostname": "",
          "port": "80",
          "addressesResolved": [
          ],
          "addressUsed": ""
        }
      ],
      "validated": "2023-03-20T19:22:55Z"
    }
  ]
}

@cwhitmore I would next look at webserver config. If there is no handling of the /.well-known path that would be a 400.

This turned out to be a NAT issue.
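The two failure modes discussed in this thread (the CA's connect timeout, pointing at a firewall or NAT hole, versus a 404/400 because the webroot does not serve /.well-known) can be told apart before running certbot by doing what the CA does: drop a token file into the webroot and fetch it over port 80. The script below is an added example, not certbot's or Let's Encrypt's code; `local_dry_run` is a hypothetical helper that runs the check against a throwaway local server so it works offline, and `classify` is what you would point at your real hostname from outside the NAT.

```python
import os, secrets, socket, tempfile, threading
import urllib.error, urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = ".well-known/acme-challenge"

def place_token(webroot):
    """Write a random token file where certbot --webroot would put it."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w") as f:
        f.write(token)
    return token

def classify(host, port, token, timeout=5.0):
    """Fetch the token the way the CA does and name the failure mode."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"       # 404: webroot/.well-known not served
    except (socket.timeout, TimeoutError):
        return "timeout"              # the CA's "likely firewall problem"
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "timeout"          # connect timed out: firewall or NAT
        return "refused"              # nothing answering on port 80
    return "ok" if body.strip() == token else "wrong-body"

class _Quiet(SimpleHTTPRequestHandler):
    def log_message(self, *args):    # keep the dry run silent
        pass

def local_dry_run(break_webroot=False):
    """Serve a temp webroot on 127.0.0.1 and check it (hypothetical helper);
    break_webroot=True writes the token outside the served tree, which
    reproduces the 'no handling of /.well-known' 404 case."""
    served = tempfile.mkdtemp()
    token = place_token(tempfile.mkdtemp() if break_webroot else served)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_Quiet, directory=served))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return classify("127.0.0.1", srv.server_address[1], token)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(local_dry_run(), local_dry_run(break_webroot=True))
```

A "timeout" result from outside the network while the local dry run says "ok" is the NAT/firewall case this thread ended on; an "http-404" means the web server is up but not serving the challenge directory.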