Renewal of SSL Certificate Failed "Timeout during connect (likely firewall problem)"

Hi, I need some help in renewing our SSL certificate.

It says “Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.”

I have followed the steps in here (Digital Ocean automatic HTTPS configuration | Passbolt documentation).

But it still failed. Why? We also opened ports 80 and 443 in the DigitalOcean firewall.

I also checked the configuration /etc/nginx/sites-enabled/nginx-passbolt.conf.

What causes this issue?

Hey @nelsondev12 welcome to the forum!

Since you mention renewal, how come you are running the dpkg-reconfigure command? Did the automatic renewal not work correctly?

Typically with the Let’s Encrypt route you just set it once and then it’ll handle the renewals for you.

Yes, the auto renew is not working, and we cannot access the admin since it says "Your connection is not private".

It seems Let’s Encrypt servers are not able to reach your server because of a timeout. Did you enable the firewall and open port 80? It is mandatory for Let’s Encrypt to be able to auto-renew the certificate.

@AnatomicJC do you mean ufw? When I check the ufw status it is inactive.

I am thinking about the firewall in DigitalOcean.

Something like that: Cloud Firewalls :: DigitalOcean Documentation

I now have a new error after updating the firewall in DigitalOcean.

Here are the firewall settings:

Firewall settings are OK now. Maybe you could restrict SSH access on port 22/TCP to your IP address if you have a static IP address. It will reduce attacks on this port.

Let’s Encrypt servers are now able to reach your server, but they don’t find the file generated by certbot in https://your.domain/.well-known/acme-challenge/blablabla

You now have an issue with your nginx server settings. You should have the certbot and certbot-nginx packages installed.
It appears your nginx is not well configured to serve the /.well-known/acme-challenge path.

Yes we will restrict access only to our IP address.

Not sure what I should change in my nginx configuration, but here is my nginx-passbolt.conf in /etc/nginx/sites-enabled/:

#
#  Passbolt.conf - Nginx configuration file to run the Passbolt software.
#

server {

  # Managed by Passbolt
  server_name adminpassbolt.example.com;

  client_body_buffer_size     100K;
  client_header_buffer_size   1K;
  client_max_body_size        5M;

  client_body_timeout   10;
  client_header_timeout 10;
  keepalive_timeout     5 5;
  send_timeout          10;

  root /usr/share/php/passbolt/webroot;
  index index.php;
  error_log /var/log/nginx/passbolt-error.log info;
  access_log /var/log/nginx/passbolt-access.log;

  # Managed by Passbolt
  include /etc/passbolt/nginx-ssl.conf;

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files                $uri =404;
    include                  fastcgi_params;
    fastcgi_pass             unix:/run/php/php8.1-fpm.sock;
    fastcgi_index            index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info  ^(.+\.php)(.+)$;
    fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param            SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE  "upload_max_filesize=5M \n post_max_size=5M";
  }

    #listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/adminpassbolt.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/adminpassbolt.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}


server {
    if ($host = adminpassbolt.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot



  listen 443 ssl http2;
  listen [::]:80;
  server_name adminpassbolt.example.com;
    return 404; # managed by Certbot


}

Not sure why it cannot find it. I reviewed /etc/nginx/sites-enabled/nginx-passbolt.conf and it already includes the necessary configuration.
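For comparison, here is what a plain-HTTP server block that can answer the HTTP-01 challenge usually looks like. This is an added example, not a file from the thread or from the passbolt package; the domain, the /var/www/letsencrypt webroot and the use of certbot's webroot plugin are assumptions. The commented-out block reproduces the shape of the second server block posted above so the difference is visible.

```nginx
# AS POSTED (shape of the second server block above): the only plain-HTTP
# listener is IPv6 ([::]:80), "listen 443 ssl http2" is declared without any
# certificate in this block, and nothing here serves
# /.well-known/acme-challenge/ itself: matching-Host requests are redirected
# to HTTPS and everything else gets a 404, so the CA has nowhere to fetch the
# token from on port 80.
#
# server {
#     if ($host = adminpassbolt.example.com) {
#         return 301 https://$host$request_uri;
#     }
#     listen 443 ssl http2;
#     listen [::]:80;
#     server_name adminpassbolt.example.com;
#     return 404;
# }

# CORRECTED PATTERN: a dedicated port-80 server for IPv4 and IPv6 that serves
# the ACME challenge directory from a webroot certbot can write to, and only
# redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name adminpassbolt.example.com;   # assumed domain

    # HTTP-01: the CA requests http://<domain>/.well-known/acme-challenge/<token>
    # and expects the token body with a 200. "^~" keeps this prefix from being
    # shadowed by regex locations such as "location ~ \.php$".
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;           # assumed webroot; use the same path
        default_type "text/plain";           # with: certbot --webroot -w /var/www/letsencrypt
        try_files $uri =404;
    }

    # Everything else goes to the TLS server block; the challenge path above
    # is matched first, so it is never redirected.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After changing the file, `nginx -t` followed by a reload is the check to run before retrying the renewal, and `curl -v http://<domain>/.well-known/acme-challenge/test` against a file you drop in the webroot shows whether the path is served on port 80 without a redirect.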