Let's Encrypt "Failed to obtain certificate ..."


Problem Description
I am trying to obtain certificates via Let’s Encrypt, but I get an error.

Steps to Reproduce

  1. Login to FreedomBox.
  2. Go to Let’s Encrypt application page.
  3. Click on the install button.
  4. Get an error (see below)

Expected Results
I expected to see a message confirming the certificates.

Actual results
I get an error with the following message:

Failed to obtain certificate for domain *****.freedombox.rocks:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for *****.freedombox.rocks
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. .freedombox.rocks (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://.freedombox.rocks/.well-known/acme-challenge/dfnc2dGIZr6NQKOzlQasq4H8E0CYpcLSwD3BRCLzjKU: Timeout during connect (likely firewall problem)


  • FreedomBox version: FreedomBox version 19.1 (Debian GNU/Linux buster/sid)
  • Hardware: Beagle Bone Black
  • How did you install FreedomBox?: downloaded testing images from https://freedombox.org
    • Note that I have a domain registered at gnudip and set under general configurations.

Please check if <mydomain>.freedombox.rocks is actually mapped to your IP address, both in GnuDIP and manually.

  • Login to GnuDIP and verify your IP address. You can also update your IP address there if it’s wrong.
  • Run ping <mydomain>.freedombox.rocks in a terminal and see what IP address it shows.

Once you’ve checked the IP address and domain name mapping, check if your FreedomBox is actually reachable on the IP address by entering it in a browser. If it’s not, you might have to do port-forwarding in your router for https (port 443).


Thank you for the help!

  • I did port-forwarding on the router (ports 80 and 443).
  • I verified my IP address and tried to reach my FreedomBox in a browser. I get a time out.

I think I figured out the problem, though. I think my ISP (PYUR, was Tele Columbus, in Germany) uses a Carrier-Grade NAT (CGN). When I checked my router’s IPv4 address it appears to be a private address (e.g., 100...**).

What options are there for getting around a CGN to access a FreedomBox?
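
The checks discussed in the posts above (does the DNS name map to the right address, and is the router's WAN address publicly reachable or behind a carrier-grade NAT), as an added example that is not part of the original thread or of FreedomBox. The function names and sample addresses are assumptions made for illustration; the two addresses are entered by hand from the router status page and from the ping output.

```python
import ipaddress

# Address blocks that cannot receive connections from the public Internet.
NON_PUBLIC = {
    "RFC 6598 shared address space (carrier-grade NAT)": ["100.64.0.0/10"],
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


def classify(addr):
    """Return the name of the non-public block containing addr, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, blocks in NON_PUBLIC.items():
        if any(ip in ipaddress.ip_network(block) for block in blocks):
            return label
    return "public"


def diagnose(router_wan_ip, dns_ip):
    """Judge whether an inbound http-01 validation request can reach the box.

    router_wan_ip: IPv4 address shown on the router's WAN status page.
    dns_ip: IPv4 address the dynamic DNS name resolves to (e.g. from ping).
    Returns a (verdict, explanation) tuple.
    """
    wan_kind = classify(router_wan_ip)
    if wan_kind != "public":
        return ("unreachable",
                f"router WAN address {router_wan_ip} is {wan_kind}; "
                "port forwarding on this router alone cannot expose 80/443")
    if classify(dns_ip) != "public":
        return ("dns-wrong",
                f"DNS name resolves to non-public address {dns_ip}")
    if ipaddress.ip_address(dns_ip) != ipaddress.ip_address(router_wan_ip):
        return ("dns-stale",
                f"DNS name resolves to {dns_ip}, router WAN is {router_wan_ip}")
    return ("ok", "DNS matches a public WAN address; check port forwarding")


if __name__ == "__main__":
    # Constructed sample values (documentation and shared-space ranges).
    samples = [("100.64.12.7", "203.0.113.10"),    # behind carrier-grade NAT
               ("203.0.113.10", "203.0.113.99"),   # dynamic DNS not updated
               ("203.0.113.10", "203.0.113.10")]   # consistent setup
    for wan, dns in samples:
        print(wan, dns, *diagnose(wan, dns), sep=" | ")
```
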

  • We have Pagekite from pagekite.net which is a paid service (but free software friendly). It works for web applications and SSH but not for Matrix federation, ejabberd and other services which have special ports.
  • We have Tor Hidden Service which again works for web applications and SSH but not for other services. Further, it only works from Tor network such as by using the Tor Browser.
  • We are exploring other ways where one can use a remote server (such as a VPS) to forward all the traffic over VPN. But this is not implemented yet.

Thanks for the reply.

It works for web applications and SSH but not for Matrix federation, ejabberd and other services which have special ports.

I checked the manual but did not find much information about which services work over Tor or Pagekite. Do you know which services do and do not work? I will update the manual with a list.