Certbot certificate renewal failure

We have an issue with certbot SSL renewal. We have several sites under /etc/nginx/sites-available/.

We have this location block for the .well-known directory:

location ~ /\.well-known {
    auth_basic off;
    root /etc/letsencrypt;
    allow all;
}

and we have renewal configurations for each site under the /etc/letsencrypt/renewal directory.
This is an example of one of them.

#renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/redacted.com
cert = /etc/letsencrypt/live/redacted.com/cert.pem
privkey = /etc/letsencrypt/live/redacted.com/privkey.pem
chain = /etc/letsencrypt/live/redacted.com/chain.pem
fullchain = /etc/letsencrypt/live/redacted.com/fullchain.pem

#Options used in the renewal process
[renewalparams]
allow_subset_of_names = True
account = 670273d7a9a89f2d3494cf6e38739b1c
rsa_key_size = 4096
post_hook = /bin/systemctl reload nginx
authenticator = webroot
webroot_path = /etc/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
redacted.com = /etc/letsencrypt

Our certbot version is 2.7.4; we upgraded from 1.32.0 and it didn't work either.

We know our issue is related to ip6tables, but we already have ACCEPT rules for ports 443 and 80.

When we try to access the acme-challenge files during certbot renew --dry-run, we can successfully access the files. So ports 80 and 443 shouldn't be the problem.

When we change the ip6tables INPUT filter from DROP to ACCEPT, all sites can renew, but when we use the INPUT DROP filter most of the sites fail to renew with this error.

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: redacted.com
Type: connection
Detail: xxx.xxx.xxx.xxx: Fetching https://redacted.com/.well-known/acme-challenge/EIJFF3UFqtZJCZtG_Kv9Ca7BGA5LiuBdb9JIWxXIhVg: Timeout during connect (likely firewall problem)

We already tried with a minimum set of rules and tried to add ACCEPT rules for ports 80 and 443 on top of the INPUT chain, but that didn't work either. So we are stuck here.

An example nginx configuration can be found in the following lines.

server {
    listen [::]:80;
    server_name .redacted.com;
    return 301 https://redacted.com$request_uri;
}

server {
    listen [::]:443 ssl http2;
    server_name redacted.com;
    access_log /var/www/log/access/redacted.access.log main buffer=32k;
    error_log /var/www/log/error/redacted.com.error.log notice;
    limit_conn gulag 200;
    root /var/www/web/redacted.com/web;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/redacted.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/redacted.com/privkey.pem;
    include ssl_params;

    ## Standard site protection
    include snippets/standard.conf;

    location ~ /\.well-known {
        auth_basic off;
        root /etc/letsencrypt;
        allow all;
    }

    ## Deny illegal Host headers
    if ($host !~* ^(redacted.com|redacted.com)$ ) {
        return 444;
    }

    ## Drupal configuration
    include snippets/drupal7-php7.4.conf;

    ## php handling
    include snippets/php7.4.conf;
}

By the way, we can see HTTP 200 codes in the nginx logs for the acme files during the certbot renewal.
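An added example, not part of the original post: a small audit of `ip6tables-save` output that lists inbound traffic a default-DROP INPUT chain never accepts, beyond the port 80 and 443 rules described above. The checks are general IPv6 host requirements (RFC 4890) and assumptions, not a diagnosis taken from this thread; `SAMPLE`, `covers` and `audit_input` are hypothetical names, and the sample ruleset is constructed.

```python
import re

# ICMPv6 types an IPv6 host must receive (RFC 4890): path-MTU discovery and
# neighbour discovery. If they are dropped, remote connects time out.
ICMPV6 = {"2": "packet-too-big", "135": "neighbour-solicitation", "136": "neighbour-advertisement"}

# Constructed ip6tables-save output (not the poster's rules): web ports only.
SAMPLE = """*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
COMMIT"""

def covers(rule, port):
    """True if the rule's numeric --dport/--dports list or range includes the port."""
    m = re.search(r"--dports? ([\d,:]+)", rule)
    spans = [i.split(":") for i in m.group(1).split(",")] if m else []
    return any(int(s[0]) <= port <= int(s[-1]) for s in spans if all(s))

def audit_input(ruleset, ports=(80, 443)):
    """List inbound traffic a default-DROP filter/INPUT chain never accepts."""
    table, drops, accepts = None, False, []
    for line in ruleset.splitlines():
        line = line.strip().replace("neighbor-", "neighbour-")
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":INPUT"):
            drops = line.split()[1] == "DROP"
        elif re.match(r"-A INPUT -j (DROP|REJECT)", line):
            drops = True
            break  # first match wins, so rules after a blanket drop are dead
        elif line == "-A INPUT -j ACCEPT":
            return []  # everything reaching this rule is accepted
        elif line.startswith("-A INPUT") and line.endswith("-j ACCEPT"):
            accepts.append(line)
    if not drops:
        return []
    # Source-restricted rules do not count: the CA's validation hosts vary.
    web = [a for a in accepts if " -p tcp " in a and " -s " not in a]
    missing = [f"tcp/{p}" for p in ports if not any(covers(a, p) for a in web)]
    if not any(re.search(r"--(ct)?state \S*ESTABLISHED", a) for a in accepts):
        missing.append("conntrack ESTABLISHED")
    icmp = [a for a in accepts if re.search(r" -p (ipv6-icmp|icmpv6|58) ", a)]
    if all("--icmpv6-type" in a for a in icmp):  # no catch-all ICMPv6 accept
        missing += [f"icmpv6/{name}" for num, name in ICMPV6.items() if not any(
            re.search(rf"--icmpv6-type ({num}|{name}) ", a) for a in icmp)]
    return missing
```

Run it as `audit_input(open("rules.v6").read())` on a saved ruleset; TCP accept rules without an explicit numeric `--dport` are deliberately not counted as opening the web ports.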

I think you’d get better help from an nginx or Let’s Encrypt forum. This isn’t really a Discourse question.