Certbot: Connection refused during ACME challenge
Diagnose and fix Certbot ACME challenge failures when Let's Encrypt receives 'Connection refused' connecting to port 80.
Certbot fails with a connection error during the ACME HTTP-01 challenge when Let's Encrypt's validation servers cannot establish a TCP connection to port 80 on the target server.
What Causes This Error
- The web server (Nginx or Apache) is not running or not listening on port 80.
- UFW or a cloud security group blocks inbound port 80.
- The server has IPv6 enabled but the web server only listens on IPv4, and Let's Encrypt connects via IPv6.
How to Fix
- Verify Nginx or Apache is running and listening on port 80:
  ss -tlnp | grep :80
- Allow port 80 through the firewall:
  sudo ufw allow 80/tcp
- Ensure the web server listens on all interfaces (both IPv4 and IPv6), not just 127.0.0.1.
Related Certbot Errors
Certbot: Some challenges have failed (the broader error that encompasses this connection issue).