Custom Domain - Let’s Encrypt connection timeout on fresh install

Nemesis

Hi everyone,

I’ve just completed a fresh install of CloudPanel on a new VPS using a sudo user (not root). I can access the panel just fine via both:

Code:
https://<server-ip>:8443/

https://sub.domain.tld:8443/

My DNS A record is configured properly, and the subdomain resolves correctly.
However, when I try to set up a custom domain with Let’s Encrypt, I get the following error:

Code:
sub.domain.tld: Domain could not be validated, error message: 
error type: urn:ietf:params:acme:error:connection 
error detail: XX.XX.XX.XX: Fetching https://sub.domain.tld/.well-known/acme-challenge/...: Timeout during connect (likely firewall problem)

I also tried using a Reverse Proxy site and issuing a Let’s Encrypt cert that way, but it fails with the same error.

Ports seem fine (ufw status verbose shows 80 and 443 are open), CloudFlare is in “Full” SSL mode and set to DNS Only, and there’s even an AAAA record pointing to my IPv6.

Is there anything I might be missing that would block HTTP or HTTPS traffic on a fresh system?

Thanks in advance for any help 🙏
 
Solution
Thanks for the detailed breakdown — this is a common issue with Let’s Encrypt validation when using CloudFlare or when something silently blocks port 80 access.

Let’s go step-by-step:

1. DNS looks OK

You confirmed both IP and subdomain resolve — and if you're seeing the panel on sub.domain.tld:8443, DNS is fine.

2. Let’s Encrypt needs HTTP (port 80) access

Even if everything looks open on UFW, Let’s Encrypt validates via HTTP (port 80) using a standard URL like:

Code:
http://sub.domain.tld/.well-known/acme-challenge/abc123

If this times out, then port 80 is either blocked or not routed correctly.

Please test directly:

Code:
curl -I http://sub.domain.tld


You should get a 200 or 301 at minimum. If it hangs or times out, port 80 is unreachable externally.

3. Possible causes & solutions

  • CloudFlare proxy enabled?
    Even if you say "DNS Only", triple-check it's a gray cloud ☁️ in CloudFlare’s DNS panel. If it’s orange, it’ll block the HTTP challenge.
  • Contabo or VPS-level firewall?
    Some VPS providers block port 80 by default at the hypervisor level.
    Make sure port 80 is allowed in both:
    • UFW (which you checked ✅)
    • Provider panel (Contabo networking/firewall settings)
  • Nothing is serving on port 80
    If Nginx isn’t listening on port 80 (e.g., no default site or vhost), then it won’t respond. Run:

    Code:
    sudo ss -tlnp | grep ':80'

    You should see nginx or something bound there. If not, that’s why it’s timing out.

Quick test setup

Just to validate the port 80 route, create a temporary Nginx site manually like this:

Code:
# Create the document root first (it does not exist on a fresh install)
sudo mkdir -p /home/cloudpanel/htdocs/testsite/public
echo "hello world" | sudo tee /home/cloudpanel/htdocs/testsite/public/index.html
# Create vhost
sudo nano /etc/nginx/sites-enabled/99-testsite.conf

Paste:

Code:
server {
    listen 80;
    server_name sub.domain.tld;

    root /home/cloudpanel/htdocs/testsite/public;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

Then:

Code:
sudo nginx -t && sudo systemctl reload nginx

Now test:

Code:
curl -I http://sub.domain.tld

If that works, Let’s Encrypt will too. Then remove the test site after issuance.

Let me know how that goes — once the certificate is working, you can remove the temporary config and go back to the CloudPanel default setup. 👍
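An added diagnostic script (example code, not from this thread or from CloudPanel) that runs the curl test from step 2 against the challenge path and maps the outcome onto the causes in step 3: a connect timeout points at a firewall or an orange-cloud proxy, a refused connection means packets arrive but nothing is bound to :80, and any 2xx/3xx/404 proves the route works. It probes over IPv4 and IPv6 separately because the validator may use IPv6 when an AAAA record exists, then checks `ss` locally for a port 80 listener. It assumes bash, curl and ss; the probe token in the URL is a constructed placeholder, so a 404 is the expected good result.

```bash
#!/usr/bin/env bash
# HTTP-01 reachability check for a domain (added example, not CloudPanel tooling).
# Usage: ./le-check.sh sub.domain.tld

# Map curl's exit code and the HTTP status it saw onto the causes discussed above.
# Prints one of: reachable | firewall | nolistener | dns | other
diagnose_http01() {
  local curl_rc="$1" http_code="$2"
  case "$curl_rc" in
    0)  case "$http_code" in
          200|301|302|404) echo "reachable" ;;  # 404 on a made-up token still proves :80 is routed
          *)               echo "other" ;;
        esac ;;
    6)  echo "dns" ;;         # could not resolve host
    7)  echo "nolistener" ;;  # connection refused: packets arrive, nothing bound to :80
    28) echo "firewall" ;;    # connect timeout: UFW/provider firewall or Cloudflare orange cloud
    *)  echo "other" ;;
  esac
}

# Read `ss -tlnp` output on stdin; succeed if some socket listens on TCP port 80.
has_port80_listener() {
  grep -Eq '^LISTEN[[:space:]]+[0-9]+[[:space:]]+[0-9]+[[:space:]]+[^[:space:]]+:80[[:space:]]'
}

# Probe the challenge URL over IPv4 and IPv6, then check locally whether anything is bound to :80.
run_check() {
  local domain="$1" fam rc code
  local url="http://$domain/.well-known/acme-challenge/probe-token-$$"  # constructed token, expect 404
  for fam in -4 -6; do
    rc=0
    code=$(curl "$fam" -s -o /dev/null -w '%{http_code}' -m 10 "$url") || rc=$?
    echo "$fam curl exit=$rc http=$code -> $(diagnose_http01 "$rc" "$code")"
  done
  if ss -tlnp 2>/dev/null | has_port80_listener; then
    echo "local: a process is listening on :80"
  else
    echo "local: nothing bound to :80 (missing default site/vhost)"
  fi
}

if [ -n "${1:-}" ]; then
  run_check "$1"
fi
```

Run it from a machine outside the VPS as well as on the VPS itself: "firewall" from outside but "reachable" from the box points at the provider or UFW layer, while "nolistener" on both sides points at the missing vhost.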