Introduction
An SSL certificate renewal can fail even though HTTPS on port 443 still works for visitors. The usual reason is that the certificate authority must complete the HTTP-01 challenge over plain HTTP on port 80 (the validator always starts there, whatever redirects follow), but a firewall, load balancer, or proxy blocks that path. The fix is to make the ACME challenge reachable again without breaking your normal redirect or HTTPS policy.
Symptoms
- Automatic certificate renewal keeps failing even though the site still loads over HTTPS
- Renewal logs mention HTTP-01 validation, timeout, or connection refused errors
- Port 443 responds normally, but port 80 does not answer correctly
- The issue started after a firewall change, proxy change, or web server hardening update
- Certificate expiry is approaching even though renewals used to succeed
Common Causes
- Port 80 is closed at the server firewall, cloud firewall, or hosting control panel
- A reverse proxy or load balancer is not forwarding the ACME challenge request to the origin
- A broad redirect rule breaks access to /.well-known/acme-challenge/
- The validation request lands on the wrong virtual host or backend
- Security tooling blocks the certificate authority probe as suspicious traffic
Step-by-Step Fix
- Review the renewal logs so you know whether the failure is a timeout, connection refusal, wrong response body, or redirect problem.
- Test the site on port 80 directly and confirm the server accepts plain HTTP requests instead of dropping them entirely.
- Check server firewalls, security groups, host panel rules, and provider edge controls to make sure port 80 is open where needed.
- Verify that /.well-known/acme-challenge/ reaches the intended web server or ACME client rather than a different backend.
- Inspect redirect rules so HTTP still upgrades to HTTPS normally without breaking the challenge path required for validation.
- If a CDN or proxy sits in front of the site, confirm it forwards the validation request correctly and is not caching or rewriting the token response.
- Review web server virtual host mappings to make sure the challenged hostname serves the right site on both port 80 and port 443.
- Run the renewal again after fixing access and confirm the new certificate installs successfully before the old one expires.
- Keep renewal monitoring and expiry alerts active so a blocked validation path is caught well before the next certificate deadline.
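The steps above can be rehearsed before the real renewal with a probe that behaves like the CA's HTTP-01 validator: connect over plain HTTP, follow redirects one hop at a time, and tell a firewall timeout apart from a refused connection, a redirect that drops the challenge path, a wrong virtual host (non-200), and a cached or rewritten body. This is an added example, not code from the original article or from any ACME client; the host, token, expected key authorization, and the overridable port are assumptions used only for local testing (the CA itself always uses port 80).

```python
import http.client
import socket
from urllib.parse import urljoin, urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"
REDIRECTS = (301, 302, 303, 307, 308)

def fetch_once(url, timeout=5.0):
    """Issue one GET without following redirects; return (status, Location header, body)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read().decode(errors="replace")
    finally:
        conn.close()

def check_challenge(host, token, expected_body, port=80, max_hops=5):
    """Probe the site the way the CA does for HTTP-01: start on plain HTTP (port 80 in
    production; `port` is an assumption that exists only so the check can run against a
    local test server), follow redirects hop by hop, and compare the final body with the
    expected key authorization. Returns {'ok', 'reason', 'hops': [(url, status), ...]}."""
    url = f"http://{host}:{port}{CHALLENGE_PATH}{token}"
    hops = []
    for _ in range(max_hops):
        try:
            status, location, body = fetch_once(url)
        except socket.timeout:  # packets silently dropped: typical of a firewall filtering port 80
            return {"ok": False, "reason": f"timeout at {url} (port filtered by a firewall?)", "hops": hops}
        except ConnectionRefusedError:  # RST received: nothing listening, or an explicit reject rule
            return {"ok": False, "reason": f"connection refused at {url} (no listener on that port?)", "hops": hops}
        except OSError as exc:  # DNS failure, TLS error on an https hop, and similar
            return {"ok": False, "reason": f"{exc} at {url}", "hops": hops}
        hops.append((url, status))
        if status in REDIRECTS and location:
            target = urljoin(url, location)
            if not urlsplit(target).path.endswith(CHALLENGE_PATH + token):
                return {"ok": False, "reason": f"redirect to {target} drops the challenge path", "hops": hops}
            url = target  # a redirect that keeps the path (for example to HTTPS) is acceptable
            continue
        if status != 200:
            return {"ok": False, "reason": f"HTTP {status} instead of 200 (wrong vhost or backend?)", "hops": hops}
        if body.strip() != expected_body:
            return {"ok": False, "reason": "unexpected body (cached, rewritten, or wrong backend?)", "hops": hops}
        return {"ok": True, "reason": "challenge served correctly", "hops": hops}
    return {"ok": False, "reason": "too many redirects", "hops": hops}
```

Place a file with a known token under the challenge directory, run `check_challenge(hostname, token, expected_body)` from outside your network, and read the `hops` list to see exactly where the validator would be stopped.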