# Post Install ACME Falining Fix
This guide walks you through the exact steps to diagnose and fix ACME certificate issues during a Pangolin installation. These steps cover the most common real‑world causes: DNS mismatches, blocked ports, Traefik misconfiguration, and redirect loops. Follow the checklist in order—each step rules out a specific failure point so you can quickly identify what’s wrong and get ACME issuing certificates again.
### Troubleshoot Steps
#### Verify DNS is pointing to the correct server
ACME will always fail if DNS points to the wrong IP.
- `A yourdomain.com → `
- `A *.yourdomain.com → `
1. Check your server’s public IP and make sure it matches your DNS records
```bash
curl ifconfig.me
```
#### Test port 80 from outside the server
ACME HTTP‑01 requires port 80 to be reachable publicly.
1. From your laptop or phone:
```bash
curl -I http://yourdomain.com
```
Interpret the result:
- **200 / 301 / 404** → Port 80 is open (good)
- **Timeout** → Firewall or provider is blocking port 80
- **Connection refused** → Traefik is not listening on port 80
#### Check VPS firewall (UFW)
```bash
sudo ufw status
```
```bash
80/tcp ALLOW
443/tcp ALLOW
```
If missing:
```bash
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
```
#### Check hosting provider firewall
For example Hetzner has an external firewall that overrides UFW
1. Go to your VPS dashboard
2. Server → Networking → Firewalls
```bash
TCP 80
TCP 443
```
If port 80 is missing → ACME will fail every time.
#### Confirm Traefik is listening on port 80
1. SSH into server and run following command
Uncomment the redirect after successful redirect
#### Ensure ACME is using HTTP‑01 on the correct entrypoint
In traefik onfig yaml
```yaml
httpChallenge:
entryPoint: web
```
Entrypoints must be:
```yaml
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
```