How do I deal with "Some challenges have failed" in certbot?

I am trying to request a TLS certificate using Certbot (source: https://certbot.eff.org/instructions) with sudo certbot --nginx. It is supposed to be for a docker registry used as a pull through cache (https://docs.docker.com/registry/recipes/mirror/).

This is the log output, searched for the keyword "error" (cat /var/log/letsencrypt/letsencrypt.log | grep -I error --context=12 -in):

199-    ##
200-    # SSL Settings
201-    ##
202-
203-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
204-    ssl_prefer_server_ciphers on;
205-
206-    ##
207-    # Logging Settings
208-    ##
209-
210-    access_log /var/log/nginx/access.log;
211:    error_log /var/log/nginx/error.log;
212-
213-    ##
214-    # Gzip Settings
215-    ##
216-
217-    gzip on;
218-
219-    # gzip_vary on;
220-    # gzip_proxied any;
221-    # gzip_comp_level 6;
222-    # gzip_buffers 16 8k;
223-    # gzip_http_version 1.1;
--
615-
616-{
617-  "identifier": {
618-    "type": "dns",
619-    "value": "my.subdomain.com"
620-  },
621-  "status": "invalid",
622-  "expires": "2022-10-28T08:43:11Z",
623-  "challenges": [
624-    {
625-      "type": "http-01",
626-      "status": "invalid",
627:      "error": {
628:        "type": "urn:ietf:params:acme:error:connection",
629-        "detail": "ser.ver.ip.add: Fetching http://my.subdomain.com/.well-known/acme-challenge/hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo: Timeout during connect (likely firewall problem)",
630-        "status": 400
631-      },
632-      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/167006252436/sNVb5g",
633-      "token": "hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo",
634-      "validationRecord": [
635-        {
636-          "url": "http://my.subdomain.com/.well-known/acme-challenge/hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo",
637-          "hostname": "my.subdomain.com",
638-          "port": "80",
639-          "addressesResolved": [
640-            "ser.ver.ip.add"
--
648-}
649-2022-10-21 08:43:23,431:DEBUG:acme.client:Storing nonce: 327C_YtRNQL-hZbLzBTyyGyExuukFDBjXHKXyNmZl0m8R70
650-2022-10-21 08:43:23,431:INFO:certbot._internal.auth_handler:Challenge failed for domain my.subdomain.com
651-2022-10-21 08:43:23,431:INFO:certbot._internal.auth_handler:http-01 challenge for my.subdomain.com
652-2022-10-21 08:43:23,431:DEBUG:certbot._internal.display.obj:Notifying user: 
653-Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
654-  Domain: my.subdomain.com
655-  Type:   connection
656-  Detail: ser.ver.ip.add: Fetching http://my.subdomain.com/.well-known/acme-challenge/hHUWDkKoQhke4YWRQJ7P9UoXCb8DV12gZq8Yjdw3YNo: Timeout during connect (likely firewall problem)
657-
658-Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
659-
660:2022-10-21 08:43:23,432:DEBUG:certbot._internal.error_handler:Encountered exception:
661-Traceback (most recent call last):
662-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
663-    self._poll_authorizations(authzrs, max_retries, best_effort)
664-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
665:    raise errors.AuthorizationError('Some challenges have failed.')
666:certbot.errors.AuthorizationError: Some challenges have failed.
667-
668:2022-10-21 08:43:23,432:DEBUG:certbot._internal.error_handler:Calling registered functions
669-2022-10-21 08:43:23,432:INFO:certbot._internal.auth_handler:Cleaning up challenges
670-2022-10-21 08:43:24,507:DEBUG:certbot._internal.log:Exiting abnormally:
671-Traceback (most recent call last):
672-  File "/snap/certbot/2414/bin/certbot", line 8, in <module>
673-    sys.exit(main())
674-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/main.py", line 19, in main
675-    return internal_main.main(cli_args)
676-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
677-    return config.func(config, plugins)
678-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/main.py", line 1441, in run
679-    new_lineage = _get_and_save_cert(le_client, config, domains,
680-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
681-    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
682-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
683-    cert, chain, key, _ = self.obtain_certificate(domains)
684-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
685-    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
686-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
687-    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
688-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
689-    self._poll_authorizations(authzrs, max_retries, best_effort)
690-  File "/snap/certbot/2414/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
691:    raise errors.AuthorizationError('Some challenges have failed.')
692:certbot.errors.AuthorizationError: Some challenges have failed.
693:2022-10-21 08:43:24,508:ERROR:certbot._internal.log:Some challenges have failed.

It says likely firewall problem in line 629, but the output of sudo ufw status is

Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
22                         ALLOW       ser.ver.ip.add            
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)            

Lines 662 to 666 and 686 to 692 hint to some authorization issues, though I do not know whether these are related to some authentication I am supposed to provide, or some issue on the side of the certificate server.

This is the output of netstat -tulnp:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      80509/nginx: master 
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      724/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      797/sshd: /usr/sbin 
tcp6       0      0 :::80                   :::*                    LISTEN      80509/nginx: master 
tcp6       0      0 :::22                   :::*                    LISTEN      797/sshd: /usr/sbin 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           724/systemd-resolve 
udp        0      0 ser.ver.ip.add:68       0.0.0.0:*                           722/systemd-network 

Do I possibly have to run the docker image registry:2 first? Is there some nginx authentication that has to be done first? Do I have to run certbot from within the docker container?