Can someone help me with Syntax on dns challenge?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: t4tcookiecutters.com

I ran this command: sudo certbot certonly --manual --preferred-challenges=dns --email admin@example.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d example.com -d *.example.com

It produced this output: Everything appeared to work as expected

My web server is (include version): Nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Hosted on bare metal server sitting in my other room (Esxi/Ubuntu VM)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 0.40.0

Hello, can someone please help me with this? I'm hosting a website from my house, I'm just trying to learn what I can on a homelab I just put together and I'm trying to figure out SSL now. I followed this guide:

When I try to go to my site, it gives an error saying invalid SSL. I'm assuming I butchered the syntax? I use Cloudflare for DNS.

I don't understand the syntax. The legend says --server: Specify the endpoint to use to generate

What does that mean? Do I enter --server there? Or do I put my website in place of --server? Or do I put --server and then my website?

I put my website for -d as in the example because I intend to use it as a wildcard.

Here is a screenshot of information from the certificate on the site.

I can't share the image because new users are limited to one embedded image.

Is common name correct there? Subject Alt Names; does that look wrong?

Cloudflare has a CDN so your site is cached and it hides your real IP. You can turn this on and off. When it is on, it gives the invalid SSL error. When it is off, it behaves differently depending on the browser you use.

On Firefox it gives a security warning and says "SEC_ERROR_UNKNOWN_ISSUER" and if you click "View Certificate" it shows this:

I can't share the image because new users are limited to one embedded image.

If I click accept and attempt to go to the site it says "Secure connection failed an error occurred during a connection to t4tcookiecutters.com" (What logs would I look through to find what this error is, because it's not referenced?)

If I use Chrome it just times out with the error ERR_CONNECTION_TIMED_OUT

I am completely lost. Is this being caused by me screwing up the SSL syntax on a command line? Is this caused by my DNS provider? Or is it my server itself? What logs do I look through? I would like to know where the logs are that show the server response so I can see if the request is even hitting my server.

I also have a Kemp Load Balancer on the server. Kemp is run in its own VM. SSL works on that, so I know that connections can come in and it works with Plex and the very same ecommerce site I am attempting to install. I followed this tutorial to get that working:

But I chose a terrible domain name to test it out. Kemp also has a limit on how much bandwidth can pass through on the free version and upgrading costs a fortune because they're only interested in catering to enterprise. So I was going to attempt to use nginx as a reverse proxy to replace Kemp, but that nightmare is for another day. On DNS, both domains point to my IP address. Will this cause issues? I turned off Kemp so it wouldn't answer any requests and it doesn't appear to change anything. Of course the sites Kemp was controlling don't respond as expected, but I don't understand enough about networking to know if different URLs pointing to the same IP when there is a reverse proxy already sitting on there would make a difference.

I would like to work in IT eventually but I have to believe that if I get stuck on something like this, maybe I shouldn't even bother. Isn't this a relatively easy part of it? If my ISP didn't block port 80 (for my protection... yeah right), would this all be smooth as silk?

What makes this so difficult is that so much runs on Linux, so I'm having to learn that OS at the same time and this has made it a nightmare. I have a suspicion I did something wrong here: I couldn't figure out how to copy and paste between programs and the terminal, I had a bunch of problems with hidden files and permissions, so I chmod 777 a lot of stuff just trying to figure out how to see stuff. I ended up having to email the cert files and everything over to my Windows machine just to be able to enter info. This waste of time took several hours and it was simply because copy and paste was different than on Windows; as frustration grew it got harder to remain focused.

Once I figure this out, I'm going to reproduce the steps several times on new VMs so I know what the hell I'm doing. My test system obviously has security issues with file permissions and stuff, but none of that matters when it appears the server isn't even responding.

PS: You should give new users the ability to embed more images, 1 is too low a number.

Welcome to the community @falken

That's a lot of questions and many not related to Let's Encrypt certs. I'll focus on the basic cert items:

One, you got the cert just fine. You can see them in the public crt log using a Cert Search tool like this one

Two, people from the public internet cannot reach your site on port 443. That port is blocked (filtered). You say your ISP blocks port 80 so that may be why that shows blocked. But, check your firewall and load balancer and such for why port 443 is blocked. Here is output of a port test

nmap -p80,443,5000,5001 t4tcookiecutters.com -Pn
rDNS record for 70.163.144.189: ip70-163-144-189.ph.ph.cox.net
PORT     STATE    SERVICE
80/tcp   filtered http
443/tcp  filtered https
5000/tcp open     upnp
5001/tcp open     commplex-link

I can only guess your Firefox test worked because you tried it from your local network. If you must, use a cell phone with wifi disabled so it uses the public internet.


That error indicates that you aren't using the Let's Encrypt cert in, well, whatever server software you're connecting to. Since you ran certbot in certonly mode, it only got a cert for you--it's up to you to configure whatever software you're using to use that cert.

A second common issue on the LAN is that you'll be using IP addresses rather than FQDNs to connect to resources. The cert you got will give an error with that, as the cert certifies your domain name, not the IP address. But that isn't the problem you're seeing right now.

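As an added illustration of the name-mismatch point above (this is example code, not something posted in the thread), here is a small Python check that pulls the -d names out of a certbot command line like the one in the question and tests whether a given host, whether the bare domain, a wildcard subdomain, or a LAN IP address, would be covered by the resulting certificate:

```python
"""Check which hostnames a certbot request would cover (constructed example)."""
import ipaddress
import shlex


def requested_names(certbot_cmd: str) -> list[str]:
    """Return the -d/--domain values from a certbot command line, lower-cased."""
    argv = shlex.split(certbot_cmd)
    names: list[str] = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-d", "--domain", "--domains") and i + 1 < len(argv):
            names.extend(argv[i + 1].split(","))   # certbot accepts -d a,b as well
            i += 2
        elif arg.startswith(("-d=", "--domain=", "--domains=")):
            names.extend(arg.split("=", 1)[1].split(","))
            i += 1
        else:
            i += 1
    return [n.strip().lower().rstrip(".") for n in names if n.strip()]


def name_matches(cert_name: str, host: str) -> bool:
    """Does one certificate DNS name cover `host`?

    Follows the usual browser rule (RFC 6125): a wildcard matches exactly one
    leftmost label, so *.example.com covers www.example.com but neither
    example.com itself nor a.b.example.com. A DNS name never covers an IP.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False            # connecting by LAN IP always mismatches
    except ValueError:
        pass
    if cert_name.startswith("*."):
        prefix, sep, rest = host.partition(".")
        return bool(sep) and prefix != "" and rest == cert_name[2:]
    return cert_name == host


def covered(certbot_cmd: str, host: str) -> bool:
    """True if any -d name on the command line would cover `host`."""
    return any(name_matches(n, host) for n in requested_names(certbot_cmd))
```

Run `covered(cmd, "192.168.1.10")` with the command from the question and it returns False, which is exactly the LAN-side mismatch described above.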

Love Network Chuck!

