Cannot Create SSL Certificate for AWS Address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (points to EC2 instance on AWS)

I ran this command:

sudo certbot certonly --webroot -w /opt/marketplace/public/wellness -d

It produced this output:

Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [2606:4700:30::681f:429d]: "\n\n<!--[if IE 7]> <html class="no-js "


My web server is (include version):

nginx version: nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):

No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:

Cloudflare (CNAME record), AWS hosts the code

I can login to a root shell on my machine (yes or no, or I don’t know):


I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

Hi @Nate14

There is already a check of the wellness subdomain.

There you see the problem:

Your IP addresses look like Cloudflare.

Host   T      IP-Address                  is auth.   ∑ Queries   ∑ Timeout
       A                                  yes        1           0
       A                                  yes        1           0
       AAAA   2606:4700:30::681f:429d     yes
       AAAA   2606:4700:30::681f:439d     yes
              Name Error                  yes        1           0

And one output checking /.well-known/acme-challenge/unknown-filename:

Visible Content: Error 526 Ray ID: 4c45dec61e9f2d5f • 2019-04-08 17:13:09 UTC Invalid SSL certificate You Browser Working Berlin Cloudflare Working Host Error What happened? The origin web server does not have a valid SSL certificate. What can I do? If you're a visitor of this website: Please try again in a few minutes. If you're the owner of this website: The SSL certificate presented by the server did not pass validation. This could indicate an expired SSL certificate or a certificate that does not include the requested domain name. Please contact your hosting provider to ensure that an up-to-date and valid SSL certificate issued by a Certificate Authority is configured for this domain name on the origin server. Additional troubleshooting information here. Cloudflare Ray ID: 4c45dec61e9f2d5f • Your IP : 2a01:238:301b::1229 • Performance & security by Cloudflare

You use Cloudflare. But then a working certificate is required. But Cloudflare produces a lot of 526 errors:

Origin SSL Certificate Error

So the current certificate of your server is invalid.


  • use the integrated solution of Cloudflare (or)
  • deactivate Cloudflare, so your A record points to your own ip address, then create a certificate, then activate Cloudflare again

But you can't renew a non-working certificate via Cloudflare + http-01 validation.

Or use dns-01 validation (manual) to create one certificate.


You should be okay if you just exclude /.well-known/acme-challenge/ from the redirect to HTTPS in your Nginx configuration.


location / {
    return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
    # other stuff, or nothing at all
}
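A complete port-80 server block that puts the advice from this reply together with the webroot path from the question. This is an added example, not config posted by anyone in the thread; the hostname wellness.example.com is a placeholder for the real subdomain, and the webroot path is taken from the certbot command in the original post.

```nginx
# Added example, not from the original thread.
# Assumptions: hostname wellness.example.com is a placeholder;
# /opt/marketplace/public/wellness is the webroot passed to certbot -w.
server {
    listen 80;
    listen [::]:80;
    server_name wellness.example.com;

    # Serve ACME http-01 challenge files over plain HTTP, before the redirect.
    # ^~ makes this prefix win over any regex locations elsewhere in the config.
    # The root must be the same directory as certbot's -w argument, because
    # certbot writes the token under <webroot>/.well-known/acme-challenge/.
    location ^~ /.well-known/acme-challenge/ {
        root /opt/marketplace/public/wellness;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After `nginx -t` and a reload, the original command with the domain appended (`sudo certbot certonly --webroot -w /opt/marketplace/public/wellness -d wellness.example.com`) should validate. A quick check before running certbot: drop a test file into /opt/marketplace/public/wellness/.well-known/acme-challenge/ and fetch it with `curl -i http://wellness.example.com/.well-known/acme-challenge/<name>` from outside; the expected answer is a 200 with the file contents, not a 301 and not a Cloudflare 526. Two caveats: the validation request from Let's Encrypt reaches Cloudflare first, so a Cloudflare-side "Always Use HTTPS" setting or page rule would redirect it before it ever hits this block, and the 526 in the first reply only appears once the request has been pushed onto HTTPS, which is exactly what keeping the challenge path on HTTP avoids.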
