Cannot create SSL certificate - unauthorized

You can’t use HTTP validation for a hostname that doesn’t exist.

To work around the Cloudflare “Always use SSL”/“Full (strict)” origin certificate issue, you could add the appropriate A/AAAA/CNAME records and temporarily disable Cloudflare’s CDN on the hostname (gray cloud, not orange cloud) so you can validate it and get a certificate.

Edit: Orange cloud + temporarily turning off Always use SSL would also work.

  1. Always use HTTPS is set to OFF

  2. I created an A record with name beta-yegfitness that points to the public IP of my server

  3. On the DNS page of Cloudflare the cloud is Orange

In the crypto tab I have the following origin certificates

*, (2 hosts)

After about 20 minutes I run

sudo certbot certonly --test-cert --webroot -w /opt/marketplace/public/yegfitness -d

The result is:

Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: dns :: DNS problem: NXDOMAIN looking up A for

beta-yegfitness and yegfitness are two different names.

Edit: If you have origin certificates from Cloudflare, why create Let's Encrypt certificates too?

Edit: That command is using --test-cert, but the staging environment produces certificates that aren't trusted by clients, whether they're browsers or Cloudflare's servers.

Thanks, what a silly error on my part with the wrong names.

I am not sure why things are set up this way. I took over this legacy project from previous devs, and I am not an expert on this stuff. Just trying my best to make it work how it is set up and not cause more problems than I solve!

There is again no ip address ( ):

Host    T    IP-Address    is auth.    ∑ Queries    ∑ Timeout
                Name Error    yes         1            0
                Name Error    yes         1            0

So that

doesn't produce the required result.

Use online tools to check such things.

OK I made the fixes as noted, and was able to create a certificate. I then updated my sites-available and sites-enabled and restarted nginx.
I turned Always Use HTTPS back to on and made sure the A entry for DNS cloud was orange.

After waiting 20 minutes when I navigate to

I get invalid certificate, and when I try

This page ( is currently offline. However, because the site uses Cloudflare’s Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version. Always Online™ is powered by Cloudflare | Hide this Alert

Yes, I was making problems with the names the correct domain is mostly works for me. The page loads. Some of the images and such are 404 Not Found errors. returns a Cloudflare invalid origin certificate error.

What certificate is being used on the origin now? How is it configured?

Could you turn off Cloudflare on the subdomain temporarily so we can check it?

Or share your non-Cloudflare - ip address.

Then I can check it - ip + hostname.


Your public IP address

hostname: fitchek-server

The hostname is the domain name.

The result -

You have a 90 day - certificate: 
expires in 90 days - 1 entry

But it's the Fake Certificate:

Chain (complete)	
	2	CN=Fake LE Intermediate X1

So create a new certificate, but don't use the test system.

If the certificate is valid, then you should have a Grade I (some content errors), but not a certificate error.

OK I did as you said and re-ran (without test):

sudo certbot certonly --webroot -w /opt/marketplace/public/yegfitness -d

It asked me to keep or renew and replace, so I choose renew and replace

2: Renew & replace the cert (limit ~5 per 7 days)

and the response:

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for

Using the webroot path /opt/marketplace/public/yegfitness for all unmatched domains.

Waiting for verification…

Cleaning up challenges


  • Congratulations! Your certificate and chain have been saved at:


Your key file has been saved at:


Your cert will expire on 2019-06-16. To obtain a new or tweaked

version of this certificate in the future, simply run certbot

again. To non-interactively renew all of your certificates, run

“certbot renew”

Still doesn’t work however, still get invalid SSL certificate

If you use certonly, the certificate isn't installed.

Perhaps the file is replaced. But then you have to reload / restart your webserver.

PS: There

is your new certificate.

So install it and recheck your domain.
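As an added illustration of that point (this is not configuration from the thread, and the hostname and paths are placeholders): `certbot certonly` only writes files under /etc/letsencrypt/live/<name>/; nginx keeps serving whatever its server block already points at until it is told to load the new files and is reloaded. Serve fullchain.pem (leaf plus intermediate), not cert.pem, so that a client doing chain validation, which is what Cloudflare's "Full (strict)" mode does, can build the chain. Keep the challenge path reachable over plain HTTP so that renewals keep working behind the redirect.

```nginx
# Added example. "example.com" and the certbot lineage name are placeholders;
# the webroot path is the one used in the certbot command in this thread.
server {
    listen 80;
    server_name example.com;

    # http-01 renewals fetch /.well-known/acme-challenge/<token> over HTTP,
    # so this location must stay plain HTTP and must not be redirected.
    location /.well-known/acme-challenge/ {
        root /opt/marketplace/public/yegfitness;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Files written by "certbot certonly"; nginx does nothing with them
    # until this block references them and nginx is reloaded.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root /opt/marketplace/public/yegfitness;
}
```

After editing, run `sudo nginx -t && sudo systemctl reload nginx`. To see which certificate a given lineage holds before reloading, `openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -issuer -enddate` shows the issuer (a staging chain shows "Fake LE Intermediate X1") and expiry. For renewals, `certbot renew --deploy-hook "systemctl reload nginx"` reloads nginx only when a certificate was actually renewed.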

Looks like you have fixed the error. Checking your ip + domainname as hostname lists now
expires in 89 days - 1 entry

And the domain has four Cloudflare ip addresses and a big Cloudflare certificate:, OU=PositiveSSL Multi-Domain, 
OU=Domain Control Validated
expires in 87 days

Some missing files ... Grade I.

A post was split to a new topic: How to setup HTTP to HTTPS redirection?

Thanks for all the help, your support has been amazing, I just want to absolutely clear on the next step before i do something wrong (again):

When you say

There ends your post.

So your question is invisible.

Thanks for all the help, your support has been amazing, I just want to absolutely clear on the next step before i do something wrong (again):
When you say:

is your new certificate.

So install it and recheck your domain.

Do you mean that I should run

sudo certbot --webroot -w /opt/marketplace/public/yegfitness -d ?

and then restart nginx?

Note that the site is now working, but I think there might be multiple certificates, so not sure which one is in use



No, the problem is already solved.

See post

Check the result of

There you see: Your internal ip address checked with your domain name as hostname -> the certificate is valid.

That's like a browser connecting to a website: First, the browser has to find the ip address. Then the browser connects to the ip address and sends the domain name as hostname.

So Cloudflare is able to connect to your site via https.

And check - then you see your Cloudflare - ip and your Cloudflare certificate.

The first is the internal view, the second is that, what visitors see.
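The "ip + hostname" check described here and in the earlier reply (connect to the origin's own IP, send the domain name as SNI, and look at whether the certificate is trusted and whether it came from the staging system) can be scripted. The following is an added example, not the checker used in the thread and not code from Let's Encrypt or Cloudflare; it uses only the Python standard library, and the host name, IP and certificate fields in it are placeholders. It also does the public DNS lookup that failed with NXDOMAIN earlier, and it detects a --test-cert chain by the "Fake LE Intermediate X1" issuer that appeared above.

```python
"""Added example (not from the thread): check the certificate an origin serves.

Connects straight to the origin IP with the site's hostname as SNI, which is
how Cloudflare and the external checker above reach the origin, and reports
whether the certificate is from Let's Encrypt staging (--test-cert), which
neither browsers nor Cloudflare trust.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Issuer name fragments used by Let's Encrypt's staging CA. The exact names
# rotate; "Fake LE Intermediate X1" is the one that appeared in this thread.
STAGING_MARKERS = ("Fake LE", "(STAGING)")


def rdn_to_dict(rdns):
    """Flatten the tuple-of-tuples form ssl.getpeercert() uses for subject/issuer."""
    return {key: value for rdn in rdns for key, value in rdn}


def summarize_cert(cert):
    """Reduce a getpeercert() dict to the fields that matter for this check."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    issuer_cn = issuer.get("commonName", "")
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return {
        "subject_cn": subject.get("commonName", ""),
        "issuer_cn": issuer_cn,
        "sans": [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"],
        "expires": expires,
        "staging": any(marker in issuer_cn for marker in STAGING_MARKERS),
    }


def days_left(summary, now=None):
    """Whole days until expiry, as the external checker reports it."""
    now = now or datetime.now(timezone.utc)
    return (summary["expires"] - now).days


def fetch_origin_cert(origin_ip, hostname, port=443, timeout=10):
    """TLS-connect to origin_ip (not to whatever DNS says) with hostname as SNI.

    Verification is on, so an untrusted chain (staging, self-signed, expired,
    wrong name) raises ssl.SSLCertVerificationError, the same outcome as
    Cloudflare "Full (strict)" rejecting the origin.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_origin(origin_ip, hostname, port=443):
    """Return ("ok", summary) or ("error", reason)."""
    try:
        cert = fetch_origin_cert(origin_ip, hostname, port)
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate" for a staging chain
        return ("error", exc.verify_message)
    except (OSError, ssl.SSLError) as exc:
        return ("error", str(exc))
    return ("ok", summarize_cert(cert))


def resolve(hostname):
    """Public DNS view: an empty list means NXDOMAIN / no address record,
    which is what the http-01 challenge reported earlier in the thread."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443)})
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # usage: python3 check_origin.py ORIGIN_IP HOSTNAME   (run against your own hosts)
    origin_ip, hostname = sys.argv[1], sys.argv[2]
    print("public DNS answers:", resolve(hostname) or "NXDOMAIN / no A record")
    status, detail = check_origin(origin_ip, hostname)
    if status == "error":
        print("origin rejected:", detail)
    else:
        print(f"issuer={detail['issuer_cn']!r} sans={detail['sans']} days_left={days_left(detail)}")
        if detail["staging"]:
            print("STAGING certificate: re-run certbot without --test-cert")
```

Run it once against the origin IP with the domain as hostname (the "internal view") and once against the hostname's public address (the Cloudflare view); the first should show the Let's Encrypt certificate installed in nginx, the second the Cloudflare edge certificate. An "origin rejected" result on the first run means Cloudflare in "Full (strict)" mode will reject it too.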
