Detail: Error getting validation data

Hi, I have been trying to get this to work for hours now, and I am getting the following issue. Any help would be greatly appreciated.

Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

I have tried setting my server in the DMZ. I have tried stopping apache.

Can someone please tell me the minimum entries you need to have in your DNS records?
I have one www A record which points back to my IP address.
I also have entries which point to my MX server.
I then have a CNAME record which points to my DDNS.

I know I have my virtual hosts configured correctly, as going to the different domains causes the different websites to load their proper content. I am really at a loss as to what to do…

I do have another certificate for my DDNS but that is for another application I am running outside of apache2.

Ubuntu 16.04 LTS
Running virtual hosts

Anyone know how to fix this?

No - that may not be the cause of your issues, and there is no such thing as "how many records do I need". You should know and design your DNS around what you require, not as an attempt to "fix" a problem.

I would suggest that you follow the steps outlined when you create a help request,

the ones about "I ran this command", etc.

Anyone know how to fix this?

Maybe, maybe not, but until we have tangible information to begin an investigation we won't know 🙂

I sense you are frustrated, but following a calm, methodical approach will serve you much better than not following it and trying to "solve" the problem.


Hi @BarkPilot,

Can you share the affected domain name? Are you using Certbot as an ACME client?

The affected domain name is Yes, I am using Certbot as an ACME client, following the directions that were outlined here.

Hi @BarkPilot

Your domain has port 443 open; however, there is no certificate configured on it, so TLS connections cannot be made. So the challenge you are facing has nothing to do with your DNS records but in fact with your web server configuration.

The way the TLS-SNI challenge works is that it connects to your server on port 443; if it cannot make the connection (and it can't), then the challenge fails. You have port 80 open, so you can use the HTTP-01 challenge or the standalone web server.

So to fix it, you have three options:

A) Fix the current Apache configuration to have a self-signed certificate (which will be replaced later) for your domain
B) Use --webroot instead
C) Use standalone instead, but you will need to shut down the Apache server while you obtain the certificate

Manual: User Guide — Certbot 1.21.0 documentation
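The reply above describes what the validator does before it can even look at a certificate: it opens a TCP connection to port 443 and starts a TLS handshake with the domain in the SNI extension. The script below reproduces that probe so you can tell the three failure modes apart yourself (nothing listening, port open but answering in plain HTTP, handshake completing) and maps each to the fix options A, B and C. This is an added example written for this thread, not code from Certbot or from Let's Encrypt's validator; the localhost listener and the `example.test` name are constructed fixtures so it runs offline, and the advice strings are my own summary of the options above.

```python
"""Probe a host the way the TLS-SNI-01 validator in the thread does:
open a TCP connection to port 443, start a TLS handshake with the
domain name in the SNI extension, and see whether a certificate comes
back.  Added example for this thread, not code from Certbot or from
Let's Encrypt's validator; host names and ports below are hypothetical.
"""
import socket
import ssl
import threading


def probe_tls(host, port=443, sni=None, timeout=5.0):
    """Classify what a validator would see when it connects.

    Returns one of:
      'refused'     - nothing listens on the port (or a firewall rejects it)
      'unreachable' - no route / other network error before connecting
      'timeout'     - connect or handshake got no answer in time
      'no-tls'      - the port accepted the connection but did not speak TLS
      'tls:<ver>'   - handshake completed, i.e. a certificate was presented
    """
    sni = sni or host
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The validator only needs the handshake to complete; a self-signed
    # placeholder certificate is fine, so do not verify the chain or name.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return "tls:" + tls.version()
    except ssl.SSLError:
        # e.g. WRONG_VERSION_NUMBER: the peer answered with plain HTTP (or
        # anything that is not a TLS record), or hung up mid-handshake.
        return "no-tls"
    except socket.timeout:
        return "timeout"
    except OSError:
        # connection reset / broken pipe while the ClientHello was in flight
        return "no-tls"
    finally:
        raw.close()


def diagnose(status):
    """Map a probe result to the fix options discussed in the thread."""
    if status in ("refused", "unreachable", "timeout"):
        return ("port 443 is not reachable: check the NAT/port forward and firewall, "
                "or validate over port 80 with HTTP-01 (--webroot or --standalone)")
    if status == "no-tls":
        return ("port 443 answers but does not speak TLS: add an HTTPS vhost with a "
                "placeholder self-signed certificate (option A), or use --webroot (B) "
                "or --standalone (C)")
    return "TLS handshake completes; the validator can connect"


def start_plaintext_listener():
    """Constructed fixture: a localhost 'web server' that answers every
    connection with plain HTTP, i.e. port open but no TLS, as in the thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_one():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def closed_port():
    """Constructed fixture: a localhost port that nothing listens on."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for port in (start_plaintext_listener(), closed_port()):
        status = probe_tls("127.0.0.1", port, sni="example.test")
        print(port, status, "->", diagnose(status))
```

Against a real host you would call `probe_tls("your.domain", 443)` from a machine outside your network, since the validator connects from the internet and a probe from inside the LAN will not see the router's port-forward or firewall behaviour. The three options then correspond to `certbot --apache -d your.domain` once an HTTPS vhost exists, `certbot certonly --webroot -w /var/www/html -d your.domain` (substitute the DocumentRoot of that vhost), or `certbot certonly --standalone -d your.domain` with Apache stopped.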


I think this is misleading. Certbot is able to create a temporary HTTPS virtual host for Apache configurations that don’t already have one. You don’t actually need Apache to be listening on port 443 already in order to use certbot --apache.
