Error Cannot GET /.well-known/

My domain is:

My website is dysfunctional, sometimes it works and sometimes it does not with this error: Error 525 SSL handshake failed.

I just specify, I have other domains on this server, and I have the same problem for those other domain.

Here are some commands and output I run:

1) command: curl -svo /dev/null --connect-to ::my-ip-adress 2>&1 | egrep -v "^{.*$|^}.*$|^* http.*$"


* Connected to my-ip-adress (my-ip-adress) port 443 (#0)
* ALPN, offering h2
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* stopped the pause stream!
* Closing connection 0

2) command: curl -I https://my-ip-adress

curl: (60) SSL certificate problem: certificate has expired
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

3)command: cat /etc/ssl/certs/ca-certificates.crt | openssl x509 -noout -enddate
output: notAfter=Dec 31 09:37:37 2030 GMT

I tried to renew certbot by doing:
command: sudo certbot certonly --nginx -d --dry-run
I got output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from [2606:4700:3033::681b:b925]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /.well-known/"

 - The following errors were reported by the server:

   Type:   unauthorized
   Detail: Invalid response from
   [2606:4700:3033::681b:b925]: "<!DOCTYPE html>\n<html
   GET /.well-known/"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Configuration in /etc/letsencrypt/renewal:

renew_before_expiry = 30 days
version = 0.26.1
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

Options used in the renewal process
account = a5e0b9652f9ead29418937b7c381b611
authenticator = nginx
installer = nginx
server =

My nginx/sites-available configuration is:

server {
  location / {
    proxy_pass http://localhost:8002;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_cache_bypass $http_upgrade;

  location /technical {
                proxy_pass http://localhost:8001;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
server {
    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen 80;
    return 404; # managed by Certbot

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 18.04.

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Hi @Dev_mark

your configuration looks buggy - see your last check -

First, you use Cloudflare, so your real configuration is invisible.

Second, there is no active Letsencrypt certificate:

Issuer not before not after Domain names LE-Duplicate next LE
Cloudflare Inc ECC CA-3 2020-06-29 2021-06-30 *,,
3 entries
Let's Encrypt Authority X3 2020-05-25 2020-08-23
1 entries
Let's Encrypt Authority X3 2020-03-25 2020-06-23
1 entries
Let's Encrypt Authority X3 2020-01-25 2020-04-24
1 entries

So I would expect that error 525 always, not only sometimes.

Third, Cloudflare redirects http to https, so you can't use the nginx authenticator, that's expected. Use the webroot authenticator and the webroot of your https.

What's your real ip address? Test that ip address via "check-your-website" and add the domain name to the hostname - field.

So you mean it is a bug that I actualy see an expired date which is not expired?

is it possible the configuration I have is for an old certificate which is not working anymore?
Should I remove it and his configuration and set up a new one for the beggining?

Can you tell me more about webroot? I am really new in server coding and espacially with this ssl thing

Thank you for your help

I hope you aren't referring to this:

Dec 31, 2030?
What does that output have to do with your problem?
[trying to issue/renew cert through CloudFlare]

Since you use Cloudflare, there's one HTTPS connection between the browser and Cloudflare's proxy, using Cloudflare's own automatically-issued certificates. Then there's an additional HTTPS connection between Cloudflare's proxy and your back-end (origin) server. This connection may use a Let's Encrypt certificate.

One part of what @JuergenAuer is pointing out is that it's hard to test technical details of your origin server without knowing its IP address. If we try to do tests against, we're just testing Cloudflare's proxy server—which is working just fine!

It may be possible to debug this by looking at more log files from your server when you try to run sudo certbot renew. (These log files end up in /var/log/letsencrypt.)

Two other things:

(1) Since your only use of the Let's Encrypt certificate is to protect the connection between Cloudflare and your origin server, you could consider using the Cloudflare Origin CA instead of Let's Encrypt—if you intend to continue using Cloudflare.

(2) As @rg305 indicated, the openssl command you ran doesn't show anything particularly relevant. First, the expiration date there is in 2030, not 2020—still a decade away. Second, ca-certificates.crt contains public certificates belonging to certificate authorities (not to your site). Your Let's Encrypt certificate is instead visible in /etc/letsencrypt/live or by running sudo certbot certificates. Third, since there are many different certificates in the ca-certificates.crt, the command you ran just showed the information about the first one: in this case a root certificate belonging to the Spanish Agencia de Tecnología y Certificación Electrónica (

    Issuer: CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES
        Not Before: May  5 09:37:37 2011 GMT
        Not After : Dec 31 09:37:37 2030 GMT

which probably comes first in that file only because the name of the certificate authority is alphabetically first. :slight_smile:

1 Like

Thank you all for your helpful responses. I understand better now.

@schoen, here is my ip address:, so you could make some test.

I understand I need a certificate for the connection between Cloudflare's proxy and my back-end server. And for this I can use Let's Encrypt or Cloudflare origin CA. If the case I want to use Let's encrypt how should I do? Because for the moment certbot is install on my server but I can not run certbot renew.
Please help me, I would really appreciate if you could give me some guide lines, I am kind of lost and stucked in this problem. Thank you

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.