Failed to connect to or TLS-SNI-01 challenge

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:
./certbot-auto certonly --standalone --email -d

It produced this output:
Type: connection
Detail: Failed to connect to for TLS-SNI-01

My operating system is (include version):
My web server is (include version):
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

So, I’m a bit confused about how letsencrypt can try to verify a domain using port 443 when I’m trying to create a certificate for that domain that would allow it to run on port 443. Port 80 is working fine.

Is there another way to validate a domain?

You can validate a domain using the existing web server on port 80 (or 443)

You could also validate a domain using a DNS challenge ( although the official certbot doesn’t support that currently, but a number of the alternate clients do).

To use certbot in standalone mode, you need to turn off any current web pages. You also need to ensure that no firewall is blocking access.

Double-check the security groups applied to the EC2 instance you’re running your web server on. You may need to allow HTTPS explicitly.

You can validate a domain using the existing web server on port 80 (or 443)

Is there something I have to do special to make it use 80? I’ve read what you’ve said, but I haven’t seen a way to make it happen.

The script returns Failed to connect to for TLS-SNI-01

I can curl to the domain on port 80 as well as use the browser to connect to the site, so I’m not sure why it’s stuck on using SSL.


Take a look at the documentation for --standalone:

This plugin needs to bind to port 80 or 443 in order to perform domain validation, so you may need to stop your existing webserver. To control which port the plugin uses, include one of the options shown below on the command line.

  • --standalone-supported-challenges http-01 to use port 80
  • --standalone-supported-challenges tls-sni-01 to use port 443
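As an added example (not code from the thread or from certbot itself), a small Python pre-flight check for standalone mode: it confirms the port the chosen challenge needs is actually free before certbot tries to bind it, and builds the command line from the option names quoted above. The domain and e-mail address in the usage block are placeholders.

```python
import socket
import sys

# Port the certbot standalone plugin binds for each challenge type
# (from the --standalone-supported-challenges options quoted above).
CHALLENGE_PORTS = {"http-01": 80, "tls-sni-01": 443}


def port_is_free(port, host="0.0.0.0"):
    """Return True if a listening socket can be bound to host:port.

    Standalone mode fails when another service (usually the existing web
    server) already holds the port, so this is the check to run before
    invoking certbot. Binding ports below 1024 needs root, which matches
    the root shell certbot-auto standalone requires anyway.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return True
    except OSError:  # EADDRINUSE, EACCES (not root), ...
        return False
    finally:
        sock.close()


def standalone_command(challenge, domain, email):
    """Build the certbot-auto invocation for the chosen challenge type."""
    if challenge not in CHALLENGE_PORTS:
        raise ValueError("unknown challenge: %s" % challenge)
    return ["./certbot-auto", "certonly", "--standalone",
            "--standalone-supported-challenges", challenge,
            "--email", email, "-d", domain]


if __name__ == "__main__":
    # Usage: python preflight.py [http-01|tls-sni-01]
    challenge = sys.argv[1] if len(sys.argv) > 1 else "http-01"
    port = CHALLENGE_PORTS[challenge]
    if not port_is_free(port):
        print("port %d is already in use: stop the web server on it, "
              "or pick the other challenge type" % port)
        sys.exit(1)
    # Placeholder domain and e-mail; substitute your own.
    print(" ".join(standalone_command(challenge, "example.com",
                                      "admin@example.com")))
```

A firewall or EC2 security group that drops inbound traffic on the port will still make the validation fail even when this check passes, since the test only covers local binding.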

Great. Thanks! That was part of the magic. Since I was on a different machine I had to use --manual and create the file in the proper place. But it eventually worked. Appreciate it!
