Generate Certificate

I am trying to generate a certificate for my web server, but I am getting an authorization error.
I followed the command below:

sudo certbot certonly --standalone --preferred-challenges http -d dev.analytics.gov.ph

Failed authorization procedure, the server could not get connected to the client to verify the domain

OS - CentOS 7.0

What was the exact and complete output of that command?

  • sudo certbot certonly --standalone --preferred-challenges tls-sni -d dev.analytics.gov.ph

[Screenshot: Certbot_cert]

Thanks for the screenshot. The likely problem is that you said --preferred-challenges http, but “http” is not the name of an ACME challenge. The correct form is --preferred-challenges http-01.

Since Certbot didn’t recognize “http” as a challenge type, it automatically reverted to the default “tls-sni-01”, which tried to connect on port 443 instead of port 80, which apparently didn’t work in your environment.

Thanks.

What should be the problem?

I even tried with sudo certbot certonly --standalone --preferred-challenges tls-sni-01 -d dev.analytics.gov.ph, but I am still getting the issue.

I am also trying to renew the certificate for a different server with
sudo certbot renew --dry-run, and the renewal failed.

For dev.analytics.gov.ph, it looks like there are existing programs listening on both port 80 and port 443 that accept inbound connections but then disconnect immediately. You can find out if there are really any such programs by running a command like

sudo netstat -pant

If you see a :80 [...] LISTEN or :443 [...] LISTEN, that is the responsible program. You would need to temporarily stop that program in order to use --standalone because the port needs to be available in order to obtain the certificate using --standalone.

If you don’t see any such program, then there is some kind of firewall or proxy that restricts inbound connections for this machine, and you’ll need to find and change the firewall or proxy machine’s behavior to allow these inbound connections.

In this case it looks like your webroot is no longer correct. If you used --standalone with this server and then installed a separate webserver afterward, then there is probably a conflict between the standalone authenticator plugin and the new webserver. If you used --webroot, you may have changed something about the web server configuration after you originally obtained the certificate, which made the saved settings no longer correct. Does either of these possibilities seem likely to you?
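
The port check described in the reply above, as an added example that is not part of the original thread: a shell function that filters `netstat -pant` output for LISTEN sockets on ports 80 and 443, matching the port exactly so that a listener on 8080 is not mistaken for one on 80. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find what is holding the ports that
# certbot --standalone needs. Function names are hypothetical.

# listeners_on PORT...: read `netstat -pant` output on stdin and print
# "port pid/program" for each LISTEN socket bound to one of the given ports.
listeners_on() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            k = split($4, a, ":")   # port follows the last colon (IPv4 and IPv6)
            if (a[k] in want) print a[k], $7
        }'
}

# check_standalone: return 1 and name the listeners if 80 or 443 is taken.
check_standalone() {
    found=$(listeners_on 80 443 | sort -u)
    if [ -n "$found" ]; then
        printf 'Stop these before using --standalone:\n%s\n' "$found"
        return 1
    fi
    echo "Nothing listens on 80 or 443; look at the firewall or proxy instead."
}

# Constructed sample of `sudo netstat -pant` output (not from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*           LISTEN      987/sshd
tcp        0      0 0.0.0.0:80       0.0.0.0:*           LISTEN      1234/httpd
tcp        0      0 127.0.0.1:8080   0.0.0.0:*           LISTEN      2210/java
tcp6       0      0 :::443           :::*                LISTEN      1234/httpd
tcp        0      0 192.0.2.10:22    198.51.100.7:51512  ESTABLISHED 3001/sshd: admin
EOF
}

# Demo on the sample; on a real host: sudo netstat -pant | check_standalone
sample_netstat | check_standalone || true
```

Without root, netstat prints `-` in the PID/Program column, so run it with sudo to see which program to stop.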
