I get errors generating a certificate for my EC2 server linux Ubuntu 16.04 and Node app

Please fill out the fields below so we can help you better.

My domain is:


I ran this command:

sudo certbot certonly --standalone -d motivatincentivos.com -d www.motivatincentivos.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for motivatincentivos.com
tls-sni-01 challenge for www.motivatincentivos.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.motivatincentivos.com (tls-sni-01): urn:acme:error:connection :: The s erver could not connect to the client to verify the

domain :: Timeout, motivatincentivos.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout


  • The following errors were reported by the server:

    Domain: www.motivatincentivos.com
    Type: connection
    Detail: Timeout

    Domain: motivatincentivos.com
    Type: connection
    Detail: Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

I have no a web server installed. The web server is part of my Node app.
My app listens for protolol HTTP + IP server + port 3000. Example: http://xxx.xxx.xxx:3000
Godaddy is my domain provider.

The operating system my web server runs on is (include version):

Linux Ubuntu 16.04.2 LTS

My hosting provider, if applicable, is:

VPS and EC2 - Amazon AWS

I can login to a root shell on my machine (yes or no, or I don’t know):

Login with a user with administrator capabilities.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I am using Putty from Windows 7
A SSH connection with a IP and a key

Thanks in advance or your attention.

Carlos Alberto Urrea A.

You likely need to update your AWS security group (and possibly server firewall) to allow inbound connections on port 80/443 for Let’s Encrypt to connect. The tls-sni-01 challenge uses port 443, and with the standalone plugin Certbot will start its own temporary server to service the necessary requests.

Hi Jaded, Thanks for your reply,

The security group includes ports 80, 443 and are open to all users.

Hi @carlosa.urrea,

Apart from what @jared.m comments, keep in mind that this command:

sudo certbot certonly --standalone -d motivatincentivos.com -d www.motivatincentivos.com

Will start a web server on port 443 to serve the challenge and validate your domains so Let’s Encrypt will try to connect directly to motivatincentivos.com on port 443 but right now, the web server is a Microsoft IIS that is serving a page with a frame loading your content from other ip`on port 3000.

$ curl -ikL http://www.motivatincentivos.com/
HTTP/1.1 200 OK
Cache-Control: max-age=900
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Tue, 29 Aug 2017 21:49:22 GMT
Content-Length: 371
Age: 1
Connection: keep-alive



<frameset rows="100%,*" border="0">
  <frame src="" frameborder="0" />
  <frame frameborder="0" noresize />

<!-- pageok -->
<!-- 12 -->
<!-- -->

In this case, you won’t be able to issue a certificate for your domain if Let’s Encrypt can’t reach your server.

Why is the reason for that frame instead of pointing your domain to your real server?, there is no need to use that ugly frame redirection.


This is a image from Security Group:

I’m sorry but I do not understand what I should do.
I understand that port 443 is available for the https protocol and just for that I need the certificates.
At the moment the App runs listening to the port 3000 because so I have it programmed inside the server of App Node.js.

What should I do then?

Hi Sahsanu,

Thanks for your reply.

This is the code of the NodeJs App that handles the Application Server. That’s all code.

// Defines the port to run on
app.set(‘port’, process.env.PORT || 3000);

app.listen(app.get(‘port’), function(){
console.log(‘Express started on http://localhost:’ +
app.get(‘port’) + ‘; press Ctrl-C to terminate’);

Best regards,

Carlos Alberto Urrea A.


As I said, your domain motivatincentivos.com points to ip and the content on port 80 is being served by the web server Microsoft IIS. The only content that is served is an html with an iframe pointing to your AWS server on port 3000.

When you run certbot using standalone, it will start a web server on port 443 to serve the challenge to validate your domain. And this web server is available on your AWS server ( but there is no way to reach it on port 443 using your domain name because it points to another server ( and this server is not redirecting the requests to your real server.

I don’t know how do you need/want to implement your site and don’t know the reason to use a frame “redirection” for your domain but the fast way to solve your issue is to change the DNS A record for your domain motivatincentivos.com and point it to your real server instead of

Time to sleep here.

Good luck.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.