Issuance of a certificate for 3CX IP PBX servers


Please fill out the fields below so we can help you better.

My domain is:

I ran this command: ./certbot-auto certonly --standalone -TLS-SNI-01-PORT 5001 -http-01-port 5000 -d

It produced this output: USAGE CERTBOT-AUTO [SUBCOMMAND] [options] [-d domain] …

My operating system is (include version): Ubuntu Server 15.04

My web server is (include version): Windows Server on hosting at Directnic, but it is located at my location in La Paz, Bolivia; I am only applying this to my IP PBX 3CX

My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


I ran a new command:
./certbot-auto certonly --standalone --tls-sni-01-port 5001 --http-01-port 5000 -d

message: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to for tls-sni-01

Important notes

  • The following errors were reported by the server:
    Detail: Failed to connect to for TLS-SNI-01 Challenge


Let's Encrypt needs to validate your domain using port 80 or 443 (or a DNS challenge) … is your domain available on port 80/443?


Actually, my server doesn’t use those ports, but I enabled them in my firewall to let them pass.


For the TLS-SNI challenge, port 443 on your server must be open to the Internet. For the HTTP challenge, port 80 must be open. The parameters you’ve found let you specify the port that certbot will listen on (so, for example, you could have a port forwarded from 443 on the outside to 5001 internally), but as far as the Internet-facing side of your system is concerned, you must have either port 80 or 443 open.

If that is not possible, consider the DNS-01 challenge with one of the alternate clients–certbot doesn’t support it currently, but many of the alternate clients (like and do.
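
An added example, not part of the original thread or of certbot: a pre-flight check for the port requirement described above. It serves a constructed token on the internal port (the role of --http-01-port) and fetches it through the Internet-facing port, which succeeds only when a forward such as 80 to 5000 is in place. The function names and the host pbx.example.com are assumptions.

```python
"""Pre-flight check: does the Internet-facing port reach the internal listener?"""
import http.server
import secrets
import threading
import urllib.request

PREFIX = "/.well-known/acme-challenge/"  # path used by the HTTP-01 challenge


def start_listener(port, token, bind="0.0.0.0"):
    """Serve a constructed token on the internal port (role of --http-01-port)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            found = self.path == PREFIX + token
            body = token.encode() if found else b"not found"
            self.send_response(200 if found else 404)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the console quiet
            pass

    server = http.server.ThreadingHTTPServer((bind, port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, token, timeout=5):
    """Fetch the token the way a validator would; False on any failure."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(f"http://{host}:{port}{PREFIX}{token}", timeout=timeout) as r:
            return r.read().decode() == token
    except OSError:  # refused, timed out, HTTP error: the forward is not working
        return False


def preflight(public_host, public_port, internal_port, bind="0.0.0.0"):
    """True only if public_port on public_host is forwarded to internal_port."""
    token = secrets.token_urlsafe(16)  # constructed sample token, not a real ACME one
    server = start_listener(internal_port, token, bind)
    try:
        return probe(public_host, public_port, token)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # pbx.example.com is a placeholder; 80 -> 5000 mirrors the forward discussed above.
    print("reachable" if preflight("pbx.example.com", 80, 5000) else "NOT reachable")
```

Run the probe from a host outside your network where possible, since a router without NAT loopback can fail the check from inside even when the forward works.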


You should be able to use the standalone mode on port 443 then:

./certbot-auto certonly --standalone --standalone-supported-challenges tls-sni-01 -d

Alternatively, as @danb35 says, all the Bash alternate clients (including the one I wrote - getssl … not just the two danb35 mentions) support the DNS challenge.

