Locally hosted server, no hairpinning, .tk TLD - lots of fun!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I ran this command:
$ sudo certbot
$ sudo certbot -i nginx --dns-cloudflare --dns-cloudflare-credentials
It produced this output:
$ sudo certbot
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Could not find ssl_module; not disabling session tickets.

How would you like to authenticate and install certificates?

1: Apache Web Server plugin (apache)
2: Nginx Web Server plugin (nginx)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

Which names would you like to activate HTTPS for?

1: platformfm.tk

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for platformfm.tk

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
Domain: platformfm.tk
Type: connection
Detail: Fetching http://platformfm.tk/.well-known/acme-challenge/aF4I-mkdYaXZ-eOjw5erwhMoreW2fN5LlCOd3gM1Trw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

$ curl http://platformfm.tk/.well-known/acme-challenge/aF4I-mkdYaXZ-eOjw5erwhMoreW2fN5LlCOd3gM1Trw
curl: (7) Failed to connect to platformfm.tk port 80: Operation timed out


$ sudo certbot -i nginx --dns-cloudflare --dns-cloudflare-credentials

Fails with:

Encountered CloudFlareAPIError adding TXT record: 1038 You cannot use this API for domains with a .cf, .ga, .gq, .ml, or .tk TLD (top-level domain). To configure the DNS settings for this domain, use the Cloudflare Dashboard.
Error communicating with the Cloudflare API: You cannot use this API for domains with a .cf, .ga, .gq, .ml, or .tk TLD (top-level domain). To configure the DNS settings for this domain, use the Cloudflare Dashboard.

My web server is (include version):
nginx 1.21.1
The operating system my web server runs on is (include version):
MacOS 10.14.6
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.18.0

1 Like

I'm failing to see with what you're requesting help here. The errors speak for themselves if you ask me:

Your host at platformfm.tk is completely unresponsive on usual ports such as port 80, port 443, port 22, port 143 et cetera. If you want a certificate through the http-01 challenge, your website needs to be accessible from the world wide web.

This error also speaks for itself: apparently, CloudFlare does not support their DNS API for the .tk top level domain.

1 Like

router is not smart enough to phone itself and exposing port 80, which i believe the ISP blocks anyways, would open up the router admin page to the public - less than ideal.

Nginx is listening on a different port and being used to proxy requests to an app on a different port again, so i am unable to locate the request even in a tor browser window as it isnt set up as a typical server and port 80/443 is not accesible.

1 Like

I understand the error speaks for itself but for me, this is how i would usually deal with this request. There must be a solution. I assume it would work if i wasnt on a .tk domain. Can anyone offer any assistance as it is my home and i would really like to be able to provide a secure connection. Thanks :slight_smile:

1 Like

I understand the error speaks for itself but for me, this is how would usually resolve this problem.
It is a home router so port 80 is not exposed and a dns challenge was my only other option, hence asking for help.

It is my home so i would really really like to be able to provide a secure connection for myself and connected clients! There must be a solution.

1 Like

not sure if is of any help but i did manage to get cloudflare certificates and specify those in the config and rewrite to 443, but the content doesnt live there so i reverted. my thinking is maybe it should be possible over 443? if it worked previously, i can understand why my isp is blocking 80 but should be no need to block 443...

1 Like

Welcome to the Let's Encrypt Community, Charlie :slightly_smiling_face:

You can still use a manual DNS-01 challenge:

sudo certbot -a manual --preferred-challenges dns -d "platformfm.tk,www.platformfm.tk" -i nginx

You'll want to change the port of the generated server block from 443 to whatever you use.


Do you control any other non .tk domain?
Or any domain who uses an API you can update?
If so, you could CNAME the challenges there and deal with this outside of the .tk constraints.


Wow! I have actually used that in the past to get wildcard certificates, completely mistaking that for the dns challenge i was trying here!

Thanks so much! :smiley:

I will try now and report back.


The downside to --manual is the lack of automation :frowning:

1 Like

Not currently, but I didn't know this was possible either, great shout! thanks. Im sure this will be a failsafe :slight_smile:

With regards to automation, this is not such a bother for me at such a small scale and there is no SLA in place to define availability, more just educational and exploration i guess. If i were to need to remain online/up i would no doubt shift to the cloud.


For wildcard:

sudo certbot -a manual --preferred-challenges dns -d "platformfm.tk,*.platformfm.tk" -i nginx

Don't forget to create both TXT records for _acme-challenge.platformfm.tk.

The nginx installation for the wildcard (say for www) can be a bit goofy, so you'll want to double-check certbot's work.

You could look to automate this with acme-dns:

The delegation for acme-dns of the dns-01 challenge to another (sub)domain via a CNAME record could double as a mechanism for @rg305's suggestion.


Does your ISP allow port 53 (DNS)?
If so, you could run your own DNS locally to pass the validation.

Yeah, what he said! - LOL


Hey griffin,

Your first response worked a charm!

I had used it previously with ansible/apache and it was quite a long command -
(sudo certbot certonly --manual -d *.{{ domain }} -d {{ domain }} --agree-tos --no-bootstrap --manual-public-ip-logging-ok --expand --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory),
and must've just slipped my mind.

Thank you very much, I'm off to play with nginx now!



Have fun!




This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.