Pritunl letsencrypt Setup


Hello Guys,

I am trying to setup a vpn server to use letsencrypt cerificate but for the past week I have been stuck at this error and all that I do does not seem to go down well with the host.
below is a the redacted error from the logs when I trying doing cert request from the web interface of pritunl…

[snowy-thunder-3422][2019-03-12 15:36:19,990][INFO] Parsing account key…
[snowy-thunder-3422][2019-03-12 15:36:20,020][INFO] Parsing CSR…
[snowy-thunder-3422][2019-03-12 15:36:20,056][INFO] Found domains: domain.local
[snowy-thunder-3422][2019-03-12 15:36:20,056][INFO] Getting directory…
[snowy-thunder-3422][2019-03-12 15:36:21,084][INFO] Directory found!
[snowy-thunder-3422][2019-03-12 15:36:21,084][INFO] Registering account…
[snowy-thunder-3422][2019-03-12 15:36:22,829][INFO] Registered!
[snowy-thunder-3422][2019-03-12 15:36:22,830][INFO] Creating new order…
[snowy-thunder-3422][2019-03-12 15:36:24,776][INFO] Order created!
[snowy-thunder-3422][2019-03-12 15:36:25,687][INFO] Verifying domain.local…
[snowy-thunder-3422][2019-03-12 15:37:57,337][ERROR] Failed to get LetsEncrypt cert
Traceback (most recent call last):
File “/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/handlers/”, line 856, in settings_put
File “/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/”, line 68, in update_acme_cert
cert = get_acme_cert(, csr)
File “/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/”, line 43, in get_acme_cert
File “/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/”, line 138, in get_crt
raise ValueError(“Challenge did not pass for {0}: {1}”.format(domain, authorization))
ValueError: Challenge did not pass for domain.local: {u’status’: u’invalid’, u’challenges’: [{u’status’: u’invalid’, u’validationRecord’: [{u’url’: u’http://domain.local/.well-known/acme-challenge/PUNVmkpP9IUHd2oN0b5D39JJNwAZ69ZaSlDixzCSe_0’, u’hostname’: u’domain.local’, u’addressUsed’: u’public_ip’, u’port’: u’80’, u’addressesResolved’: [u’public_ip’]}], u’url’: u’’, u’token’: u’PUNVmkpP9IUHd2oN0b5D39JJNwAZ69ZaSlDixzCSe_0’, u’error’: {u’status’: 400, u’type’: u’urn:ietf:params:acme:error:connection’, u’detail’: u’Fetching http://domain.local/.well-known/acme-challenge/PUNVmkpP9IUHd2oN0b5D39JJNwAZ69ZaSlDixzCSe_0: Timeout after connect (your server may be slow or overloaded)’}, u’type’: u’http-01’}, {u’status’: u’invalid’, u’url’: u’’, u’token’: u’x3gr_BsiFAAJIat9OG1hO4JyRwpYwy3ZlloOC1YmqLQ’, u’type’: u’tls-alpn-01’}, {u’status’: u’invalid’, u’url’: u’’, u’token’: u’jpCIUI1nCxc6-Pmv3kaWSjXAPmYdRVV6ujdwm-FKwZU’, u’type’: u’dns-01’}], u’identifier’: {u’type’: u’dns’, u’value’: u’domain.local’}, u’expires’: u’2019-03-19T19:36:24Z’}
acme_domain = “domain.local”

Any help is warmly welcomed


Hi @iyushaw

what’s your domain name?

You can’t get a public trusted certificate with a private domain name (*.local).

You need a worldwide unique domain name to create a certificate with that domain name.


I was trying to protect the identity of the server but thats not the actual ip and domain name.
lets say the domain name is and the ip is for example.

I have changed the default port that when you install pritunl it comes with to some ephemeral port and I appear to be able to reach it from public internet. Hence it means am not able to reach port 80 which the challenge is depending on for response from my host.

That brings me to the question is there a way to make the challenge use a different port to contact my server other than the default port 80 which for some unknown reason its being blocked.

Kind regards


Nope, please see

closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.