Problem adding SSL to subdomain

My domain is:

I ran this command: certbot --expand -d,

It produced this output:

 - The following errors were reported by the server:

   Type:   tls
   Detail: remote error: tls: handshake failure

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   you have an up-to-date TLS configuration that allows the server to
   communicate with the Certbot client.

My web server is: Nginx

OS: Debian 9

My hosting provider, if applicable, is: OVH

Im also runing with CloudFlare, the DNS:

All of the pointing to the same IP.

Hi @SrPeter

Cloudflare throws an error:

This page ( is currently offline. However, because the site uses Cloudflare's Always Online™ technology you can continue to surf a snapshot of the site. We will keep checking in the background and, as soon as the site comes back, you will automatically be served the live version. Always Online™ is powered by Cloudflare | [Hide this Alert](javascript:void(null):wink:

Letsencrypt checks the http - version.

Perhaps use --manual and the dns-validation, create the dns entry manual to get your first certificate.

TLS-SNI-01 validation can't be used through Cloudflare's reverse proxy. (TLS-SNI-01 is also deprecated for other reasons.)

You can add "--preferred-challenges http-01" to use HTTP-01 validation.

However, stretch has an older version of Certbot (0.10.2), and that will probably fail.

However however, stretch-backports has a quite recent version of Certbot. You should probably enable it and upgrade Certbot.

Additionally, stretch-backports includes Certbot's Cloudflare DNS plugin in the python3-certbot-dns-cloudflare package, if you want to try it.


Additionally additionally, for Cloudflare proxied domains, you might want to skip Certbot and Let's Encrypt and uses Cloudflare's Origin CA. (It issues certificates that are trusted by Cloudflare's CDN servers but not by browsers.)


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.