- The following errors were reported by the server:
Detail: remote error: tls: handshake failure
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
you have an up-to-date TLS configuration that allows the server to
communicate with the Certbot client.
Let's Encrypt checks the http version.
Perhaps use --manual and the DNS validation, and create the DNS entry manually to get your first certificate.
TLS-SNI-01 validation can't be used through Cloudflare's reverse proxy. (TLS-SNI-01 is also deprecated for other reasons.)
You can add "--preferred-challenges http-01" to use HTTP-01 validation.
However, stretch has an older version of Certbot (0.10.2), and that will probably fail.
However however, stretch-backports has a quite recent version of Certbot. You should probably enable it and upgrade Certbot.
Additionally, stretch-backports includes Certbot's Cloudflare DNS plugin in the python3-certbot-dns-cloudflare package, if you want to try it.
Additionally additionally, for Cloudflare proxied domains, you might want to skip Certbot and Let's Encrypt and use Cloudflare's Origin CA. (It issues certificates that are trusted by Cloudflare's CDN servers but not by browsers.)