Problem getting a certificate

I am trying to get an SSL certificate and I’m running into the error below. I’ll appreciate any help. Thanks.

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: sudo certbot --nginx

It produced this output: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

My web server is (include version): Server: nginx/1.10.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS/xenial

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Have you reviewed the user guide:

uses TLS-SNI-01 for authorization.
but there is no TLS found at that name/IP.

Either your vhost :443 settings are misconfigured or you should be using http-01.

It’s also possible that there’s a firewall or something that blocks inbound connections on port 443 (that you might not have noticed before because you weren’t using HTTPS before for anything).

Hi, thanks for pointing me towards the firewall blocking 443. Now port 443 is open, but I am getting a different error when I run certbot --nginx. It's now saying

Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

Here’s my nginx config:

server {
    listen 443 default_server ssl;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_redirect off;
        proxy_pass http://localhost:8080;
        client_max_body_size 20m;
    }
}

server {
    listen 80;
    location / {
        proxy_pass http://localhost:8080;
    }
}

Thanks in advance.

@jsha, can you tell me what circumstances can cause this error message from Boulder after the most recent update/reorganization on the Boulder side?

“Error getting validation data” is a catch-all for errors that we don’t specifically handle and turn into something nicer. Looking at the logs, I see that this particular example was “read: connection reset by peer.” That’s worth turning into a more informative error.


@iamsram, it seems like you have some pre-existing problem with your setup because doesn’t work in a browser and also doesn’t work with openssl s_client -connect and similar commands.

Do you have any errors in your nginx logs? Or trouble with a firewall or something that prevents inbound connections on port 443?

This won’t work

Looks like you are proxying to an HTTP endpoint.

You will need to configure a self signed certificate at least for the TLS-SNI challenge to work

Otherwise try using the webroot challenge (using HTTP to serve a file)

Unless there is an include somewhere…
The vhost conf seems to be missing:
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
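As an added example (not code from the thread, certbot or nginx): a small Python check that splits an nginx config into server blocks and flags any TLS vhost that lacks ssl_certificate / ssl_certificate_key, which is the gap pointed out above. The sample config is the vhost from this thread with its braces closed; the certificate paths in the corrected variant are placeholders.

```python
import re

# Constructed sample: the thread's vhost, braces closed. It listens with
# ssl but has no certificate directives, so nginx cannot present any
# certificate on 443 and a TLS-based validation fails.
SAMPLE_CONF = """
server {
    listen 443 default_server ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_redirect off;
        proxy_pass http://localhost:8080;
        client_max_body_size 20m;
    }
}
server {
    listen 80;
    location / { proxy_pass http://localhost:8080; }
}
"""

# Same vhost with placeholder certificate paths added (not real files).
FIXED_CONF = SAMPLE_CONF.replace(
    "ssl_prefer_server_ciphers on;",
    "ssl_prefer_server_ciphers on;\n"
    "    ssl_certificate /path/to/placeholder/fullchain.pem;\n"
    "    ssl_certificate_key /path/to/placeholder/privkey.pem;")

def server_blocks(conf):
    """Yield the body of each server { ... } block. Hypothetical minimal
    parser: strips comments and counts braces; fine for hand-written
    vhost files, not a full nginx grammar (no include handling)."""
    text = re.sub(r"#[^\n]*", "", conf)
    i = 0
    while (m := re.search(r"\bserver\s*\{", text[i:])):
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield text[start:j - 1]
        i = j

def tls_vhost_problems(conf):
    """List server blocks that listen with ssl or on 443 but are missing
    the directives nginx needs to serve a certificate at all."""
    findings = []
    for n, body in enumerate(server_blocks(conf), 1):
        listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
        is_tls = any("ssl" in l.split() or l.split()[0].endswith("443")
                     for l in listens)
        missing = [d for d in ("ssl_certificate", "ssl_certificate_key")
                   if is_tls and not re.search(r"^\s*%s\s+\S" % d, body, re.M)]
        if missing:
            findings.append("server #%d (%s): missing %s"
                            % (n, ", ".join(listens), ", ".join(missing)))
    return findings
```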
