Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: certbot --staging --standalone certonly --preferred-challenges tls-sni
It produced this output: certbot --staging --standalone certonly --preferred-challenges tls-sni
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):clilime.com www.clilime.com
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for clilime.com
tls-sni-01 challenge for www.clilime.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. clilime.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b07a3135a202151914d59a27c6edc309.d789997d2571422fd76871be986d0c9f.acme.invalid from 130.204.138.26:443. Received 1 certificate(s), first certificate had names “localhost”, www.clilime.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b80be39318dd965cd7a08757e4705c1f.2a865c01005741f503940416d08cca2f.acme.invalid from 130.204.138.26:443. Received 1 certificate(s), first certificate had names “localhost”
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: clilime.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
b07a3135a202151914d59a27c6edc309.d789997d2571422fd76871be986d0c9f.acme.invalid
from 130.204.138.26:443. Received 1 certificate(s), first
certificate had names “localhost”
Domain: www.clilime.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
b80be39318dd965cd7a08757e4705c1f.2a865c01005741f503940416d08cca2f.acme.invalid
from 130.204.138.26:443. Received 1 certificate(s), first
certificate had names “localhost”
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
My web server is (include version): No web server, hence the standalone and certonly. It’s meant for an app server.
The operating system my web server runs on is (include version): Debian 9
My hosting provider, if applicable, is: godaddy
I can login to a root shell on my machine (yes or no, or I don’t know): yes, running with root from virtual machine
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
And yes, it is serving a self-signed certificate covering the localhost domain:
$ echo | openssl s_client -connect clilime.com:443 -servername clilime.com
CONNECTED(00000003)
depth=0 CN = localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = localhost
verify return:1
---
Certificate chain
0 s:/CN=localhost
i:/CN=localhost
---
Server certificate
subject=/CN=localhost
issuer=/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1168 bytes and written 322 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 59E60F31D8988364E9921D6C73B01234C277BB5838F35C0A9DCE49C26345A7E5
Session-ID-ctx:
Master-Key: DC898649BDE3256E2C88615618B0B63F7E6D2EB6E182DE1D73E23FC6B9EEC18D715F6CED6D01D9B1D1F757DAE3EA1F52
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1508249393
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
DONE
So, certbot can't bind to port 443 to serve the TLS-SNI-01 challenge because WildFly is already listening on this port. If you want to use standalone mode, you should stop the WildFly server first.
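
Added example, not part of the original thread: a pre-flight check that reports which process already holds port 443 before certbot's standalone mode is started. The function names and the sample listing are constructed for illustration; the process name "java" stands in for an app server such as WildFly.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight check for `certbot --standalone`.

# listeners_on_port PORT: read `ss -ltnp` output on stdin and print
# "process local-address" for every TCP listener bound to PORT.
listeners_on_port() {
    awk -v want="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")      # port is whatever follows the last colon
            if (parts[n] != want) next
            name = "unknown"               # ss shows no process without enough privileges
            if (match($0, /users:\(\("[^"]+"/))
                name = substr($0, RSTART + 9, RLENGTH - 10)
            print name, $4
        }'
}

# preflight PORT: succeed only when nothing in the listing on stdin holds PORT.
preflight() {
    holders=$(listeners_on_port "$1")
    [ -z "$holders" ] && return 0
    printf 'port %s is taken, stop this listener first:\n%s\n' "$1" "$holders" >&2
    return 1
}

# Constructed sample listing (hypothetical PIDs), shaped like `ss -ltnp` output.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=612,fd=3))
LISTEN  0       50      0.0.0.0:443         0.0.0.0:*     users:(("java",pid=1834,fd=512))
LISTEN  0       50      :::8443             :::*          users:(("java",pid=1834,fd=513))
EOF
}

# Real use, as root:
#   ss -ltnp | preflight 443 && certbot --staging --standalone certonly --preferred-challenges tls-sni
sample_ss_output | listeners_on_port 443
```

If the check names a listener, the validation request reaches that server rather than certbot, which is why the CA saw the "localhost" certificate.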