Selecting the Best Challenge for Mail Servers that Do Not Have Web Server

Please fill out the fields below so we can help you better.

My domain

I ran this command: sudo /Users/mark/.local/share/letsencrypt/bin/certbot certonly --webroot -w /Library/Webserver/Documents -d

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Using the webroot path /Library/Webserver/Documents for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to


  • The following errors were reported by the server:

    Type: connection
    Detail: Could not connect to

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): not for a web server

The operating system my web server runs on is (include version): OSX 10.5 PPC

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @silicontrip,

The --webroot method is only for web servers. If you’re not obtaining a certificate for a web server, you shouldn’t use --webroot. (If you can tell me where you got the suggestion to use --webroot in this case, maybe we can modify the documentation or ask someone else to modify it to make this point clearer.)

If you’re trying to get a certificate on a machine that can receive connections on port 80 but that normally doesn’t run a web server on port 80, you can use certbot certonly --standalone --preferred-challenges http-01 -d If it can receive connections on port 443 but normally doesn’t run a web server on port 443, you can use certbot certonly --standalone --preferred-challenges tls-sni-01 -d In both cases, you should omit -w because -w only makes sense with --webroot, which only makes sense when running a web server.

Is not running port 80
But is running port 443:
issuer=/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G3

So maybe tls-sni is an option for it.
is running both 80 and 443:
subject=/OU=Domain Control Validated/OU=Free SSL/
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA

Gee you guys are quick. I was in the middle of editing my post as I didn’t see anywhere to ask my question and didn’t expect it to post. But you’ve got the gist of it.

I simply followed the instructions here:

Port 443 on my mail server is actually a port forward to port 465 to get around stubborn firewalls that block mail server traffic.

If I want to listen on port 80, I’ll have to contact my ISP to put in a temporary rule to allow port 80 to that host.

But I have other devices that need certificates that I don’t have control over their web content and cannot run certbot on. Is there a way I can request certificates for subdomains of my domain?

Hi @silicontrip

Then the best option is to use the DNS challenge.

This challenge required you to add certain TXT records to prove you own domains.

The TLS challenge expects a separate certificate under an SNI (acme.invalid) and I don’t believe mail servers can be configured in this manner


1 Like

Currently the widest support for different DNS providers’ APIs for using the DNS challenge is found in the client. Certbot is working on adding more of these too.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.