Selecting The Right Challenge for VirtualBox Hosting Environment


Please fill out the fields below so we can help you better.

My domain is:

I ran this command: ./certbot-auto certonly --standalone --email -d

It produced this output: Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to for TLS-SNI-01 challenge


  • The following errors were reported by the server:

    Type: connection
    Detail: Failed to connect to for TLS-SNI-01

My operating system is (include version): Windows 10

My web server is (include version): Node Js v6.9.2/ express@4.11.2

My hosting provider, if applicable, is: Me, lol

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, I have an emulated version of Ubuntu and Kali that I can use. The server is hosted on Windows but has a shared folder.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I also tried using webroot. I can access it normally and with automated traffic. Sometimes I put on a firewall when I’m away, but I disabled that when running the command and waited a while to check it worked.


@TrueBoxGuy, are you saying that you’re running Certbot inside an emulator on your machine? In that case, is the inbound port 443 mapped into the emulator so that emulated programs can receive incoming network connections?


Yes, it has its own IP. It uses normal VirtualBox settings, and I can access the website from the VM.


Sorry, I’m a bit confused about your setup.

You have two different IP addresses, one for the Windows host and one for the emulated Ubuntu? Is the Ubuntu guest also running a web server?


The Ubuntu is connected to a shared folder where the server files are, but the server runs on Windows. I don’t think this causes a problem as it is a connection error.


Unfortunately, that isn’t compatible with the way that --standalone works. The --standalone option is designed to be used on a server that can directly receive incoming TCP connections from the Internet. --standalone is meant as an alternative to having an existing web server running, and doesn’t work properly in conjunction with one.

If you can write files into the Windows web server’s web content directory via the shared folder, you can probably get a certificate with --webroot instead of --standalone. In this case you might say something like

./certbot-auto certonly --webroot -w /mapped/shared/folder/location -d

This assumes that the mapped shared folder is the “web root”, corresponding to the top level of your web site (e.g., putting a file “foo.txt” in the shared folder would result in its appearing on from the outside world’s point of view).
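Before running the `--webroot` command above, it is worth confirming that the shared-folder mapping really is the web root and that the Windows server serves it over plain HTTP on port 80, which is what the HTTP-01 validation requires. The following pre-flight script is an added example for this thread, not certbot’s own code or anything the original poster ran: it drops a random token file into `<webroot>/.well-known/acme-challenge/` (the same location certbot’s webroot plugin uses), fetches it the way an outside validator would, and compares the bodies. The web root path, the domain and the probe token are placeholders or constructed values.

```python
"""Pre-flight check for certbot --webroot: confirm that a file written into the
web root is served at http://<domain>/.well-known/acme-challenge/<name>.

Added example for this thread, not certbot's own code. The web root path and
domain are supplied by the caller; the probe file name and token are constructed.
"""
import os
import secrets
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Relative directory the HTTP-01 challenge is served from.
CHALLENGE_SUBDIR = os.path.join(".well-known", "acme-challenge")


def write_probe(webroot: str) -> Tuple[str, str]:
    """Create <webroot>/.well-known/acme-challenge/<random-name> containing a
    random token, mirroring what the webroot plugin does during HTTP-01.
    Returns (file name, token)."""
    challenge_dir = os.path.join(webroot, CHALLENGE_SUBDIR)
    os.makedirs(challenge_dir, exist_ok=True)
    name = "probe-" + secrets.token_urlsafe(12)
    token = secrets.token_urlsafe(32)
    with open(os.path.join(challenge_dir, name), "w", encoding="ascii") as fh:
        fh.write(token)
    return name, token


def challenge_url(domain: str, name: str) -> str:
    """HTTP-01 validation always begins over plain HTTP on port 80, so the
    scheme is fixed here; a host that only listens on 443 will fail the probe."""
    return f"http://{domain}/.well-known/acme-challenge/{name}"


def fetch(url: str, timeout: float = 10.0) -> Optional[str]:
    """Fetch the probe as an external validator would; None on any error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace").strip()
    except (urllib.error.URLError, OSError):
        return None


def probe_matches(fetched: Optional[str], token: str) -> bool:
    """The served body must equal the token we wrote, not merely be non-empty:
    a catch-all 200 page from an SPA router would otherwise look like success."""
    return fetched is not None and fetched == token


def preflight(webroot: str, domain: str) -> bool:
    """Write a probe into the (shared-folder) web root, fetch it over HTTP on
    port 80 and compare. True means the mapping works for the webroot plugin."""
    name, token = write_probe(webroot)
    try:
        return probe_matches(fetch(challenge_url(domain, name)), token)
    finally:
        # Always clean up so stale probe files do not accumulate in the web root.
        os.remove(os.path.join(webroot, CHALLENGE_SUBDIR, name))


if __name__ == "__main__":
    import sys
    # Usage: python preflight.py /mapped/shared/folder/location example.com
    ok = preflight(sys.argv[1], sys.argv[2])
    print("webroot mapping OK" if ok else "probe not reachable on port 80")
    sys.exit(0 if ok else 1)
```

A successful run means certbot’s webroot plugin has a good chance of succeeding; a failure points at either the shared folder not being the web root or the server not answering on port 80, which is exactly the distinction the rest of this thread turns on.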


A publicly accessible IP address? Or did you portmap/open port 443 to exactly that IP address?


The server has a public IP, but I can access 443 from Ubuntu. I will try your command.


I didn’t understand what you mean by “access 443 from Ubuntu”. Like connect to port 443 of the server from Ubuntu? The trouble with --standalone is that it expects to serve port 443 (to take over at the server for that port!), not to be able to connect to port 443.


I am changing to your webroot method of doing it, as I realised that I’m not supposed to do that. Facepalm.


I’m running it on 443, I can’t use 80, and now I’m getting this:
Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin


I tried on 80, but it says there are too many certificates on so I’ll just get another DNS.


I have made a new domain and will wait for the DNS servers to update.


By the way, webroot inherently requires port 80 and can’t work on port 443. (I guess that was OK because you said below you tried on port 80.)


If (feels easy to type the wrong number of "o"s!) is a public dynamic DNS provider, they could also get added to the Public Suffix List

and this limit would be removed, and also cookies would be handled more correctly by browsers (not shared across multiple users’ sites). Some other public dynamic DNS providers have gotten themselves added, but the request has to come from the provider itself, not an end user.


Thank you so much, I will tell you if I have any problems tomorrow when the DNS is updated and I can access my normal domain!

