Using --staging flag is successful, Fails without it

I am going to be honest, I thought I was going to be done securing my site with TLS 3 hours ago but boy was I wrong. There is usually not an error I can’t fix after a few minutes but this is just ridiculous. When generating a certificate with the staging server everything works. As soon as I remove --staging from the command I get the error below. I am running my site through Cloudflare but I have disabled the routing option so it only acts as a DNS. Any help would be appreciated. It is fairly late so I do not expect a reply tonight and I will update with any solutions I find in the meantime.

My domain is:

I ran this command: sudo certbot certonly --webroot --webroot-path=/var/www/html/arkservers -d -d

It produced this output:
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Using the webroot path /var/www/html/arkservers for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout, (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout


My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Well of course I have resolved this issue. I decided to use the command that does everything for you (certbot --nginx) and it magically worked. Funny because I ran this command earlier and it failed to change the configuration files.

Hi @wfisher,

certbot --webroot and certbot --nginx use very different methods of providing your control over the domain name, so the fact that one of them worked and the other didn’t suggests that the problem is something about your network configuration that was a problem for ACME HTTP-01 authentication and not for TLS-SNI-01.

Right now I’m seeing some redirection loops, but I’m not sure whether those existed when you were testing before.

It does look like you’ve re-enabled Cloudflare as a CDN. One thing you should be careful about is that the TLS-SNI-01 authentication method used by certbot --nginx does not work for hosts behind CDNs (it requires a direct HTTPS connection with the machine running Certbot, not a proxy). By contrast, the HTTP-01 authentication method used by certbot --webroot does work behind CDNs. So, renewals with certbot renew will not work unless you disable Cloudflare proxying at the moment of the renewal or else figure out how to switch the authentication back to HTTP-01 and get that to work.

I’m sure I and other people on the forum would be happy to help you try to figure out what’s going on with the HTTP-01 authentication if you’d like. (You don’t necessarily have to disable Cloudflare to try it again.)

1 Like
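The HTTP-01 method discussed above boils down to one thing: the CA must be able to fetch a token file from `http://<domain>/.well-known/acme-challenge/<token>` and read the token back. The "Fetching Timeout" in the original post means that fetch never completed. The script below is an added example, not certbot's code or anything posted in this thread: it places a random token under the given webroot, fetches it back over HTTP the way a validator would, and reports whether the round trip succeeds, so a webroot or proxy problem shows up before a real issuance is attempted. The webroot path `/var/www/html/arkservers` is the one from the thread; the domain and the loopback demo server are assumptions.

```python
"""Pre-flight check for the HTTP-01 webroot method (added example, not certbot's code)."""
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Path an ACME HTTP-01 validator requests, relative to the web server root.
CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot):
    """Write a random token file where certbot --webroot would put its challenge."""
    token = secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_path = challenge_dir / token
    token_path.write_text(token)
    return token, token_path


def fetch_token(base_url, token, timeout=10.0):
    """Fetch the token over plain HTTP; redirects are followed, as a CA would."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace").strip()


def preflight(webroot, base_url):
    """True if a token written to `webroot` is served back verbatim at `base_url`."""
    token, token_path = place_token(webroot)
    try:
        status, body = fetch_token(base_url, token)
        return status == 200 and body == token
    except (urllib.error.URLError, OSError):
        # Timeout, refused connection, 404 from a wrong webroot, proxy error, ...
        return False
    finally:
        token_path.unlink(missing_ok=True)  # leave no stray challenge files behind


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""

    def log_message(self, format, *args):
        pass


def serve_webroot(webroot):
    """Serve `webroot` on a random loopback port (offline stand-in for nginx)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Offline demonstration: correct webroot passes, wrong webroot fails with 404."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        server = serve_webroot(webroot)
        base_url = f"http://127.0.0.1:{server.server_address[1]}"
        try:
            good = preflight(webroot, base_url)   # token lands where the server looks
            bad = preflight(other, base_url)      # token lands in an unserved directory
        finally:
            server.shutdown()
            server.server_close()
        return good, bad


if __name__ == "__main__":
    print("loopback demo (expect True, False):", demo())
    # Real pre-flight against a live host (assumed domain; run as root so the
    # token can be written into the nginx webroot used in the thread):
    # print(preflight("/var/www/html/arkservers", "http://example.com"))
```

Run against the real domain, a `False` result while the loopback demo passes points at the network path between the CA and nginx (DNS, firewall, or a proxy in front of the host) rather than at the webroot itself, which is the distinction the reply above draws between HTTP-01 and TLS-SNI-01 failures.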

Thanks for the reply! Redirects were due to a merge of nginx configs I did where http was directing to https then back. I fixed that and as of now I have everything working. As for the issue with Cloudflare, I may just disable it for now as I only really use it to keep all of my DNS information on a central platform.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.