Verification error of the website when obtaining SSL certificate in Ubuntu 16.04

My domain is: futurestartuphero.com

I ran this command: sudo certbot --nginx -d futurestartuphero.com -d www.futurestartuphero.com

It produced this output:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.futurestartuphero.com
    Type: tls
    Detail: remote error: tls: handshake failure

    Domain: futurestartuphero.com
    Type: tls
    Detail: remote error: tls: handshake failure

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    you have an up-to-date TLS configuration that allows the server to
    communicate with the Certbot client.

My web server is (include version): Ubuntu Server

The operating system my web server runs on is (include version): 16.04

My hosting provider, if applicable, is: digitalocean.com

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Not understood

NOTE
I have tried to generate ssl certificate by following this tutorial https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04.
It’s just at the part that says `sudo certbot --nginx -d example.com -d www.example.com` that it throws me the error:

```
hero@ubuntu-512mb-nyc3-01:~$ sudo certbot --nginx -d futurestartuphero.com -d www.futurestartuphero.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for futurestartuphero.com
tls-sni-01 challenge for www.futurestartuphero.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.futurestartuphero.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure, futurestartuphero.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure
```
I do my DNS resolution with CLOUDFLARE, and everything goes well as far as I can see. Could you guide me on how to solve this problem?
I attach my DNS record

You’re using Cloudflare not just for DNS but also for its reverse proxy functionality. This means that when a browser (or the Let’s Encrypt validation server) connects to your domain, they actually connect to Cloudflare rather than your server which appears to be on Digital Ocean.

This means:

  1. You need a certificate on Cloudflare’s proxy for HTTPS to work for your users. Cloudflare provides this as a free service, you just need to enable it (and in fact it seems you, or they, have already done so, as your site is currently available over HTTPS with their provided certificate). This secures the connection from your users to Cloudflare’s proxy.
  2. You probably also want to secure the connection from Cloudflare to Digital Ocean. You can do this with a Let’s Encrypt certificate, but it won’t work with the --nginx plugin because that relies on your server controlling the TLS endpoint (when in fact Cloudflare controls it). However you should be able to use --webroot or -a webroot -i nginx instead. Alternatively Cloudflare provides a service that they call “Origin CA” which can be used for the same purpose.

Sorry I can’t provide more detailed help as I don’t use Cloudflare myself.


Thank you very much for your great response, and I didn’t know that CloudFlare had that service; in this case HTTPS was enabled automatically, I did not make any changes.
My questions based on this:
1. Where can I currently redirect all the requests that come from www or http to HTTPS, in Nginx?
My current basic configuration is found in:

/etc/nginx/sites-available/my_site

I have it in server_name:

server_name futurestartuphero.com www.futurestartuphero.com;

2. Would this Cloudflare service really be a 100% reliable option?
Thank you

You can do this in Cloudflare itself, at least the HTTP to HTTPS bit can be done by enabling the "Always use HTTPS" setting. They also have page rules that can be used for the other redirects, apparently.

If you prefer to do it with nginx, I think (if I'm reading this correctly) the best route may be to set up Let's Encrypt first, to encrypt the connection from Cloudflare to Digital Ocean, and enable "Full SSL (Strict)" mode in Cloudflare. (You may want to do this anyway for better security, and certbot -a webroot -i nginx can do some of the configuration work for you). After that I believe you should be able to get the redirects working by following any standard nginx redirect tutorial.

As I said, I don't use it myself, so I can't comment on how reliable it is. Maybe someone else can.
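An added example of what the two answers above describe, not configuration from the thread or from any of its participants: an nginx site on the Digital Ocean origin that lets certbot's webroot authenticator answer challenges on port 80 and redirects everything else to HTTPS on the bare domain. It assumes a webroot of `/var/www/html` (passed to certbot with `-w /var/www/html`) and the certificate paths certbot writes under `/etc/letsencrypt/live/<domain>/`.

```nginx
# Port 80: answer ACME challenges from the webroot, redirect the rest
server {
    listen 80;
    server_name futurestartuphero.com www.futurestartuphero.com;

    # certbot -a webroot -w /var/www/html places challenge files here;
    # keep this location before the redirect so validation is not redirected
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Everything else (http and www) goes to the canonical HTTPS hostname
    location / {
        return 301 https://futurestartuphero.com$request_uri;
    }
}

# Port 443, www hostname: redirect to the bare domain
server {
    listen 443 ssl;
    server_name www.futurestartuphero.com;

    ssl_certificate     /etc/letsencrypt/live/futurestartuphero.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/futurestartuphero.com/privkey.pem;

    return 301 https://futurestartuphero.com$request_uri;
}

# Port 443, bare domain: the site itself
server {
    listen 443 ssl;
    server_name futurestartuphero.com;

    ssl_certificate     /etc/letsencrypt/live/futurestartuphero.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/futurestartuphero.com/privkey.pem;

    root /var/www/html;
    index index.html;
}
```

Because port 80 on the origin now redirects to HTTPS, Cloudflare must talk to the origin over HTTPS ("Full" or, better, "Full (Strict)" mode as suggested above); in "Flexible" mode Cloudflare fetches the origin over plain HTTP and the redirect loops.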


Thank you very much jmorahan for all your answers, so illustrative that they have helped me a lot with my problem.


Sure, more or less. It's just a certificate. You issue it and then install it on your server. On the off chance Cloudflare's website or API is down when you want to create it, you can wait until later.

Cloudflare's Origin certificates can be valid for up to 15 years, so you don't have to renew much.

