To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
you have an up-to-date TLS configuration that allows the server to
communicate with the Certbot client.
My web server is (include version): Ubuntu Server
The operating system my web server runs on is (include version): 16.04
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for futurestartuphero.com
tls-sni-01 challenge for www.futurestartuphero.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.futurestartuphero.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure, futurestartuphero.com (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: remote error: tls: handshake failure
I do my DNS resolution with Cloudflare, and everything goes well as far as I can see. Could you guide me on how to solve this problem?
I attach my DNS record
You’re using Cloudflare not just for DNS but also for its reverse proxy functionality. This means that when a browser (or the Let’s Encrypt validation server) connects to your domain, they actually connect to Cloudflare rather than your server which appears to be on Digital Ocean.
This means:
You need a certificate on Cloudflare’s proxy for HTTPS to work for your users. Cloudflare provides this as a free service, you just need to enable it (and in fact it seems you, or they, have already done so, as your site is currently available over HTTPS with their provided certificate). This secures the connection from your users to Cloudflare’s proxy.
You probably also want to secure the connection from Cloudflare to Digital Ocean. You can do this with a Let’s Encrypt certificate, but it won’t work with the --nginx plugin because that relies on your server controlling the TLS endpoint (when in fact Cloudflare controls it). However you should be able to use --webroot or -a webroot -i nginx instead. Alternatively Cloudflare provides a service that they call “Origin CA” which can be used for the same purpose.
Sorry I can’t provide more detailed help as I don’t use Cloudflare myself.
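As an added illustration of the webroot route described above (this is example configuration, not something posted in the thread or provided by Cloudflare; the webroot path /var/www/html is an assumption): with -a webroot, certbot uses the http-01 challenge, which works here because Cloudflare's proxy forwards requests for /.well-known/acme-challenge/ to the origin over plain HTTP, whereas tls-sni-01 fails because Cloudflare, not the origin, answers the TLS handshake.

```nginx
# Added example, not from the thread: origin nginx server block that lets
# certbot's webroot authenticator pass http-01 validation while Cloudflare's
# proxy sits in front of the server.
# Assumptions: site files and webroot both live under /var/www/html.

server {
    listen 80;
    listen [::]:80;
    server_name futurestartuphero.com www.futurestartuphero.com;

    # Cloudflare fetches /.well-known/acme-challenge/<token> from the origin
    # on behalf of the Let's Encrypt validator. The token file must be served
    # straight from disk: no redirect, no auth, no rewrite on this prefix.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
    }

    location / {
        root /var/www/html;
        index index.html;
    }
}
```

Before running certbot, create a throwaway file such as /var/www/html/.well-known/acme-challenge/test containing "ok" and fetch http://futurestartuphero.com/.well-known/acme-challenge/test from outside the server; if "ok" comes back, the path reaches the origin through Cloudflare. Then run `sudo certbot certonly -a webroot -w /var/www/html -d futurestartuphero.com -d www.futurestartuphero.com` (or `-a webroot -i nginx` to have certbot also edit the server block). One caveat: if Cloudflare's "Always use HTTPS" is enabled, the validator follows the redirect and Cloudflare then contacts the origin the way its SSL mode dictates, so keep the same acme-challenge location in the port 443 server block as well once one exists.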
Thank you very much for your great response. I did not know that CloudFlare had that service; in this case HTTPS was enabled automatically, I did not make any changes.
My questions based on this:
1.- Where can I currently redirect all requests that come from www or http to https, in nginx?
My current basic configuration is found in:
You can do this in Cloudflare itself, at least the HTTP to HTTPS bit can be done by enabling the "Always use HTTPS" setting. They also have page rules that can be used for the other redirects, apparently.
If you prefer to do it with nginx, I think (if I'm reading this correctly) the best route may be to set up Let's Encrypt first, to encrypt the connection from Cloudflare to Digital Ocean, and enable "Full SSL (Strict)" mode in Cloudflare. (You may want to do this anyway for better security, and certbot -a webroot -i nginx can do some of the configuration work for you). After that I believe you should be able to get the redirects working by following any standard nginx redirect tutorial.
As I said, I don't use it myself, so I can't comment on how reliable it is. Maybe someone else can.
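One way to do the redirects in nginx once the origin has its own Let's Encrypt certificate and Cloudflare is set to Full SSL (Strict), added here as an example rather than taken from the thread. The certificate paths follow certbot's default layout under /etc/letsencrypt/live/, with the lineage name assumed to be futurestartuphero.com (the first name passed with -d), and the webroot is assumed to be /var/www/html.

```nginx
# Added example, not from the thread. Assumes Cloudflare's SSL mode is
# Full (Strict). With Flexible SSL, Cloudflare connects to the origin over
# port 80 even for HTTPS visitors, so the port-80 redirect in block 1 would
# send every request into a redirect loop.
# Certificate paths assume certbot's default lineage name futurestartuphero.com.

# 1. Anything on port 80, either hostname -> https://futurestartuphero.com
server {
    listen 80;
    listen [::]:80;
    server_name futurestartuphero.com www.futurestartuphero.com;

    # Keep the challenge path answerable over HTTP so renewals keep working.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://futurestartuphero.com$request_uri;
    }
}

# 2. https://www.futurestartuphero.com -> https://futurestartuphero.com
#    The certificate covers both names, so this handshake is valid under
#    Full (Strict) and the redirect happens after it.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.futurestartuphero.com;

    ssl_certificate     /etc/letsencrypt/live/futurestartuphero.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/futurestartuphero.com/privkey.pem;

    return 301 https://futurestartuphero.com$request_uri;
}

# 3. The real site, HTTPS only, apex hostname only
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name futurestartuphero.com;

    ssl_certificate     /etc/letsencrypt/live/futurestartuphero.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/futurestartuphero.com/privkey.pem;

    # Same challenge location here, for validators arriving over HTTPS
    # after a redirect.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    root /var/www/html;
    index index.html;
}
```

Check the syntax with `sudo nginx -t` before `sudo systemctl reload nginx`, then confirm from outside the server that `curl -sI http://www.futurestartuphero.com/` returns a 301 with a Location header of https://futurestartuphero.com/ and that the same URL over https does too. If the HTTP to HTTPS half is already handled by Cloudflare's "Always use HTTPS", block 1 still does no harm, since Cloudflare in Full (Strict) only ever talks to the origin over port 443.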
Sure, more or less. It's just a certificate. You issue it and then install it on your server. On the off chance Cloudflare's website or API is down when you want to create it, you can wait until later.
Cloudflare's Origin certificates can be valid for up to 15 years, so you don't have to renew much.