Let’s Encrypt – tls: handshake failure [Cloudflare]

You just launched an aMiSTACX stack and are ready to grab your free certificate from Let’s Encrypt. You followed all the directions, but when you go through the Let’s Encrypt process it throws an ugly error: tls: handshake failure

If only everything were so easy to resolve, and believe me, I have fallen to this error myself a few times. I start frantically checking all of my settings and forget to check the most obvious one.

All you need to do is log into your Cloudflare console, where you set your DNS A record, and flip the cloud to grey (DNS only, so the name resolves straight to your server instead of the Cloudflare proxy). That’s it! Now re-run the cert process. When it finishes, you can flip your little cloud back to orange.

Tip! Also make sure port 80 outbound is open.

Video: aMiSTACX Cloudflare + Let’s Encrypt Segment >>

Also, since you are now using a real certificate on your server, make sure your Cloudflare SSL/TLS mode is set to FULL; you won’t require the Flexible option.

CertBot Cron Auto-Renewals

The same thing that prevents you from obtaining a certificate while the Cloudflare CDN is enabled [orange cloud] will also cause the cron auto-renewal process to error.

Because there are so many potential variations, we suggest that customers who require a fully automated process use the webroot auto-renewal method. Otherwise, the easiest way to renew the certificate before it expires [every 90 days] when using Cloudflare is to flip the orange cloud next to the A record to grey, and then issue the following commands from the CLI on the EC2 aMiSTACX server:

sudo /usr/bin/certbot-auto renew

Then depending on your stack:

sudo service apache2 restart

sudo service nginx restart

Now turn the CDN back on by flipping the cloud back to orange.
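The step people forget is the first one, so here is an added pre-flight check (not part of the original post or the aMiSTACX tooling) that refuses to run the renewal while the A record still resolves to the Cloudflare proxy rather than your origin, and confirms something is listening on port 80 for the HTTP-01 challenge. The domain, the origin's public IP, and the availability of dig and ss are assumptions.

```shell
#!/bin/sh
# Pre-flight check before "certbot-auto renew" on a Cloudflare-fronted origin.
# Added example; DOMAIN and ORIGIN_IP are placeholders you supply.

# Return 0 when the resolved A records include the origin IP (grey cloud),
# 1 when they point elsewhere (orange cloud / proxied) or nothing resolved.
dns_points_to_origin() {
  # $1 = space-separated resolved addresses, $2 = origin public IP
  for addr in $1; do
    [ "$addr" = "$2" ] && return 0
  done
  return 1
}

# Return 0 when an "ss -ltn" listing shows a TCP listener on port 80.
port80_listening() {
  # $1 = listener table text; data rows carry the local address in column 4
  printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /:80$/ { found = 1 } END { exit !found }'
}

preflight() {
  domain=$1; origin_ip=$2
  resolved=$(dig +short A "$domain" | tr '\n' ' ')
  if ! dns_points_to_origin "$resolved" "$origin_ip"; then
    echo "$domain resolves to [$resolved], not $origin_ip: cloud is still orange, aborting" >&2
    return 1
  fi
  if ! port80_listening "$(ss -ltn)"; then
    echo "nothing is listening on port 80; the HTTP-01 challenge will fail" >&2
    return 1
  fi
  echo "$domain points at the origin and port 80 is listening; safe to renew"
}

# Usage: sh preflight.sh example.com 203.0.113.10 && sudo /usr/bin/certbot-auto renew
if [ -n "$1" ] && [ -n "$2" ]; then
  preflight "$1" "$2"
fi
```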

If you are NOT using Cloudflare and you still get tls: handshake failure, then make sure your DNS resolves correctly and that ports 80 and 443 are open.