You just launched an aMi STACK, and you are ready to grab your Free Cert from Let’s Encrypt, you followed all the directions, and when you go through the Let’s Encrypt process it throws an ugly error: tls: handshake failure
Only if everything was so easy to resolve, and believe me I have fallen to this error myself a few times. I start frantically checking all of my settings, and forget to check the most obvious.
All you need to do is log into your CloudFlare console where you have set your DNS A record, and flip the cloud to grey! That’s it! Now re-run the cert process. When finished, you can just flip your little cloud back to orange.
Also, since you are using a real certificate, make sure your CloudFlare is set to FULL as you won’t require the flexible option.
CertBot Cron Auto-Renewals
The same reason you can not obtain a cert when on the CloudFlare CDN when obtaining a certificate [CDN Enabled], will also cause the cron auto-renewal process to error.
Because there are so many potential variations, we suggest customers that require a full automated process use the webroot auto-renewal process; otherwise, the easiest way to obtain a certificate prior to expiration [Every 90 days] when using CloudFlare, is to put the orange cloud next to the A record to “grey”, and then from the CLI on the EC2 aMi STACX server issue the following commands:
sudo /usr/bin/certbot-auto renew
Then depending on your stack:
sudo service apache2 restart
sudo service nginx restart
Now turn the CDN back on by flipping the cloud back to orange.
If you are NOT using CloudFlare and you are getting a tls: handshake failure then you need to make sure your DNS resolves correctly and that the PORTS are open for 80 & 443.