Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

alexjustesen's avatar

Unable to obtain LetsEncrypt SSL cert (some challenges have failed)

Hey all

I'm trying to deploy a site to Forge and running into an issue when trying to add an SSL certificate using LetsEncrypt.

I'm using Cloudflare as my DNS provider and DigitalOcean as my server provider. The DO server has a floating IP address which is what I added to Cloudflare's DNS records.

Below is the error output, any help would be greatly appreciated.

--2019-06-18 19:47:26--  https://forge-certificates.laravel.com/le/####/####?env=production
Resolving forge-certificates.laravel.com (forge-certificates.laravel.com)... ###.##.#.##, ###.##.#.##, ####:####:##::####:###, ...
Connecting to forge-certificates.laravel.com (forge-certificates.laravel.com)|###.##.#.##|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘letsencrypt_script1560887246’

     0K ..                                                     26.4M=0s

2019-06-18 19:47:26 (26.4 MB/s) - ‘letsencrypt_script1560887246’ saved [2746]

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for justesen.tech
dns-01 challenge for justesen.tech
Unsafe permissions on credentials configuration file: letsencrypt/creds.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain justesen.tech
Challenge failed for domain justesen.tech
dns-01 challenge for justesen.tech
dns-01 challenge for justesen.tech
Cleaning up challenges
Some challenges have failed.
cp: cannot stat '/etc/letsencrypt/live/certificate/privkey.pem': No such file or directory
cp: cannot stat '/etc/letsencrypt/live/certificate/fullchain.pem': No such file or directory
0 likes
7 replies
mstrauss's avatar

I saw this reply post on the Medium article you referenced and since it also mentions Cloudflare, I thought it might be applicable to your question. Especially since your error output includes Challenge failed for... (DNS).

I hope this helps!

DigiProduct's avatar

@alexjustesen This isn't a direct answer to your question, but you might find it helpful info anyway.

I wanted to implement a Laravel site via Digital Ocean and was having some difficulty with Laravel Forge, so did some searching here on Laracasts, and while doing that came across a thread about Forge Alternatives

https://laracasts.com/discuss/channels/servers/forge-alternatives

In that thread I found a mention of https://moss.sh and decided to try it out ... it does LetsEncrypt too ... and it's much easier than Forge

And, they have Live Chat too ... so you can get a real person to help you.

Hope that helps.

alexjustesen's avatar
alexjustesen
OP
6 years ago
Best Answer
Level 2

Alright, so figured it out.

Needed to change Cloudflare's SSL setting to "Flexible" to reach the web server (Crypto -> SSL). You can then issue an SSL cert, once that's done change the SSL settings on Cloudflare back to "Full" per the articles recommendations.

1 like
ndr3svt's avatar

Hey all, I found a useful solution for this problem.

In Cloudflare you can generate origin SSL /TLS at the dashboard under Overview make sure that Full (Strict) is selected. You want Full Strict for certain third party services to work without issues. We had some trouble with AWS once we switched from Full Strict to Full.

And under SSL/TLS -> Origin Server-> Origin Certificates, Click on -> Create Certificate

Here you can create certificates. I used the RSA encryption algorithm, and under hostnames you can add as many hostnames as you wish which are associated to your maintained sites under Forge, including their wildcards

After creating your Certificates, copy your certificate and your key and store it in a safe location. It is better to maintain open this section as once is closed you will never be able to see the key again.

Proceed then to your Site Dashboard in Forge, and under SSL instead of using Let's Encrypt, use Install Existing Copy and Paste both, the key and the certificate in the corresponding text fields, and click on "Install Certificate", it will quickly proceed and you shall see an "Activate" button. Verify as well that your Nginx Configuration File has the correct paths to the certificate and the key "Edit Files" -> "Edit Nginx Configuration"

and then edit or uncomment the lines pasting the path to your certificate and for the key use the same path but replace .crt with .key

FORGE SSL (DO NOT REMOVE!)

ssl_certificate /etc/nginx/ssl/yoursubdomain.yourdomain.com/123456/server.crt;
ssl_certificate_key /etc/nginx/ssl/yoursubdomain.yourdomain.com/123456/server.key;

Click on Save and you should see a green confirmation that the configuration file is ok. If there is an error you will see a red text and an error message pointing at a missing certificate file or other corrupt configuration.

Click on the button "Activate", wait for the Active confirmation to appear and you are set. You should be able to access your sites in secure mode with no bad SSL handshakes or any other trouble.

The certificates are btw. valid for 15 years... but you can modify this upon creation

2 likes
Inigo's avatar

@ndr3svt No idea how this comment has sat here for 2 years with zero responses and zero upvotes... THANK YOU!

Please or to participate in this conversation.