1. General Results, most used to calculate the result A name "103.254.12.55" is ipv4 address, public suffix is not defined A good: All ip addresses are public addresses A Good: No cookie sent via http. A Good: Some urls with http status 200/404 have a complete Content-Type header (MediaType / MediaSubType + correct charset):1 complete Content-Type - header (4 urls) http://103.254.12.55/ 103.254.12.55 Url with incomplete Content-Type - header - missing charset https://103.254.12.55/ 103.254.12.55 Url with incomplete Content-Type - header - missing charset https://103.254.12.55/ 103.254.12.55 Url with incomplete Content-Type - header - missing charset B https://103.254.12.55/ 103.254.12.55 Missing HSTS-Header C Error - more then one version with Http-Status 200. After all redirects, all users (and search engines) should see the same https url: Non-www or www, but not both with http status 200. H Fatal error: http result with http-status 200, no encryption. Add a redirect http ⇒ https, so every connection is secure. Perhaps in your port 80 vHost something like "RewriteEngine on" + "RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]" (two rows, without the "). Don't add this in your port 443 vHost, that would create a loop. N https://103.254.12.55/ 103.254.12.55 Error - Certificate isn't trusted, RemoteCertificateNameMismatch N https://103.254.12.55/ 103.254.12.55 Error - Certificate isn't trusted, RemoteCertificateNameMismatch N 103.254.12.55:2222 Error - Certificate isn't trusted, RemoteCertificateNameMismatch 2. DNS- and NameServer - Checks 3. Content- and Performance-critical Checks A Good: All checks /.well-known/acme-challenge/random-filename without redirects answer with the expected http status 404 - Not Found. Creating a Letsencrypt certificate via http-01 challenge should work. If it doesn't work: Check your vHost configuration (apachectl -S, httpd -S, nginx -T). Every combination of port and ServerName / ServerAlias (Apache) or Server (Nginx) must be unique. Merge duplicated entries in one vHost. If you use an IIS, extensionless files must be allowed in the /.well-known/acme-challenge subdirectory. Create a web.config in that directory. Content: <configuration><system.webServer><staticContent><mimeMap fileExtension="." mimeType="text/plain" /></staticContent></system.webServer></configuration>. If you have a redirect http ⇒ https, that's ok, Letsencrypt follows such redirects to port 80 / 443 (same or other server). There must be a certificate. But the certificate may be expired, self signed or with a not matching domain name. Checking the validation file Letsencrypt ignores such certificate errors. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask. A Good: No https + http status 200 with inline CSS / JavaScript found A Good: Every https result with status 200 has a minified Html-Content with a quota lower then 110 %. https://103.254.12.55/ 103.254.12.55 Warning: Https connections (Standard Port 443) found without support of the http/2 protocol via ALPN. Http/2 is the new Http-Version (old: http 1.1) with some important new features. Update your server software so http/2 is available. Only one TCP-connection per Server (that's a performance boost), Header-Compression and Server Pushs are available. Domain Sharding and Inline-CSS/Javascript shouldn't used with http/2. https://103.254.12.55/ 103.254.12.55 Warning: Https connections (Standard Port 443) found without support of the http/2 protocol via ALPN. Http/2 is the new Http-Version (old: http 1.1) with some important new features. Update your server software so http/2 is available. Only one TCP-connection per Server (that's a performance boost), Header-Compression and Server Pushs are available. Domain Sharding and Inline-CSS/Javascript shouldn't used with http/2. A Info: No img element found, no alt attribute checked A Duration: 40910 milliseconds, 40.910 seconds