Apache (Amazon Linux) - TLS-SNI Challenge Not Passing as HTTPS on Port 443 Not Available


#1

I read all the threads about this error, but I could not solve my problem in 1 month.

The following error appears when I run the command line:

sudo ./certbot-auto --debug -v --server https://acme-v01.api.letsencrypt.org/directory certonly -d mercadocaseiro.com

I imagine the problem is port 443, but I do not know how to fix it, I’ve already disabled the firewall on my machine.

FailedChallenges: Failed authorization procedure. mercadocaseiro.com (tls-sni-01): 
urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to 
connect to 54.207.89.141:443 for tls-sni-01 challenge


IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mercadocaseiro.com
   Type:   connection
   Detail: Failed to connect to 54.207.89.141:443 for tls-sni-01
   challenge

 To fix these errors, please make sure that your domain name was
 entered correctly and the DNS A record(s) for that domain
 contain(s) the right IP address. Additionally, please check that
 your computer has a publicly routable IP address and that no
 firewalls are preventing the server from communicating with the
 client. If you're using the webroot plugin, you should also verify
 that you are serving files from the webroot path you provided.

This is my httpd.conf:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName mercadocaseiro.com
ServerAlias mercadocaseiro.com *.mercadocaseiro.com
SSLEngine on
UseCanonicalName on
SSLStrictSNIVHostCheck on

LimitRequestBody 1048576

DocumentRoot /var/www/html
</VirtualHost> 
</IfModule>

Thank you!


#2

By default the Security Groups on AWS do not have inbound rule allowing connection to the port 443. Go to console and create one.

See:

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
http://blog.learningtree.com/understanding-amazon-ec2-security-groups-and-firewalls/

If you need some visual assistance, just search youtube for:

aws "security group"

So check that as a starting point and go from there.


#3

leader, thanks for answering. When I create the instances in Amazon, I already leave the Security Groups configured with the ports 22, 80 and 443.

My Inbound is like this:

HTTP TCP 80 0.0.0.0/0
SSH TCP 22 0.0.0.0/0
HTTPS TCP 443 0.0.0.0/0

#4

Are you currently running a web server on that machine that speaks HTTPS? It’s not possible to connect to https://mercadocaseiro.com/ at all.

The TLS-SNI-01 authentication method that the client is trying to use normally assumes that either (1) you already have a web server like Apache running that Certbot can configure to listen on port 443, or (2) you’re using --standalone to allow Certbot to create its own temporary web server listening on port 443.

It would seem that your Apache configuration would be appropriate here but I would then expect to be able to load https://mercadocaseiro.com/. The inability to do so does suggest a firewall problem to me, maybe still something to do with the AWS firewall.

For comparison, you could try to stop Apache and then run

echo hello | sudo nc -l 443

on your server and then

nc mercadocaseiro.com 443

on a different Internet-connected machine. If you don’t see hello, your computer is not in fact able to receive incoming connections on port 443 at all (because of a firewall or something similar).


#5

Hi schoen.

I am not accessing HTTPS because I have still not enabled it, but it is already configured in the security group of my server.

The result of the test that you gave me was this:

[ec2-user@ip-172-31-1-156 ~]$ echo hello | sudo nc -l 443
nc: Address already in use
[ec2-user@ip-172-31-1-156 ~]$ nc mercadocaseiro.com 443
hello

But I really do not know what to do to install the certificate. Now I’ll have to wait because I’ve used all possible requests trying to install.


#6

Are these on two different computers? How could the “hello” have been transmitted if the nc command failed?

The rate limit in question will expire after one hour, so you shouldn’t have to wait very long. You can also try with --staging to get a certificate from the testing server, which has much looser rate limits (but the certificates from that server are not accepted as valid by web browsers, and are just intended for testing purposes).


#7

I just tested it on my computer because I do not have another one here and the result is what I sent.

I tried again now and, for the first time, I received a different error than the one I opened this topic with:

 IMPORTANT NOTES:
   - The following errors were reported by the server:

   Domain: mercadocaseiro.com
   Type:   unauthorized
   Detail: Invalid response from
   http://mercadocaseiro.com/.well-known/acme-challenge/_sxKsAcBKs79iEOCNCcuvUBJSVl9NizY8yfiPSrD_rE:
   "<!DOCTYPE html>
   <html lang="pt-BR" class="no-js">
   <head>
           <meta charset="UTF-8">
       <link rel="profile" href="http://gmpg.o"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

#8

schoen I got it :slight_smile:

Put it in /var/www/html

But now I don’t know what to do with this orientation:

Edit your SSL config…
$ sudo nano /etc/httpd/conf.d/ssl.conf
Set SSLCertificateFile to your Certificate path (see #5 above).
Set SSLCertificateKeyFile to your Private Key path (see #5 above).
Set SSLCertificateChainFile to your Full Chain path (see #5 above).


#9

This is running with a different authentication method, which probably means a slightly different Certbot command line. The first example that you gave had an error related to TLS-SNI-01 authentication (which uses port 443 and is often a result of using --apache for your authentication in Certbot), while the newer one has an error related to HTTP-01 authentication (which uses port 80 and is often a result of using --webroot).

If you want to use the HTTP-01 authentication method, you have to identify the correct webroot directory to specify with -w and then make sure that files that Certbot creates can be served from that location.


#10

Aha, I’m glad you managed to get the certificate. (It looks like my explanation came a few seconds after your success!)

Are you familiar with using any Unix text editor to edit configuration files?


#11

I didn’t do anything different, and it worked. Indeed I used webroot for the first time.

I don’t know how to edit text files in Unix.


#12

Hi @Rafaelhgb,

There is one alternative where you can ask Certbot to install the certificate for you by editing your Apache configuration.

In order to do this, you should run exactly the same command that you previously used to obtain the certificate, but make the following changes:

  • instead of certonly, type run

  • add to the command the options -i apache --reinstall

In this case, Certbot will then try to edit your Apache configuration to install the certificate that you already have.


#13

@schoen I configured the ssl.conf file like this:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin contato@mercadocaseiro.com
        ServerName mercadocaseiro.com
        DocumentRoot /var/www/html

        SSLEngine on

        SSLCertificateFile      /mydirectory/cert.pem
        SSLCertificateKeyFile   /mydirectory/fullchain.pem
        SSLCertificateChainFile /mydirectory/privkey.pem

    </VirtualHost>
</IfModule>

And my httpd.conf is like this:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName mercadocaseiro.com
        ServerAlias mercadocaseiro.com *.mercadocaseiro.com
        SSLEngine on
        UseCanonicalName on
        SSLStrictSNIVHostCheck on

        LimitRequestBody 1048576

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile      /mydirectory/cert.pem
        SSLCertificateKeyFile   /mydirectory/fullchain.pem
        SSLCertificateChainFile /mydirectory/privkey.pem

        DocumentRoot /var/www/html
    </VirtualHost>
</IfModule>

But it’s like if my certificate was not active yet.

Do you know what could be the problem?
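A small consistency check for the kind of configuration shown in this post, added here as an example (not code from the thread or from Certbot): it reads each `SSLCertificate*File` directive, opens the file it points at and confirms the PEM block type matches the directive (certificate for `SSLCertificateFile` and `SSLCertificateChainFile`, private key for `SSLCertificateKeyFile`), and also flags a key file readable by group or others. The `demo()` function builds constructed placeholder PEM files in a temporary directory and compares the swapped assignment above with the corrected one.

```python
import os
import re
import tempfile

# PEM labels each mod_ssl directive is expected to point at.
EXPECTED = {"SSLCertificateFile": {"CERTIFICATE"},
            "SSLCertificateChainFile": {"CERTIFICATE"},
            "SSLCertificateKeyFile": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}}
DIRECTIVE_RE = re.compile(r"^\s*(SSLCertificate(?:Key|Chain)?File)\s+(\S+)", re.M)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")


def check_ssl_config(conf_text):
    """Return a list of problems found in the directives; [] means consistent."""
    problems = []
    for directive, path in DIRECTIVE_RE.findall(conf_text):
        if not os.path.isfile(path):
            problems.append(f"{directive}: {path} does not exist")
            continue
        with open(path) as fh:
            labels = set(PEM_RE.findall(fh.read()))
        if not labels:
            problems.append(f"{directive}: {path} has no PEM block")
        elif not labels <= EXPECTED[directive]:
            problems.append(f"{directive}: {path} holds {sorted(labels)}, "
                            f"expected {sorted(EXPECTED[directive])}")
        # A private key must not be readable by group or others.
        if directive == "SSLCertificateKeyFile" and os.stat(path).st_mode & 0o077:
            problems.append(f"{directive}: {path} is readable by group/other")
    return problems


def demo():
    """Constructed sample: the swapped assignment beside the corrected one."""
    d = tempfile.mkdtemp()
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    for name, body, mode in (("cert.pem", cert, 0o644),
                             ("fullchain.pem", cert * 2, 0o644),
                             ("privkey.pem", key, 0o600)):
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
        os.chmod(os.path.join(d, name), mode)
    swapped = (f"SSLCertificateFile {d}/cert.pem\n"
               f"SSLCertificateKeyFile {d}/fullchain.pem\n"
               f"SSLCertificateChainFile {d}/privkey.pem\n")
    fixed = (f"SSLCertificateFile {d}/cert.pem\n"
             f"SSLCertificateKeyFile {d}/privkey.pem\n"
             f"SSLCertificateChainFile {d}/fullchain.pem\n")
    return check_ssl_config(swapped), check_ssl_config(fixed)
```

Run `check_ssl_config(open("/etc/httpd/conf.d/ssl.conf").read())` on the real file to get the same report for a live configuration.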


#14

I had a conflict in the installation of mod_ssl, so I installed mod24_ssl that created the ssl.conf file and made the targeting of the certificate directories:

SSLCertificateFile /directory/domain/cert.pem
SSLCertificateKeyFile /directory/domain/privkey.pem
SSLCertificateChainFile /directory/domain/fullchain.pem

In addition, I have changed the IfModule of httpd.conf from to .

In this way the certificate was enabled.

Thank you @schoen!

