Apache first or certbot first?

My debian(8) host has an Apache2 web server that connects to a tomcat backend. At the moment it is configured for http only.

For security I want to exclusively use https and installed the certbot package to set up SSL first, then Apache2.

When I run

$ certbot --apache --domains rng-xnat.ecloud.vumc.nl

I get an error about the first challenge (tls-sni-01):

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for rng-xnat.ecloud.vumc.nl
Enabled Apache socache_shmcb module
Enabled Apache ssl module
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from ‘char *’ to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. rng-xnat.ecloud.vumc.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout


  • The following errors were reported by the server:

    Domain: rng-xnat.ecloud.vumc.nl
    Type: connection
    Detail: Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I have the ssh, http and https ports open in the firewall and I can open the site in my browser, so I’m not sure why certbot fails to connect to my host?

$ telnet rng-xnat.ecloud.vumc.nl 443

$ telnet rng-xnat.ecloud.vumc.nl 80

From my point of view, I cannot connect to your host via http/https.

Thanks! I found the same on a website from outside my workplace’s domain. IP address works, hostname doesn’t. Will need to call the IT department for that. For the firewall options i have ports 22, 80, 443 and 8080 open.

From inside the domain I can do all those telnet options, EXCEPT port 443. It says: connection refused.

But as I said in my first post, I started setting up SSL because the Apache setup for HTTPS requires the SSL certificates to already be there? So this feels a bit like a catch-22: to get SSL I need Apache2 to already work for port 443, but to get it working I need the SSL certificate.

I get the feeling that I am missing something, probably something basic.

You don’t need to setup SSL beforehand. Look at the webroot-plugin, which places the challenge files for http-01 authentication at a user-configurable place. Or use apache-plugin which automagically configures Apache during authorization and may even setup Apache for SSL after certificate issuance.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.