My debian(8) host has an Apache2 web server that connects to a tomcat backend. At the moment it is configured for http only.
For security I want to exclusively use https and installed the certbot package to set up SSL first, then Apache2.
When I run
$ certbot --apache --domains rng-xnat.ecloud.vumc.nl
I get an error about the first challenge (tls-sni-01):
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for rng-xnat.ecloud.vumc.nl
Enabled Apache socache_shmcb module
Enabled Apache ssl module
/usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from ‘char *’ to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. rng-xnat.ecloud.vumc.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
The following errors were reported by the server:
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I have the ssh, http and https ports open in the firewall and I can open the site in my browser, so I’m not sure why certbot fails to connect to my host?