Cannot generate certificate


#1

Please fill out the fields below so we can help you better.

My domain is: eds.listonfire.com

I ran this command:
sudo certbot certonly --webroot --webroot-path /home/eds/Work/listonfire/site -d eds.listonfire.com
and
sudo certbot --apache -d eds.listonfire.com

It produced this output:
webroot produced:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for eds.listonfire.com
Using the webroot path /home/eds/Work/listonfire/site for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. eds.listonfire.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to eds.listonfire.com

default option produced:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for eds.listonfire.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. eds.listonfire.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 192.117.97.121:443 for tls-sni-01 challenge

My operating system is (include version): Ubuntu 16.04

My web server is (include version): Apache/2.4.18 (Ubuntu)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I am able to go to https://eds.listonfire.com, but it comes up with a not secure state, so accessing the site via SSL works. But I am unable to generate the certificate and get the error that Let’s Encrypt could not connect to my server. The server is behind a router with port redirection.


#2

Hi @eds,

I’m not able to connect to the site with either HTTP or HTTPS. Are you sure that it’s already visible to the general public, not just from your own network?

This can sometimes interfere with the TLS-01 challenge to port 443, if the router actually terminates TLS sessions rather than just forwarding the port at the TCP level. However, the error you would see in this case is different from the one you saw.


#3

I see now that while I can reach the site without a problem, it is not visible from everywhere. The domain name resolves to the proper IP address, but both ping and traceroute do not complete from a server that I can SSH into. I am wondering if my ISP is not allowing some traffic in. Not sure how to debug this, though.
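
An added example, not part of the thread and not certbot's own code: a Python script meant to be run from a host outside the server's network. It reads certbot output like that quoted in post #1, maps each failed challenge to the port the validation server connects to (80 for http-01, 443 for tls-sni-01), and classifies a TCP connect attempt to that port. The function names, state labels and hint texts are this example's own.

```python
import re
import socket
import sys

# Matches the failure line certbot printed in the output quoted in this thread.
FAILURE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:acme:error:\w+) :: .*")
# Port the validation server connects to for each challenge type.
CHALLENGE_PORT = {"http-01": 80, "tls-sni-01": 443}
HINTS = {  # wording chosen for this example
    "open": "reachable from here; repeat from another outside network to be sure",
    "closed": "host answered but refused; check the forward target and the listener",
    "filtered": "no answer before the timeout; traffic is dropped before the server",
    "dns-failure": "name did not resolve from this vantage point",
    "error": "connection failed for another reason",
}

def parse_failure(line):
    """Return (domain, challenge, port) for a certbot failure line, else None."""
    m = FAILURE.search(line)
    if not m or m["challenge"] not in CHALLENGE_PORT:
        return None
    return m["domain"], m["challenge"], CHALLENGE_PORT[m["challenge"]]

def probe(host, port, timeout=5.0):
    """Classify a single TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "dns-failure"
    except OSError:
        return "error"

def diagnose(lines, probe_fn=probe):
    """Probe the port behind every failed challenge found in certbot output."""
    results = []
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            domain, challenge, port = parsed
            state = probe_fn(domain, port)
            results.append((domain, challenge, port, state, HINTS[state]))
    return results

if __name__ == "__main__":
    for row in diagnose(sys.stdin):  # pipe saved certbot output in on stdin
        print("{} {} port {}: {} ({})".format(*row))
```

A result of "open" from inside the server's own network says nothing about outside reachability, which is why the vantage point matters here.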

