Certbot - Apache Plugin with TLS-SNI Challenge and CNAME

Hi,

I successfully had my letsencrypt certificate for xxx.fr and phpmyadmin.xxx.fr one year ago. Now, I would like to add a new subdomain, but I get an error when running

#letsencrypt --apache 

Failed authorization procedure. newsubdomain.xxx.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xx.xx.xx.xx:443 for tls-sni-01 challenge, phpmyadmin.xxx.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xx.xx.xx.xx:443 for tls-sni-01 challenge, xxx.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xx.xx.xx.xx:443 for tls-sni-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:


   Domain: xxx.fr
   Type:   connection
   Detail: Failed to connect to xx.xx.xx.xx:443 for tls-sni-01
   challenge

   Domain: newsubdomain.xxx.fr
   Type:   connection
   Detail: Failed to connect to xx.xx.xx.xx:443 for tls-sni-01
   challenge

   Domain: phpmyadmin.xxx.fr
   Type:   connection
   Detail: Failed to connect to xx.xx.xx.xx:443 for tls-sni-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

This is hosted on a VPS provided by OVH.

I have an A field: xxx.fr. -> xx.xx.xx.xx, which I checked and is correct
I have 2 CNAME fields: phpmyadmin.xxx.fr. -> xxx.fr. and mysubdomain.xxx.fr. -> xxx.fr.

I have in my firewall:

# HTTP
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT

# HTTPS In
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

So I don’t get what could be wrong…

I checked similar questions, but it doesn’t seem to apply to me…

Thanks a lot for any help provided!

Hi @Sharcoux,

I don’t use the apache switch nor the tls-sni-01 challenge; I prefer certonly and webroot. But could you please show the last output of /var/log/letsencrypt/letsencrypt.log?

Could you please show the contents of /etc/letsencrypt/renewal/lecxxxxxxxxxxrce.fr.conf?

And the version of letsencrypt: letsencrypt --version

Note: there is no need to obfuscate your domain; you forgot to mask the IP in your post, and it is easy to know that your domain is lecxxxxxxxxxxrce.fr.

Cheers,
sahsanu

Hi @Sharcoux

A) Check your VHOST Configs for your other domains have HTTPS (443) Listeners associated to them
B) Check you can connect via HTTPS from the outside world to your domains (firewall check)

Andrei

OMG! I’m sorry, I just remembered that I enabled sslh to be able to receive ssh and https on port 443! So local traffic was mapped to different ports. Using the --tls-sni-01-port option with the correct port fixed the issue. Thanks for your time.

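The root cause above (sslh owning :443 and handing TLS to Apache on another local port, so the port certbot passes via --tls-sni-01-port must be the one Apache really listens on) as an added diagnostic script, not part of the thread or of certbot: `listener_process` reports which process owns a port from `ss -tlnp` output (a constructed sample is embedded), and `tls_probe` performs the SNI handshake the validator performs; the port 4443 and the process names are assumptions.

```shell
#!/usr/bin/env bash
# Added diagnostic for a host where sslh answers on :443 and forwards TLS to
# Apache on a different local port. The validator talks to :443; certbot's
# --tls-sni-01-port must name the port Apache itself listens on.
# Port 4443 and the process names are assumptions used for illustration.
set -eu

# Print the name of the process owning the TCP listener on PORT, given the
# text of `ss -tlnp` (passed as a string so constructed samples can be used).
listener_process() {
    port="$1"; ss_output="$2"
    printf '%s\n' "$ss_output" | awk -v p=":${port}" '
        $1 == "LISTEN" && substr($4, length($4) - length(p) + 1) == p {
            if (match($0, /users:\(\("[^"]+"/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/users:\(\("/, "", s); sub(/"$/, "", s)
                print s; exit
            }
        }'
}

# TLS handshake with SNI against HOST:PORT, as the tls-sni-01 validator does
# against :443; prints the served certificate subject or fails.
tls_probe() {
    host="$1"; port="$2"; sni="$3"
    openssl s_client -connect "${host}:${port}" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject
}

# Constructed sample of `ss -tlnp` on a box with sslh in front of Apache.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("sslh",pid=1234,fd=3))
LISTEN 0      128    127.0.0.1:4443     0.0.0.0:*         users:(("apache2",pid=2345,fd=4))'

# Usage: script DOMAIN APACHE_TLS_PORT (prints usage and exits 0 without args).
main() {
    domain="${1:-}"; apache_port="${2:-}"
    [ -n "$domain" ] && [ -n "$apache_port" ] || { echo "usage: $0 DOMAIN APACHE_TLS_PORT"; return 0; }
    live="$(ss -tlnp)"
    echo "owner of :443 -> $(listener_process 443 "$live")"
    echo "owner of :$apache_port -> $(listener_process "$apache_port" "$live")"
    tls_probe 127.0.0.1 "$apache_port" "$domain" \
        && echo "Apache on :$apache_port answers SNI for $domain; use --tls-sni-01-port $apache_port"
}
main "$@"
```

Let's Encrypt has since retired the tls-sni-01 challenge, but checking who owns :443 remains the first step whenever a multiplexer such as sslh sits in front of the web server.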
