Certbot: Connection refused TLS-SNI-01 challenge

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sprayer4cloud.tk

I ran this command: certbot --apache

It produced this output:

My web server is (include version): Last Apache

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

2

Hi there ! I’m using Debian 9 with Apache server for my private cloud (nextcloud)

I have an issue when i want to create a certif for my domain. (sprayer4cloud.tk)

I’ve run “certbot --apache” command and the prompt say :

"Failed authorization procedure. sprayer4cloud.tk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused.

I’ve triple check the ip redirection and it’s okay, you can try to access sprayer4cloud.tk and it works.

Maybe someone know something ahah

3

$ telnet sprayer4cloud.tk 443
Trying 81.66.197.157...
telnet: Unable to connect to remote host: Connection refused

You are using tls-sni challenge, but your server does not listen on port 443 (https) or this port is blocked.

BTW: this has nothing to do with DNS.

1 Like
4

Thank you for your answer !

I am using a DMZ so all of my traffic is route to my apache server.
I've just use this : "nmap -p 443 sprayer4cloud.tk"
And the result is : "443/tcp closed https".

So what can i do to fix this issue and finally open the 443 port ?
I've check on /etc/apache2/port.conf and the Listen 443 is here.

Thanks for your support

5

Check whether you can access port 443 locally (on your webserver):

$ telnet localhost 443

If this works, you just have to check your firewall settings.
Port 443 inbound should be open.

6

This command works perfectly !

"root@debian:/etc/apache2/sites-enabled# telnet localhost 443
Trying ::1...
Connected to localhost."

I don't use a firewall maybe i need to reboot my router. I try this and i let you know ! thx pal

7

image

I can’t understand why its not working…

8

Hi @sprayer4real,

I’ve updated the title of your thread since as @bytecamp points out (Thank you!) it isn’t related to DNS.

It looks like you might be using a SOHO router to configure a DMZ/port forward. Does that mean your server is on a residential ISP? If so you might want to inquire with your ISP about whether they block inbound 443 to customers. Several home internet providers do this and it may explain why traffic on 443 doesn’t make it to your sever even though you’ve configured an exception at the router level.

Hope that helps,

9

Thx for your help !

I’m very confused ahah check this :slight_smile:

root@debian:/etc/apache2/sites-available# nmap -p 443 sprayer4cloud.tk

Starting Nmap 7.40 ( https://nmap.org ) at 2017-09-15 15:53 CEST
Nmap scan report for sprayer4cloud.tk (127.0.0.1)
Host is up (0.000064s latency).
Other addresses for sprayer4cloud.tk (not scanned): 81.66.197.157
PORT STATE SERVICE
443/tcp open https

But when i did the same command from outside of my network the 443 port is closed…

10

That sounds like what I was describing :slight_smile: Are you on a residential internet connection? Does your ISP block 443?

11

I notice I am able to connect to an Apache server on port 80 using HTTP. It returns the default new Apache index page presently.

You may be able to use the HTTP-01 “Webroot” challenge mode of Apache with the current configuration but that will just delay your problem since you’ll still need 443 open to use HTTPS with your new certificate!

If you’re 100% certain your DMZ/port forwarding rules are correct I would begin to suspect your ISP. If you aren’t certain if the DMZ/port forwarding is correct that would be the best place to try and investigate further!

12

Thx pal for your support

I have the final word and it’s not good…

My jocking ISP block the redirection. The say “it’s a firmware problem…”

Do you think this is safe to have a private cloud only access in http ?
I think about arp-poisoning or stuff like that.

Indeed thx for your help

13

The only option is to switch my ISP in bridge mode and buy a new router ahah

14

Sorry to hear that your ISP is to blame. Frustrating!

In general I'm wary about giving security advice off the cuff without understanding the threat model & fine details. I'm obviously biased (:laughing:) but I think HTTPS/TLS are the bare minimum required for a web service to be secure in 2017.

ARP poisoning is generally a LAN-specific problem so unless your adversary is on your wifi I wouldn't worry about it :slight_smile:

Could you rent a cheap Virtual Private Server and run your cloud there? Typically a VPS is a better place to run a server than in your own home if you can afford it.

Good luck!

15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.