Certbot error in generating SSLs

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=shop4you.hu), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: shop4you.hu/www.shop4you.hu

I ran this command: certbot --apache certonly --agree-tos --email root@shop4you.hu -d www.shop4you.hu

It produced this output:
Failed authorization procedure. www.shop4you.hu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout


  • The following errors were reported by the server:

    Domain: www.shop4you.hu
    Type: connection
    Detail: Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
root@server:~# apache2 -v
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2017-09-18T15:09:02

The operating system my web server runs on is (include version):
root@server:~# cat /etc/os-release
VERSION="16.04.3 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04.3 LTS"

My hosting provider, if applicable, is: Blizoo Bulgaria

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): VestaCP Version:0.9.8 (amd64) @ HP ProLiant DL380 G5 2xQuad-Core Xeon @ 3.00GHz 32GB RAM

Before, I was using CWP (CentOS Web Panel) as a control panel to manage my site, but my HDD burned out and I couldn't save my certs. Maybe I still have them on your server for shop4you.hu/www.shop4you.hu and born2host.com/www.born2host.com. If they still exist on your server and it's not a big problem, please email me the certs and I will include them in the configs.
Btw I got my A records:
root@server:~# nslookup shop4you.hu

Non-authoritative answer:
Name: shop4you.hu
root@server:~# nslookup www.shop4you.hu

Non-authoritative answer:
Name: www.shop4you.hu
root@server:~# nslookup born2host.com

Non-authoritative answer:
Name: born2host.com
root@server:~# nslookup www.born2host.com

Name: www.born2host.com

Hi @dlkarakashev,

Your domain shop4you.hu has an AAAA record, so Let’s Encrypt will try to validate it using this record, but your server is not accessible using the advertised IPv6 address:

$ curl -IkLv6  shop4you.hu
* Rebuilt URL to: shop4you.hu/
*   Trying 2001:470:1f1a:d7::13...
* connect to 2001:470:1f1a:d7::13 port 80 failed: Connection timed out
* Failed to connect to shop4you.hu port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to shop4you.hu port 80: Connection timed out

Domain www.shop4you.hu has no obvious DNS configuration issues, so I have no idea why Let’s Encrypt can’t reach your server; maybe you could post the output of /var/log/letsencrypt/letsencrypt.log

Regarding born2host.com and www.born2host.com, root servers are advertising 5 authoritative nameservers:

dig @a.gtld-servers.net born2host.com ns +norec

; <<>> DiG 9.11.1 <<>> @a.gtld-servers.net born2host.com ns +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55237
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6

; EDNS: version: 0, flags:; udp: 4096
;born2host.com.                 IN      NS

born2host.com.          172800  IN      NS      ns1.born2host.com.
born2host.com.          172800  IN      NS      ns2.born2host.com.
born2host.com.          172800  IN      NS      ns3.born2host.com.
born2host.com.          172800  IN      NS      ns4.born2host.com.
born2host.com.          172800  IN      NS      ns5.born2host.com.

ns1.born2host.com.      172800  IN      A
ns2.born2host.com.      172800  IN      A
ns3.born2host.com.      172800  IN      A
ns4.born2host.com.      172800  IN      A
ns5.born2host.com.      172800  IN      A

;; Query time: 11 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Sun Dec 31 10:54:44 CET 2017
;; MSG SIZE  rcvd: 212

But your DNS servers don’t have an A record defined for ns3, ns4 and ns5; also, your DNS servers only show ns1 and ns2 as the right DNS servers for the domain.

The problem is not the certificates; you could get them from the crt.sh site. For example, at this link https://crt.sh/?id=272548664 you will see the last certificate issued for shop4you.hu, which covers shop4you.hu and www.shop4you.hu, and on that page, if you click on the link "Certificate:", you will get the certificate. But as I said, that is not the problem; the problem is the private key, which is not saved anywhere but your server, and if you deleted it, that certificate is useless.

As you are using VestaCP… did you try to use their Let’s Encrypt plugin to get your certs?

I’m sorry, but I’m leaving right now, so I doubt I can answer this post till next year :smiley: but maybe other community buddies could follow it if you resolve your DNS issues and provide the Let’s Encrypt logs.

Good luck and Happy New Year :wink:
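The born2host.com delegation problem described in the reply above (parent lists five nameservers, the child zone knows only two and has no addresses for the rest) is a check worth automating. The script below is an added example, not code from the thread, from certbot or from any DNS project; the NS sets and the addresses in it are constructed to mirror the dig output above (the addresses are documentation-range placeholders, not real glue), and the lookup function is injectable so the comparison runs offline.

```python
"""Delegation consistency check (added example; not from the thread or any project).

Compares the nameserver set the parent zone delegates to with the NS set the child
zone itself publishes, and verifies that every nameserver name has an address.
Names delegated by the parent but unknown to the child, or without an A record, are
lame delegations: a resolver that happens to pick one of them gets no answer.
"""
from typing import Callable, Iterable, List

# Constructed sample mirroring the dig output above: the .com servers delegate to
# five names, the child zone lists two, and only those two have addresses.
# (The addresses are documentation-range placeholders, not real glue.)
PARENT_NS = ["ns1.born2host.com.", "ns2.born2host.com.", "ns3.born2host.com.",
             "ns4.born2host.com.", "ns5.born2host.com."]
CHILD_NS = ["ns1.born2host.com.", "ns2.born2host.com."]
CHILD_A = {"ns1.born2host.com.": ["203.0.113.1"], "ns2.born2host.com.": ["203.0.113.2"]}


def canonical(name: str) -> str:
    """Lower-case, absolute form of a DNS name, so "NS1.Example.com" == "ns1.example.com."."""
    return name.strip().lower().rstrip(".") + "."


def delegation_problems(parent_ns: Iterable[str], child_ns: Iterable[str],
                        a_lookup: Callable[[str], List[str]]) -> List[str]:
    """Return human-readable mismatches between the parent and child views of a delegation."""
    parent = {canonical(n) for n in parent_ns}
    child = {canonical(n) for n in child_ns}
    problems: List[str] = []
    for name in sorted(parent - child):
        problems.append(f"{name} is delegated by the parent but not in the child's NS set")
    for name in sorted(child - parent):
        problems.append(f"{name} is in the child's NS set but the parent does not delegate to it")
    for name in sorted(parent | child):
        if not a_lookup(name):
            problems.append(f"{name} has no A record; resolvers that pick it get no answer")
    return problems


def sample_lookup(name: str) -> List[str]:
    """Stand-in for an authoritative A query against the child zone (constructed data)."""
    return CHILD_A.get(canonical(name), [])


if __name__ == "__main__":
    for line in delegation_problems(PARENT_NS, CHILD_NS, sample_lookup):
        print("PROBLEM:", line)
```

To feed it real data instead of the constructed sets, take the parent view from `dig @a.gtld-servers.net born2host.com NS +norec` (as in the reply) and the child view from `dig @ns1.born2host.com born2host.com NS` plus one `dig @ns1.born2host.com <nameserver> A` per nameserver name; the point of asking the child's own servers rather than a recursive resolver is that a cached answer would hide exactly the inconsistency being looked for.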

As I’m pretty new to VestaCP and Linux in general (I was working for more than 12 years with BSD), I have no idea why I get this response:
root@server:/usr/local# curl shop4you.hu
curl: (7) Failed to connect to shop4you.hu port 80: Connection refused
I just went to VestaCP and stopped iptables and fail2ban, but I'm still getting this. At the same time, when I open http://shop4you.hu in a browser from outside (not the same network as the server) I can see it, but curl can't see it. Why?

Hi @dlkarakashev,

We need more info to know what is going on. Maybe your domain resolves to another IP inside your network, maybe it resolves to your public IP but you are doing NAT and your router doesn’t support NAT loopback, maybe…

Show the output of the following commands:

The -v switch will show all the details of the connection, including the IP it is trying to connect to:

curl -vIkL shop4you.hu

The command below should be executed as root, or with sudo if you are using a normal user, and will show the ports in listen status on your machine… including the process that is listening on each port (that is the reason to execute the command as root):

ss -pltun | cat

I can see you already issued certificates for all your domains yesterday so maybe you have all working fine on your side ;).
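The two diagnoses in this thread (the first reply: an AAAA record pointing at an IPv6 address the CA cannot reach; the second: the name resolving to a different or private address from inside the network, so local curl and the CA see different hosts) can be folded into one pre-flight check run before certbot. The script below is an added example, not code from certbot, VestaCP or either poster. It assumes, as the first reply states, that the validator prefers the AAAA address when one is published, and it uses the system resolver and plain TCP connects on ports 80 and 443 as a stand-in for the CA's view of the host. The domain and addresses in the usage are constructed; the resolver and connector are injectable so the logic can be exercised offline.

```python
"""ACME pre-flight reachability check (added example; not certbot's, VestaCP's or the
thread's own code).

Resolves the A and AAAA records of a name and tries a TCP connect to every address on
the ports ACME validation uses (80 for http-01, 443 for the tls-sni-01 challenge in
the thread). A dual-stacked validator prefers the AAAA address when one exists, so a
dead IPv6 host fails validation although IPv4 works in a browser; a name that
resolves to a private address on the server itself explains a "connection refused"
from local curl while the site is fine from outside.
"""
import ipaddress
import socket
import sys
from typing import Any, Callable, Dict, List, Sequence

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int], bool]


def resolve_all(name: str) -> List[str]:
    """Unique A/AAAA addresses of *name* from the system resolver (scope ids stripped)."""
    found: List[str] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP):
        addr = str(sockaddr[0]).split("%")[0]
        if family in (socket.AF_INET, socket.AF_INET6) and addr not in found:
            found.append(addr)
    return found


def tcp_connect(addr: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to addr:port completes within *timeout* seconds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # timed out, refused, network unreachable, ...
        return False


def check_domain(name: str, ports: Sequence[int] = (80, 443),
                 resolve: Resolver = resolve_all,
                 connect: Connector = tcp_connect) -> Dict[str, Any]:
    """Probe every address of *name*; return per-address results and a list of problems."""
    addresses: List[Dict[str, Any]] = []
    problems: List[str] = []
    # IPv6 first: that is the order a dual-stacked validator prefers.
    addrs = sorted(resolve(name), key=lambda a: ipaddress.ip_address(a).version, reverse=True)
    if not addrs:
        problems.append("no A/AAAA record: the CA has nothing to connect to")
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # A private/loopback answer means the local resolver or /etc/hosts points the name
        # somewhere the CA can never reach, and somewhere different from what outsiders hit.
        if not ip.is_global:
            problems.append(f"{addr} is not globally routable; a CA cannot reach it")
        reachable = {port: connect(addr, port) for port in ports}
        addresses.append({"address": addr, "version": ip.version, "reachable": reachable})
        if not any(reachable.values()):
            problems.append(f"{addr} (IPv{ip.version}) unreachable on ports {list(ports)}")
    has_v6 = any(e["version"] == 6 for e in addresses)
    v6_ok = any(any(e["reachable"].values()) for e in addresses if e["version"] == 6)
    v4_ok = any(any(e["reachable"].values()) for e in addresses if e["version"] == 4)
    if has_v6 and not v6_ok and v4_ok:
        problems.append("AAAA record present but IPv6 unreachable: the validator tries IPv6 "
                        "first, which is where the timeout comes from; fix IPv6 on the host "
                        "or remove the AAAA record")
    return {"domain": name, "addresses": addresses, "problems": problems}


def main(argv: List[str]) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} <domain>", file=sys.stderr)
        return 2
    report = check_domain(argv[1])
    for entry in report["addresses"]:
        status = ", ".join(f"{p}={'open' if ok else 'FAIL'}" for p, ok in entry["reachable"].items())
        print(f"{entry['address']:40} IPv{entry['version']}  {status}")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
    return 1 if report["problems"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine outside the server's network to approximate the CA's view, and once on the server itself: if the two runs resolve the name to different addresses (the second showing a private one), the "connection refused" seen from local curl is a split-horizon or NAT loopback issue rather than a firewall or Apache problem, which is what `ss -pltun` on the server will then confirm or rule out.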

