Certbot - TLS-SNI Challenge Fails Due to Firewall Configurations

Please fill out the fields below so we can help you better.

My domain is:

mydomain.com

I ran this command:

letsencrypt certonly --standalone --renew-by-default -d mydomain.com -d bt.mydomain.com

It produced this output:

Failed to connect to 172.123.45.67:443 for tls-sni-01 challenge, bt.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 172.123.45.67:443 for tls-sni-01 challenge, mydomain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: bt.mydomain.com
Type: connection
Detail: Failed to connect to 172.123.45.67:443 for tls-sni-01
challenge

Domain: mydomain.com
Type: connection
Detail: Failed to connect to 172.123.45.67:443 for tls-sni-01
challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version):

Nginx 1.12.0 but only used as a reverse proxy.

The operating system my web server runs on is (include version):

Ubuntu 16.04

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

Letsencrypt's been working great (for about a year now) until a week ago, when I started receiving these errors preventing me from renewing. I run the renewal process weekly (cron job), which is way less often than recommended, I know.
I use Nginx as a reverse proxy and don't use a web server, or at least I don't think it's enabled, which is why 172.123.45.67:443 doesn't return anything.

But it's never been a problem before. So do I need to enable Nginx's web server now?

Here's my renewal config file:

cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options and defaults used in the renewal process

[renewalparams]
no_self_upgrade = False
no_verify_ssl = False
ifaces = None
register_unsafely_without_email = False
uir = None
installer = none
config_dir = /etc/letsencrypt
text_mode = True
staging = False
dry_run = False
work_dir = /var/lib/letsencrypt
tos = False
init = False
http01_port = 80
duplicate = False
noninteractive_mode = False
key_path = None
nginx = False
fullchain_path = /root/chain.pem
email = myEmail@provider.com
csr = None
agree_dev_preview = None
redirect = None
verbose_count = -3
config_file = None
renew_by_default = True
hsts = False
authenticator = standalone
domains = mydomain.com, bt.mydomain.com
rsa_key_size = 4096
verb = certonly
checkpoints = 1
manual_test_mode = False
apache = False
cert_path = /root/cert.pem
webroot_path = ,
reinstall = False
expand = False
strict_permissions = False
account = *****************32efdb09
prepare = False
manual_public_ip_logging_ok = False
chain_path = /root/chain.pem
break_my_certs = False
standalone = True
manual = False
server = https://acme-v01.api.letsencrypt.org/directory
standalone_supported_challenges = tls-sni-01
webroot = False
os_packages_only = False
func = <function obtain_cert at 0x7f7bf20dbc80>
user_agent = None
debug = False
tls_sni_01_port = 443
logs_dir = /var/log/letsencrypt
configurator = None
[[webroot_map]]

Hi @ceptonit,

I'm unable to ping or openssl s_client connect to this IP as well. Are you sure it is externally accessible? Do you have a firewall or something that might be preventing inbound traffic to the IP?

It must be accessible because https://bt.mydomain.com works fine.
And when I close the 443 port in my firewall, then https://bt.mydomain.com doesn’t work anymore, as it should.

I'm gonna try and enable Nginx's web server and see if that changes anything, even though I never had to before.

Well, to me it's not accessible either. So even though it might be accessible for you locally, it is not reachable externally. You can check that yourself by trying to validate your page for example with https://validator.w3.org/

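The replies above boil down to one check: connect to the A-record IP on port 443 from a host outside your own network, exactly as the Let's Encrypt validation server does for tls-sni-01. The script below is an added example, not code from the thread or from Certbot; it pulls the IP, port and domain out of the Certbot error text and then repeats the CA's TCP connect plus TLS handshake with SNI set to the challenged name. The sample output is the error line quoted in the original post; `SAMPLE_OUTPUT`, `parse_connection_errors` and `probe_tls_endpoint` are names chosen here.

```python
"""Reproduce, from an external vantage point, the connection step the ACME
server performs for a tls-sni-01 challenge: TCP connect to the A-record IP
on the challenge port, then a TLS handshake with SNI set to the challenged
domain.  Run it from a host outside your network; a failure here matches
the urn:acme:error:connection that Certbot reports."""
import re
import socket
import ssl

# Error text copied from the thread's Certbot output (IP is the poster's example).
SAMPLE_OUTPUT = (
    "Failed to connect to 172.123.45.67:443 for tls-sni-01 challenge, "
    "bt.mydomain.com (tls-sni-01): urn:acme:error:connection :: The server "
    "could not connect to the client to verify the domain :: Failed to connect "
    "to 172.123.45.67:443 for tls-sni-01 challenge, mydomain.com (tls-sni-01): "
    "urn:acme:error:connection :: The server could not connect to the client"
)

# Matches Certbot's "Failed to connect to <ip>:<port> for <challenge> challenge,
# <domain> (<challenge>)" fragments.
_ERR = re.compile(
    r"Failed to connect to (?P<ip>[\d.]+):(?P<port>\d+) for (?P<chal>[\w-]+) "
    r"challenge, (?P<domain>[\w.-]+) \((?P=chal)\)"
)


def parse_connection_errors(output):
    """Return (domain, ip, port, challenge) tuples found in Certbot output."""
    return [(m["domain"], m["ip"], int(m["port"]), m["chal"])
            for m in _ERR.finditer(output)]


def probe_tls_endpoint(ip, port, sni, timeout=5.0):
    """TCP connect, then TLS handshake with the given SNI; report how far it got.
    Certificate verification is disabled on purpose: the tls-sni-01 responder
    serves a self-signed certificate for a synthetic *.acme.invalid name."""
    result = {"tcp_connected": False, "tls_ok": False, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            result["tcp_connected"] = True  # firewall lets the port through
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                result["tls_ok"] = True  # a TLS responder answered for this SNI
                result["cipher"] = tls.cipher()[0]
    except OSError as exc:  # refused, timed out, or ssl.SSLError (an OSError)
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    for domain, ip, port, chal in parse_connection_errors(SAMPLE_OUTPUT):
        print(domain, chal, probe_tls_endpoint(ip, port, domain))
```

A result with `tcp_connected` false from an external host (but true from inside the LAN) is the firewall or NAT problem this thread ended on; `tcp_connected` true and `tls_ok` false means the port is open but nothing is answering TLS there during the challenge.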

Also not working for me from here. So maybe there is a network connectivity issue of some kind.


Oh shoot, you folks are right, I just tried from my cell phone as well.
Looking into it!

Will report back

So yes, it was a firewall issue, it's all good now, thanks for your help :slight_smile:
