Certificate creation error


#1

Hello,

I am trying to install the SSL certificate for my domain (command: certbot - Apache) but I get the following error:
Failed authorization procedure. mydomain.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge

After checking with my domain administrator, the IP address the domain points to is correct (mydomain.fr. 0 IN xxx.xxx.xxx.xxx).

I have port forwarding set up on my internet box (port xxx redirected to 443) so that the various sites of my domain are only accessible by specifying this port (https://www.mydomain.fr:xxxx/mywebsite/).

Do I have a configuration error, or something else?

Thank you in advance.


#2

Hi @phildu31,

It looks like you’re using a machine translation tool like Google Translate. Those can be really helpful (and I’m sure people here will appreciate that you’re posting in English), but I’d like to suggest not translating the text of commands and error messages. For example, the error message got translated using the word “tea” (Fr. “thé”), which isn’t very helpful here, and I guess your command was probably certbot --apache but came through as certbot - Apache.

For the TLS-SNI-01 verification method, TCP port 443 of the publicly-visible IP address must be answered directly by your Apache process. It seems that this isn’t the case for your configuration, so you can’t use TLS-SNI-01.

Can you listen on port 80 of your IP address, as seen by the outside world? If so, you can use the HTTP-01 verification method instead. (Most people use this by running certbot certonly --webroot and then specifying the directory where their web page content is served from.) If you can listen on port 80 but don’t currently do so, you can also use certbot certonly --standalone --preferred-challenges http-01, which creates a temporary web server that listens on port 80.


#3

@schoen Don’t forget certbot can use the apache installer (if it’s available of course!) in combination with the webroot authenticator:

certbot -i apache -a webroot --webroot-path /path/to/webroot

That way novice users won’t have to deal with the manual installation of the certificate whilst using the http-01 challenge through port 80 :slight_smile:


#4

Yes, I often think the conceptual distinction between authenticators and installers would be more confusing to people, but it can certainly be easier in terms of what they’re actually required to do!


#5

Hi schoen,

I use “Reverso” to translate. Sorry for the error, I’ve modified my text.

I think I can listen on port 80.
My Apache configuration listens on port 80, and port 80 is open on my internet box.
But I only use “https” to reach my sites.


#6

OK, this is probably the reason that the TLS-SNI-01 version didn’t work.

Either of the forms that we suggested using webroot can work over port 80. The version that I suggested obtains the certificate, but does not install it for you (it does not configure the web server to use it; you have to edit the configuration files to do that yourself). The version that @Osiris suggested will also try to install the certificate for you by editing the Apache configuration files.

In both cases, you need to know the directory path on your system from which the web server serves files. We call this location the “webroot” or “web root”. It could be something like /var/www/html, but it can be anywhere.


#7

OK.

I am going to try it and will report back.

Configuring Apache myself is not a problem, since I know the certificate names and their location.

Some questions:

  • I want to use https instead of http, thus port 443 and not 80. Will the certificates be OK for that?

  • Do I have to use certbot certonly - webroot?


#8

Unfortunately, HTTP-01 only works on port 80 via HTTP. (There was a months-long discussion about security reasons for this, so I don’t expect it to be changed.) For port 443, the only option is TLS-SNI-01.

If you don’t want it to install the certificate for you, the best way is indeed certbot certonly --webroot (note two hyphens, immediately before the option webroot). “certonly” means “get (or renew) this certificate, but don’t try to edit the associated webserver configuration afterward”.
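
Since HTTP-01 needs port 80 but the sites themselves are reached only over HTTPS, a common arrangement is a minimal port-80 VirtualHost that serves only the challenge directory and redirects everything else to HTTPS. The following is an added example, not configuration from this thread or from certbot; the hostname, the webroot /var/www/html and the use of mod_rewrite (enable it with a2enmod rewrite) are assumptions:

```apache
# Added example: port-80 VirtualHost that keeps /.well-known/acme-challenge/
# reachable for HTTP-01 while sending all other requests to HTTPS.
# ServerName and DocumentRoot are assumed values.
<VirtualHost *:80>
    ServerName mydomain.fr
    ServerAlias www.mydomain.fr
    DocumentRoot /var/www/html

    # certbot --webroot -w /var/www/html writes challenge files here.
    <Directory "/var/www/html/.well-known/acme-challenge">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # Redirect everything except the challenge path to HTTPS.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

The redirect must exclude the challenge path: Let’s Encrypt does follow redirects, but a redirect to an HTTPS port that is not the standard 443 (as in the forwarded-port setup described above) would not be reachable by the validation server. Note that none of this helps until port 80 on the public IP actually reaches Apache; if it does not, the challenge file is never fetched.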


#9

As my French-to-English translation does not explain well what I want, I am going to try to explain in more detail.

I have 2 servers at home, plus 1 NAS.
My 2 servers are Raspberry Pis (2 and 3) running Debian Jessie.

On the Pi2, I have 4 different sites accessible via 4 different URLs:

On the Pi3, I have 2 different sites accessible via 2 different URLs:

On my internet box, the ports specified in these URLs are redirected to port 443 of the Raspberry Pi.

I do not use http to reach my sites.

The Apache configuration listens on port 80 and port 443.

My question, before testing via port 80:

  • Is there a difference between the certificates that will be generated via port 80 and those that would be generated via port 443? Specifically, if I generate them via port 80, will that affect access to my sites via port 443?

I hope I have been clearer and more understandable. It is not easy to translate.

Thanks for your patience.


#10

No. The goal of the verification process is only to prove that you control the domain. That can be done using either port 80 or port 443, with slightly different technology. Depending on how you use Certbot, it can potentially use either method. (certbot --apache uses only port 443 and assumes that an Apache server already exists that can listen on port 443. certbot --webroot uses only port 80, and assumes that some web server already exists that is listening on port 80. certbot --standalone can use either, and assumes that no other web server is listening on the chosen port.)

The certificate itself does not mention a port and can be used with any kind of TLS service on any port. This is true regardless of which method you use to prove your control of the domain.


#11

Still, it’s quite amazing that today machine translation is good enough to permit a practical conversation.


#12

I’ve tried…
==> KO.

Error message :
Failed authorization procedure. mydomain.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to mydomain.fr
:disappointed:


#13

Which command were you using there?


#14

certbot certonly --webroot

My sites are located in /var/www/html/.


#15

What happens if you try to visit that domain with a browser (using HTTP and not HTTPS)?


#16

Using HTTP…
Error message:
this site is inaccessible


#17

In order to use webroot, there must already be a web server running that is listening on port 80. It sounds like you don’t have one currently.
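
A quick way to confirm the point above before running certbot again is to reproduce what the CA does: place a file where certbot --webroot would put the challenge token and fetch it over plain HTTP through the public hostname. The script below is an added example, not code from this thread or from certbot; the webroot path and hostname on the command line are whatever you pass in, and the built-in demo uses a throwaway local server so it also runs without a public host.

```python
"""
Self-check for the HTTP-01 path that `certbot certonly --webroot` depends on.
Added example (not certbot's code): writes a random probe file under
<webroot>/.well-known/acme-challenge/, fetches it over plain HTTP the way the
CA does, and reports what it saw. "connection_error" here is the same failure
the thread shows ("Could not connect to mydomain.fr"): port 80 on the public
address does not reach the web server.
"""
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Relative path under the webroot where certbot --webroot writes challenge files.
CHALLENGE_DIR = ".well-known/acme-challenge"

# Direct connections only: an HTTP proxy would hide whether port 80 is reachable.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def write_probe(webroot):
    """Create the challenge directory and a random probe file; return (token, body)."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32)  # stands in for the ACME key authorization
    path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def fetch_probe(base_url, token, timeout=5.0):
    """GET the probe over HTTP; returns ('ok', body) or (error_kind, detail)."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with _opener.open(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("ascii")
    except urllib.error.HTTPError as exc:        # reached a server, wrong answer
        return "http_error", str(exc.code)
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        return "connection_error", str(exc)      # nothing answered on that port


def check_http01(webroot, base_url):
    """Write a probe, fetch it, clean up; 'ok' means the HTTP-01 path works end to end."""
    token, expected = write_probe(webroot)
    try:
        status, detail = fetch_probe(base_url, token)
        if status == "ok" and detail != expected:
            # Some server answered, but not from this webroot (wrong vhost or DocumentRoot).
            return "wrong_content", detail
        return status, detail
    finally:
        os.remove(os.path.join(webroot, *CHALLENGE_DIR.split("/"), token))


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, format, *args):  # keep demo output clean
        pass


def serve_webroot(webroot):
    """Start a throwaway HTTP server on 127.0.0.1 (ephemeral port) serving webroot."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo_local():
    """Run the check against a local server in a temp dir; returns (status, detail)."""
    with tempfile.TemporaryDirectory() as root:
        srv, base = serve_webroot(root)
        try:
            return check_http01(root, base)
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # Real use: python check_http01.py /var/www/html http://mydomain.fr
        print(check_http01(sys.argv[1], sys.argv[2]))
    else:
        print(demo_local())  # expected: ('ok', '<probe body>')
```

Run it as the user that owns the webroot, from a machine outside your own LAN if possible: many home routers do not hairpin a forwarded port back to the internal address, so a test from inside the network can fail or succeed for reasons unrelated to what the CA will see.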


#18

I don’t understand the problem.
My web server is running, otherwise I could not reach my sites…
And when I check the Apache configuration, it looks good…

/etc/apache2/ports.conf contains “Listen 80”…

/etc/apache2/sites-enabled/000-default.conf contains “<VirtualHost *:80>”…

Port 80 is open on my internet box…

I can’t see where the problem could be…
:fearful:


#19

Could your ISP have a firewall that prevents customers from hosting their own sites on port 80 (while allowing other ports)?


#20

French ISPs don’t block hosting your own sites…
I’m hosting my own mail server and it works perfectly…