I am trying to install the SSL certificate for my domain (command: certbot - Apache) but I get the following error:
Failed authorization procedure. mydomain.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge
After checking with my domain administrator, the IP address the domain points to is correct (mydomain.fr. 0 IN xxx.xxx.xxx.xxx).
I have port forwarding set up on my internet box (port xxxx forwarded to 443) so that the various sites on my domain are only reachable by specifying this port (https://www.mydomain.fr:xxxx/mywebsite/).
It looks like you’re using a machine translation tool like Google Translate. Those can be really helpful (and I’m sure people here will appreciate that you’re posting in English), but I’d like to suggest not translating the text of commands and error messages. For example, the error message got translated using the word “tea” (Fr. “thé”), which isn’t very helpful here, and I guess your command was probably certbot --apache but came through as certbot - Apache.
For the TLS-SNI-01 verification method, TCP port 443 of the publicly-visible IP address must be answered directly by your Apache process. It seems that this isn’t the case for your configuration, so you can’t use TLS-SNI-01.
Can you listen on port 80 of your IP address, as seen by the outside world? If so, you can use the HTTP-01 verification method instead. (Most people use this by running certbot certonly --webroot and then specifying the directory where their web page content is served from.) If you can listen on port 80 but don’t currently do so, you can also use certbot certonly --standalone --preferred-challenges http-01, which creates a temporary web server that listens on port 80.
Yes, I often think the conceptual distinction between authenticators and installers would be more confusing to people, but it can certainly be easier in terms of what they’re actually required to do!
I use “Reverso” to translate. Sorry for the error; I’ve modified my text.
I think I can listen on port 80.
My Apache configuration listens on port 80, and port 80 is open on my internet box.
But I only use “https” to reach my sites.
OK, this is probably the reason that the TLS-SNI-01 version didn’t work.
Either of the forms that we suggested using webroot can work over port 80. The version that I suggested obtains the certificate, but does not install it for you (it does not configure the web server to use it; you have to edit the configuration files to do that for yourself). The version that @Osiris suggested will also try to install the certificate for you by editing the Apache configuration files for you.
In both cases, you need to know the directory path on your system from which the web server serves files. We call this location the “webroot” or “web root”. It could be something like /var/www/html, but it can be anywhere.
Unfortunately, HTTP-01 only works on port 80 via HTTP. (There was a months-long discussion about security reasons for this, so I don't expect it to be changed.) For port 443, the only option is TLS-SNI-01.
If you don't want it to install the certificate for you, the best way is indeed certbot certonly --webroot (note two hyphens, immediately before the option webroot). "certonly" means "get (or renew) this certificate, but don't try to edit the associated webserver configuration afterward".
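As an added example that is not from this thread and not any participant's code, the script below puts the two suggestions above into practice for an HTTPS-only host: it gives Apache a port-80 VirtualHost that serves only the ACME challenge path over plain HTTP and redirects everything else to HTTPS, drops a throwaway file into that path and reads it back through the public name on port 80 (the same connection the validation server will make), and only if that works runs certbot certonly --webroot. Every concrete value is an assumption, not something from the posts: domain mydomain.fr, webroot /var/www/html, forwarded HTTPS port 8443 standing in for the thread's xxxx, and the config path /etc/apache2/sites-available/acme-http.conf of a Debian-style Apache layout.

```shell
#!/bin/sh
# Added example, not code from the thread. Prepares an HTTPS-only Apache host for
# the HTTP-01 challenge and checks the challenge path from outside before certbot runs.
# Assumed placeholders (not from the original posts): domain mydomain.fr,
# webroot /var/www/html, forwarded HTTPS port 8443 (the thread's "xxxx"),
# config file /etc/apache2/sites-available/acme-http.conf.

ACME_PATH=".well-known/acme-challenge"

# Write a port-80 VirtualHost that serves the challenge directory over plain HTTP
# and sends every other request to HTTPS on the forwarded port. The challenge path
# is exempt from the redirect: Let's Encrypt only follows redirects to ports 80 and 443.
write_acme_vhost() {
    conf="$1"; webroot="$2"; domain="$3"; https_port="$4"
    cat > "$conf" <<EOF
<VirtualHost *:80>
    ServerName $domain
    ServerAlias www.$domain
    DocumentRoot $webroot

    <Directory "$webroot/$ACME_PATH">
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}:$https_port%{REQUEST_URI} [R=301,L]
</VirtualHost>
EOF
}

# Drop a throwaway token into the challenge directory and print its name.
place_probe() {
    webroot="$1"
    token="probe-$$-$(date +%s)"
    mkdir -p "$webroot/$ACME_PATH"
    printf '%s' "$token" > "$webroot/$ACME_PATH/$token"
    printf '%s\n' "$token"
}

# True only when the body fetched back equals the token that was placed.
probe_matches() { [ "$1" = "$2" ]; }

# Read the probe back the way the validation server will: plain HTTP on port 80
# of the public name, following redirects. Exit status 0 only if the body matches.
fetch_probe() {
    domain="$1"; token="$2"
    body=$(curl -sS -L --max-time 10 "http://$domain/$ACME_PATH/$token") || return 1
    probe_matches "$token" "$body"
}

# Obtain the certificate without letting certbot edit the Apache configuration.
issue_cert() {
    webroot="$1"; domain="$2"
    certbot certonly --webroot -w "$webroot" -d "$domain" -d "www.$domain"
}

main() {
    domain="$1"; webroot="$2"; https_port="$3"
    write_acme_vhost /etc/apache2/sites-available/acme-http.conf "$webroot" "$domain" "$https_port"
    a2enmod rewrite && a2ensite acme-http && apachectl configtest && systemctl reload apache2
    token=$(place_probe "$webroot")
    if fetch_probe "$domain" "$token"; then
        echo "challenge path reachable on port 80, running certbot"
        issue_cert "$webroot" "$domain"
    else
        echo "http://$domain/$ACME_PATH/ not reachable from outside: check the box forwards port 80 to this machine" >&2
    fi
    rm -f "$webroot/$ACME_PATH/$token"
}

# Usage on the Raspberry Pi, as root: sh acme-http01.sh mydomain.fr /var/www/html 8443
if [ $# -eq 3 ]; then main "$@"; fi
```

The redirect exemption is the part that is easy to get wrong on an HTTPS-only host: a blanket redirect to https://mydomain.fr:8443/ would send the validation server to a port it will not follow, so the challenge would fail even with port 80 forwarded correctly. If fetch_probe fails, port 80 of the public address is not reaching Apache, which is the same symptom as an http-01 "could not connect" error.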
On my internet box, the ports specified in these URLs are indeed forwarded to port 443 of the Raspberry Pi.
I do not use http to reach my sites.
The Apache configuration listens on port 80 and port 443.
My question, before testing via port 80:
Is there a difference between the certificates that will be generated via port 80 and those that will be generated via port 443? To be clear: if I generate them via port 80, will that have an impact on access to my sites via port 443?
I hope I have been clearer and more understandable. It is not easy to translate.
No. The goal of the verification process is only to prove that you control the domain. That can be done using either port 80 or port 443, with slightly different technology. Depending on how you use Certbot, it can potentially use either method. (certbot --apache uses only port 443 and assumes that an Apache server already exists that can listen on port 443. certbot --webroot uses only port 80, and assumes that some web server already exists that is listening on port 80. certbot --standalone can use either, and assumes that no other web server is listening on the chosen port.)
The certificate itself does not mention a port and can be used with any kind of TLS service on any port. This is true regardless of which method you use to prove your control of the domain.
Error message:
Failed authorization procedure. mydomain.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to mydomain.fr