Could not connect to mydomain.com.well-known


#1

Please fill out the fields below so we can help you better.

I ran this command: ./certbot-auto renew --dry-run

It produced this output:
Attempting to renew cert from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Failed authorization procedure. mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to mydomain.com.well-known. Skipping.

My web server is (include version): apache2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I'm getting the error message shown above while running a dry run. I think there is a problem in the domain name config because of this: "Could not connect to mydomain.com.well-known".
Shouldn't it be "mydomain.com/.well-known"?
I can reach it in my browser. My question is: how do I change this?


#2

Probably a redirect gone wrong (missing a /). But because you didn't post your real hostname, I can't check that.


#3

Okay, thank you. It's: smarthome-vergleich24.de


#4

As I suspected, you're redirecting HTTP to HTTPS. That's fine, Let's Encrypt will just follow the redirect, but the redirect is broken:

osiris@desktop ~ $ curl -LI http://smarthome-vergleich24.de/.well-known/acme-challenge/foo
HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Mar 2017 21:29:23 GMT
Server: Apache
Location: https://smarthome-vergleich24.de.well-known/acme-challenge/foo
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

curl: (6) Could not resolve host: smarthome-vergleich24.de.well-known
osiris@desktop ~ $ 

See? Your redirect is missing a / after the hostname. So you’ll have to go into your Apache configuration for this hostname (HTTP) and add a / to the redirect code.
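The Apache directive that produces a Location header like the one above is not shown in the thread, so the following is an added illustration, not the poster's configuration: a plausible broken HTTP-to-HTTPS redirect for the hostname from the thread, next to the corrected form. Apache's Redirect directive replaces the matched URL-path prefix ("/") with the target string verbatim, so a target with no trailing slash has the rest of the request path glued straight onto the hostname. The same thing happens with a mod_rewrite rule in .htaccess (per-directory context), where the captured path has already lost its leading slash.

```apache
# Added example, not taken from the thread. Hostname is the one the poster
# gave; everything else (document root, rewrite variant) is assumed.

# BROKEN: no "/" after the hostname. A request for
#   /.well-known/acme-challenge/foo
# is rewritten to
#   https://smarthome-vergleich24.de.well-known/acme-challenge/foo
# which is an unresolvable hostname, exactly what curl and the CA reported.
<VirtualHost *:80>
    ServerName smarthome-vergleich24.de
    Redirect permanent / https://smarthome-vergleich24.de
</VirtualHost>

# Equivalent mod_rewrite mistake in an .htaccess file (per-directory context,
# where $1 has no leading slash):
#   RewriteEngine On
#   RewriteCond %{HTTPS} off
#   RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

# FIXED: trailing "/" on the target, so the path is appended correctly:
#   https://smarthome-vergleich24.de/.well-known/acme-challenge/foo
<VirtualHost *:80>
    ServerName smarthome-vergleich24.de
    Redirect permanent / https://smarthome-vergleich24.de/
</VirtualHost>

# Same fix for the .htaccess variant: put the "/" back in the target.
#   RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
```

After reloading Apache, repeat the check from the post above (curl -LI http://smarthome-vergleich24.de/.well-known/acme-challenge/foo): the Location header must now contain "/.well-known/" directly after the hostname, and the final response should be a 404 from your own HTTPS vhost rather than a DNS failure. A 404 is expected for the dummy token "foo"; what matters is that the redirect lands on your server. Then rerun certbot-auto renew --dry-run.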


#5

Oh man thank you! That was it!


#6

While you're at it, you might want to improve your server's configuration even further:

osiris@desktop ~ $ openssl s_client -connect smarthome-vergleich24.de:443 -servername smarthome-vergleich24.de
CONNECTED(00000003)
depth=0 CN = smarthome-vergleich24.de
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = smarthome-vergleich24.de
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=smarthome-vergleich24.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
(...)

The intermediate certificate is missing. As all browsers only contain the root certificates of CAs, and such an intermediate is used between the root and the actual server certificate, clients need this intermediate to "complete" the chain to the root certificate.

That's probably because you've used cert.pem without chain.pem. If you're using an Apache version before 2.4.8, you'll need to add the directive SSLCertificateChainFile and point it to the appropriate chain.pem (same folder as your cert.pem and privkey.pem currently). Or, if your Apache version is 2.4.8 or newer, just change cert.pem to fullchain.pem (the latter is a file containing cert.pem + chain.pem in one file).
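The two Apache configurations described in the post above, written out as an added example (not the poster's actual vhost). The certificate paths assume certbot's default layout under /etc/letsencrypt/live/<domain>/, which is implied but never shown in the thread.

```apache
# Added example, not taken from the thread. Paths assume certbot's standard
# /etc/letsencrypt/live/<domain>/ directory, which the thread does not show.

# BROKEN (matches the openssl output above): only the leaf certificate is
# sent, so clients that do not already have the "Let's Encrypt Authority X3"
# intermediate cannot build a chain to a trusted root.
<VirtualHost *:443>
    ServerName smarthome-vergleich24.de
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/smarthome-vergleich24.de/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/smarthome-vergleich24.de/privkey.pem
</VirtualHost>

# FIXED, Apache older than 2.4.8: keep cert.pem and add the intermediate
# via SSLCertificateChainFile.
<VirtualHost *:443>
    ServerName smarthome-vergleich24.de
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/smarthome-vergleich24.de/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/smarthome-vergleich24.de/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/smarthome-vergleich24.de/chain.pem
</VirtualHost>

# FIXED, Apache 2.4.8 or newer: SSLCertificateFile may hold the whole chain,
# so point it at fullchain.pem (cert.pem + chain.pem) and drop the
# SSLCertificateChainFile directive, which is deprecated from 2.4.8 on.
<VirtualHost *:443>
    ServerName smarthome-vergleich24.de
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/smarthome-vergleich24.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/smarthome-vergleich24.de/privkey.pem
</VirtualHost>
```

Always reference the symlinks in live/ rather than the numbered files in archive/, otherwise the next renewal will silently leave Apache serving the old certificate. To confirm the fix, rerun the openssl s_client command from the post above: the "Certificate chain" section should now list two entries (0 for the server certificate, 1 for the Let's Encrypt intermediate) and, on a system with the usual CA bundle installed, the "unable to get local issuer certificate" and "unable to verify the first certificate" errors should be gone.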


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.