Could not connect to the client to verify the domain


#1

Please fill out the fields below so we can help you better.

My domain is:office.limefamily.cn

I ran this command: sudo certbot certonly --standalone

It produced this output: The server could not connect to the client to verify the domain :: Failed to connect to 124.207.241.1:443 for TLS-SNI-01 challenge

My operating system is (include version):CentOS 7

My web server is (include version):nginx 1.11

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I doubt if let`s encrypt server can reach my site.Can someone ping it,and let me konw.


#2

Have you got a firewall or anything blocking access to 124.207.241.1 from the general internet ?


#3

I do not have a firewall. Add --standalone-supported-challenges http-01 param also get similar error message.

When i use webroot everything is OK,but I don’t want keep a port 80 opened for cert renew.


#4

Your connection is pretty slow from the U.S. It’s possible to ping your server, though.

The errors resulting from trying to connect to ports 80 and 443 are different from the errors from trying to connect to other ports, suggesting a possible firewall somewhere in the path. I’ve read that some Chinese ISPs restrict the ability for customers to receive inbound connections on ports 80 or 443, so you might want to check if this is the case for your ISP.


#5

Output of tcpdump:

IP outbound1.letsencrypt.org.36142 > localhost.localdomain.https: Flags [S], seq 3869473579, win 29200, options [mss 1448,sackOK,TS val 249426250 ecr 0,nop,wscale 7], length 0

only one related line with no ack package back.


#6

Assuming you’re running tcpdump on the server, if your server didn’t ACK the inbound SYN, isn’t that likely to be a configuration problem of some kind with the server?


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.