Debian Apache: The server could not connect to the client to verify the domain

I'm seeing the following errors when I use this command on Debian Jessie, with Apache: ./letsencrypt-auto --apache --text -vv

Failed authorization procedure. $HOSTNAME (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

  • The following 'urn:acme:error:connection' errors were reported by
    the server:

    Domains: $HOSTNAME
    Error: The server could not connect to the client to verify the
    domain

My server is listening on port 443, but obviously is not currently serving up valid SSL yet, and my machine seems to be able to resolve itself via DNS.

Any ideas?

Following is a pretty-printed version of the response I got back from letsencrypt -vv

{'Content-Length': '910', 'Expires': 'Wed, 06 Jan 2016 20:43:35 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Wed, 06 Jan 2016 20:43:35 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'YqOH731ogMeJoKmrt81Wl5QzBgWWul7D0qw_M5QHc-0'}): '{"identifier":{"type":"dns","value":"$HOSTNAME"},"status":"invalid","expires":"2016-01-13T20:43:28Z","challenges":[{"type":"tls-sni-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Failed to connect to host for DVSNI challenge"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/9W0gK6F36_tVdBJ-xGdnhum96rxRbchKT9BH4HXKWFM/4855107","token":"AnkNfz4YVPP5IfJOjmv7ChDAirpFIXd4M_3lidOy3aU","keyAuthorization":"AnkNfz4YVPP5IfJOjmv7ChDAirpFIXd4M_3lidOy3aU.qka3_mhdMcaWe_LUMPcmrgbvpa1fOj0CWh-iHSEDy2E","validationRecord":[{"hostname":"$HOSTNAME","port":"443","addressesResolved":["$IP_ADDR"],"addressUsed":"$IP_ADDR"}]},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/9W0gK6F36_tVdBJ-xGdnhum96rxRbchKT9BH4HXKWFM/4855108","token":"sTIH9yTG1cRK7A94aJHnH7oTYVt4bLSmrBDOYhLfmQQ"}],"combinations":[[1],[0]]}' } }

Is your server responding to https on port 443? Or incorrectly, to http? Is the SSL cert for the correct domain?

You may be better off turning off https if it doesn't currently work correctly via https.

Currently SSL is switched off entirely on the server. netstat tells me nothing is currently listening on TCP port 443.

OK, if it's the same error, then you will need to open up port 443 and use a self-signed cert for the domain name (temporarily) whilst it checks, and it will then provide a full SSL cert…
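As an added diagnostic (not the letsencrypt client's own code), the script below reproduces what the tls-sni-01 validator has to do before it can verify the domain: resolve the name, connect to port 443 and complete a TLS handshake with SNI, without caring whether the certificate is valid, and it reports the result in the shape of the validationRecord shown above. The hostname argument and the optional address override are assumed inputs; "refused" is the state netstat showed in the thread, and a self-signed cert is enough to reach "tls-ok".

```python
import json
import socket
import ssl


def resolve(hostname):
    """Addresses the validator would see for the name (like addressesResolved)."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_tls_listener(hostname, port=443, timeout=5.0, address=None):
    """Classify what a tls-sni-01 validator would hit at hostname:port.

    Returns a dict shaped like the thread's validationRecord plus 'outcome':
    'no-address', 'refused', 'timeout', 'not-tls', 'tls-ok' or 'error'.
    Certificate verification is disabled on purpose: a self-signed cert is
    enough to get 'tls-ok', which is the temporary fix proposed in the reply.
    """
    addresses = resolve(hostname)
    target = address or (addresses[0] if addresses else None)  # address: assumed override
    record = {"hostname": hostname, "port": str(port),
              "addressesResolved": addresses, "addressUsed": target}
    if target is None:
        record["outcome"] = "no-address"   # DNS does not resolve the name
        return record
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                record["outcome"] = "tls-ok"
                record["tlsVersion"] = tls.version()
    except ConnectionRefusedError:
        record["outcome"] = "refused"    # nothing bound to the port (the netstat case)
    except socket.timeout:
        record["outcome"] = "timeout"    # SYN or handshake dropped, usually a firewall
    except ssl.SSLError:
        record["outcome"] = "not-tls"    # port answers, but not with a TLS handshake
    except OSError:
        record["outcome"] = "error"
    return record


if __name__ == "__main__":
    import sys
    print(json.dumps(check_tls_listener(sys.argv[1]), indent=2))
```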

Great, that’s fixed it. Thanks!
