Debian Jessie apache 2 plugin "urn:acme:error:connection" errors


#1

When trying to use the apache plugin on my server, I get the following response

	Which names would you like to activate HTTPS for?
	-------------------------------------------------------------------------------
	1: jupiter.valimmoblier.ch
	2: valimmobilier.ch
	3: www.valimmobilier.ch
	-------------------------------------------------------------------------------
	Select the appropriate numbers separated by commas and/or spaces (Enter 'c' to
	cancel):2 3
	2015-12-29 14:36:07,676:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:08,056:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0011_key-letsencrypt.pem
	2015-12-29 14:36:08,060:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0011_csr-letsencrypt.pem
	2015-12-29 14:36:08,063:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:08,343:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:08,599:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:08,848:INFO:letsencrypt.auth_handler:Performing the following challenges:
	2015-12-29 14:36:08,848:INFO:letsencrypt.auth_handler:tls-sni-01 challenge for valimmobilier.ch
	2015-12-29 14:36:08,848:INFO:letsencrypt.auth_handler:tls-sni-01 challenge for www.valimmobilier.ch
	2015-12-29 14:36:12,752:INFO:letsencrypt.auth_handler:Waiting for verification...
	2015-12-29 14:36:12,761:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:13,013:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:16,258:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:16,495:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
	2015-12-29 14:36:16,708:INFO:letsencrypt.reporter:Reporting to user: The following 'urn:acme:error:connection' errors were reported by the server:

	Domains: valimmobilier.ch, www.valimmobilier.ch
	Error: The server could not connect to the client to verify the domain
	2015-12-29 14:36:16,708:INFO:letsencrypt.auth_handler:Cleaning up challenges
	Failed authorization procedure. www.valimmobilier.ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge, valimmobilier.ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

	IMPORTANT NOTES:
	 - The following 'urn:acme:error:connection' errors were reported by
	   the server:

	   Domains: valimmobilier.ch, www.valimmobilier.ch
	   Error: The server could not connect to the client to verify the
	   domain

This is a newly set up Jessie machine; the site www.valimmoblier.ch is reachable from the internet.


#2

Do you have a .htaccess ( or other) redirect that could be preventing access to valimmobilier.ch/.well-known/acme-challenge/xxxxxx files ?

If you manually place a file there, can you reach it in the browser ?


#3

No .htaccess

Yes : http://valimmobilier.ch/.well-known/acme-challenge/123.txt


#4

The apache plugin uses tls-sni-01 via HTTPS on port 443, not http-01 (which works with .well-known/acme-challenge).

It looks like there’s currently some misconfigured HTTPS server running on your domain (try connecting to https://www.valimmobilier.ch). It’s possible that this is interfering with Let’s Encrypt when it’s trying to set up the vhost for tls-sni-01. Do you have any existing SSL vhost, or something else that would interfere with port 443?


#5

Ok… www.valimmoblier.ch was listening on ANY port. Switched to 80 only and I got my cert.
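The root cause in #4 and #5 is a `<VirtualHost>` bound to every port, so it also captured the port 443 connections the Let's Encrypt validator made for the tls-sni-01 challenge. The following script is an added example, not code from this thread or from the Let's Encrypt client: it parses a small, constructed Apache vhost configuration (the hostnames and paths are hypothetical) and flags every vhost whose address spec binds no explicit port, or port `*`, because such a vhost answers on any `Listen` port, 443 included, and collides with whatever the client or an SSL vhost expects to own there.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configuration (not the poster's real config): the first vhost
# has no port and so matches every Listen port, the second is bound to 80 only,
# and the third is an explicit TLS vhost on 443.
SAMPLE_CONFIG = """
<VirtualHost *>
    ServerName www.example.test
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:80>
    ServerName blog.example.test
    DocumentRoot /var/www/blog
</VirtualHost>

<VirtualHost [::]:443 *:443>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
"""

# Matches each <VirtualHost ...> ... </VirtualHost> block; group 1 is the
# whitespace-separated list of address specs, group 2 the directives inside.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def bound_port(addr: str) -> Optional[int]:
    """Return the port an Apache address spec binds, or None if it binds any port.

    Apache syntax is addr[:port] with IPv6 literals in brackets:
    "*" and "*:*"  -> any port;  "*:80", "[::]:443", "10.0.0.1:443" -> that port.
    """
    if addr.startswith("["):
        rest = addr[addr.index("]") + 1:]        # "" or ":port"
    else:
        _host, sep, port = addr.partition(":")
        rest = sep + port                        # "" or ":port"
    if rest in ("", ":*"):
        return None
    return int(rest[1:])


def parse_vhosts(config: str) -> List[Dict]:
    """Extract address specs, ServerName and SSLEngine state for every vhost."""
    vhosts = []
    for match in VHOST_RE.finditer(config):
        body = match.group(2)
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        ssl = re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I)
        vhosts.append({
            "addresses": match.group(1).split(),
            "server_name": name.group(1) if name else None,
            "ssl": ssl is not None,
        })
    return vhosts


def find_port_443_conflicts(config: str) -> List[str]:
    """ServerNames of vhosts that would also answer on port 443 without saying so.

    A vhost with an any-port address spec matches connections on every port
    Apache listens on; if 443 is open it intercepts TLS handshakes meant for
    the challenge vhost (or any real SSL vhost) and, lacking SSLEngine, speaks
    plain HTTP to a TLS client, which is what a "misconfigured HTTPS server"
    symptom usually looks like.
    """
    conflicts = []
    for vhost in parse_vhosts(config):
        if any(bound_port(a) is None for a in vhost["addresses"]):
            conflicts.append(vhost["server_name"] or "<no ServerName>")
    return conflicts


if __name__ == "__main__":
    for vhost in parse_vhosts(SAMPLE_CONFIG):
        print(vhost["server_name"], vhost["addresses"], "SSL" if vhost["ssl"] else "plain")
    print("vhosts that also capture port 443:", find_port_443_conflicts(SAMPLE_CONFIG))
```

On a real host the input would be the output of `apachectl -S` or the concatenated files under `/etc/apache2/sites-enabled/`; the fix the thread arrived at is exactly turning the flagged `<VirtualHost *>` into `<VirtualHost *:80>` so port 443 is free for the challenge vhost.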