Error at cert renewal, need help


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: sudo certbot certonly --agree-tos --rsa-key-size 4096 --renew-by-default -m postmaster@mydomain.com --standalone -d mail.mydomain.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mail.mydomain.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mail.mydomain.com (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mail.mydomain.com
    Type: connection
    Detail: Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): N/A. The letsencrypt SSL cert is on the email server (not Web server)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

Additional Info:
From /var/log/letsencrypt/letsencrypt.log -

2018-09-25 04:13:16,569:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {‘type’: ‘tls-alpn-01’, ‘status’: ‘pending’, ‘url’: 'https://acme-v02.api.letsencrypt.org/acme/c$
2018-09-25 04:13:19,573:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/acme/authz/SDmf5hX6wcPdcH52c-F3I5F1eydhonsRhJPfvYrd4Jk.
2018-09-25 04:13:19,690:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 “GET /acme/authz/SDmf5hX6wcPdcH52c-F3I5F1eydhonsRhJPfvYrd4Jk HTTP/1.1” 200 1570
2018-09-25 04:13:19,692:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1570
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 25 Sep 2018 11:13:19 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 25 Sep 2018 11:13:19 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “mail.mydomain.com
},
“status”: “invalid”,
“expires”: “2018-10-02T11:13:06Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/SDmf5hX6wcPdcH52c-F3I5F1eydhonsRhJPfvYrd4Jk/7658546445”,
“token”: “QoCGjQGKmAXHiuIyh-TrzLxWidCK9gGXDxIdLKVkP6w”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/SDmf5hX6wcPdcH52c-F3I5F1eydhonsRhJPfvYrd4Jk/7658546446”,
“token”: “mzPI34JbC4p2ii4iTWVGsO1TTTWQze7NVwNooRDAt18”,
“validationRecord”: [
{
“hostname”: “mail.mydomain.com”,
“port”: “443”,
“addressesResolved”: [
“correct IP address here”
],
“addressUsed”: “correct IP address here”
}
]
},
{
“type”: “http-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/SDmf5hX6wcPdcH52c-F3I5F1eydhonsRhJPfvYrd4Jk/7658546447”,
“token”: “UIkQuaDSPJH0RRJEKASbsCTECJ8ux44aSkIZcpuG4IQ”
},
{
“type”: “tls-alpn-01”,
“status”: “invalid”,
“url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/SDmf5hX6wcPdcH52c-F3I5F1eydhonsRhJPfvYrd4Jk/7658546450”,
“token”: “oMczcv3rHATQR2GPXcOdt64ydFyk9mdzrpApcJr9RYs”
}
]
}
2018-09-25 04:13:19,693:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {‘type’: ‘tls-alpn-01’, ‘status’: ‘invalid’, ‘url’: 'https://acme-v02.api.letsencrypt.org/acme/c$
2018-09-25 04:13:19,695:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: mail.mydomain.com
Type: connection
Detail: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-09-25 04:13:19,696:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. mail.mydomain.com (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during connect (likely firewall problem)

2018-09-25 04:13:19,697:DEBUG:certbot.error_handler:Calling registered functions
2018-09-25 04:13:19,697:INFO:certbot.auth_handler:Cleaning up challenges
2018-09-25 04:13:19,698:DEBUG:certbot.plugins.standalone:Stopping server at 0.0.0.0:443…
2018-09-25 04:13:19,978:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.26.1’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1364, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1254, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 115, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 305, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File “/usr/lib/python3/dist-packages/certbot/auth_handler.py”, line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. mail.mydomain.com (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout during connect (likely firewall problem)

Additional Notes:
The firewall is set to log every drop and reject. kern.log shows nothing was dropped or rejected by the firewall at the time of the certbot error. Also tried temporarily disabling the firewall, with the same result. The server is reachable by users on public IP.


#2

Are you sure it’s reachable? I can’t access it on port 443, which Let’s Encrypt validation was using, or on port 80, or with ping. It all times out.

Are you sure every firewall allows it? The modem, router, and computer? Do they block some ISPs?


#3

Well found the root cause … port forwarding on the router! Renewed.

Perhaps you could add that hint to the letsencrypt error message so that others stuck here don’t spend hours debugging the firewall. :slight_smile:

Thanks!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.