Error:connection :: The server could not connect to the client to verify the domain :: Fetching

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mydomain.com

I ran this command: certbot renew

It produced this output: root@hostname:/etc/apache2/sites-available# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/lists.mydomain.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lists.mydomain.com
http-01 challenge for webmail.mydomain.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (lists.mydomain.com) from /etc/letsencrypt/renewal/lists.mydomain.com.conf produced an unexpected error: Failed authorization procedure. lists.mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://lists.mydomain.com/.well-known/acme-challenge/a5kAk7x_p8uZaRi1zMD2g6Adpa-T8oWyIiuR0lr77N8: Connection refused, webmail.mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://webmail.mydomain.com/.well-known/acme-challenge/fGYow8y1MMpq-Wk785awm9qu28kuBxj8yXlGO5L_sh0: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lists.mydomain.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/lists.mydomain.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): /usr/sbin/apache2 -v
Server version: Apache/2.4.25 (Univention)
Server built: 2019-08-27T07:00:50

The operating system my web server runs on is (include version): root@hostname:/etc/apache2/sites-available# cat /etc/lsb_release -a
cat: invalid option -- 'a'
Try 'cat --help' for more information.
root@hostname:/etc/apache2/sites-available# lsb_release -a
No LSB modules are available.
Distributor ID: Univention
Description: Univention Corporate Server 4.4-2 errata298 (Blumenthal)
Release: 4.4-2 errata298
Codename: Blumenthal
root@hostname:/etc/apache2/sites-available# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
VERSION_CODENAME=stretch
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@hostname:/etc/apache2/sites-available# uname -r
4.9.0-11-amd64

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): root@hostname:/etc/apache2/sites-available# certbot --version
certbot 0.28.0

certbot.errors.FailedChallenges: Failed authorization procedure. lists.mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://lists.mydomain.com/.well-known/acme-challenge/a5kAk7x_p8uZaRi1zMD2g6Adpa-T8oWyIiuR0lr77N8: Connection refused, webmail.mydomain.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://webmail.mydomain.com/.well-known/acme-challenge/fGYow8y1MMpq-Wk785awm9qu28kuBxj8yXlGO5L_sh0: Connection refused

Hi @taxiarxos

please share your domain name.

And read some basics:

An open port 80 is required to use http validation. Your error says: You don’t have a working port 80.

1 Like

Hello Juergen,

Thank you very much for your quick response. I am waiting for confirmation from our DPO/GDPR Advisor before posting the real domain name.

Regarding this: An open port 80 is required to use http validation. Your error says: You don’t have a working port 80.

I am testing from outside towards our web/mail server and ports 80/443 are open.

I do:

telnet mydomain.com 80
telnet mydomain.com 443
telnet lists.mydomain.com 80
telnet lists.mydomain.com 443
telnet webmail.mydomain.com 80
telnet webmail.mydomain.com 443

Could you please verify the direction of validation required to renew the certificate?
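The direction asked about above is the one Juergen describes: the Let's Encrypt validation server acts as an HTTP client and connects to port 80 of the name being validated, fetching `/.well-known/acme-challenge/<token>`. A TCP connect with telnet only shows that something is listening; the check below goes one step further and fetches a constructed test token over plain HTTP, classifying "Connection refused" separately from a 404 or a redirect. This is an added example, not code from the thread, from Certbot or from Let's Encrypt. It assumes the challenge directory is served straight from a document root (webroot-style); with Certbot's apache authenticator the challenge response is served through a temporary Apache configuration rather than by writing files into the site's document root, so the absence of new files there is expected in that setup. The host names, the webroot path and the token contents in the demo are constructed.

```python
"""Added example: reachability check for the ACME http-01 challenge path,
run in the same direction as Let's Encrypt's validation (HTTP client -> port 80)."""
import functools
import http.client
import os
import secrets
import socket
import tempfile
import threading
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def write_test_token(webroot):
    """Write a constructed self-test token under <webroot>/.well-known/acme-challenge/.
    The content is not a real ACME key authorization, just something recognisable."""
    token = secrets.token_urlsafe(32)
    content = token + ".self-test"
    target = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target, exist_ok=True)
    with open(os.path.join(target, token), "w", encoding="ascii") as fh:
        fh.write(content)
    return token, content


def fetch_challenge(host, token, port=80, timeout=5.0):
    """GET http://host:port/.well-known/acme-challenge/<token> over plain HTTP and
    classify the outcome. A refused connection is reported on its own because that
    is exactly the symptom in the thread: nothing reachable on port 80."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/.well-known/acme-challenge/" + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        return {"ok": resp.status == 200, "status": resp.status, "body": body,
                "location": resp.getheader("Location"), "error": None}
    except ConnectionRefusedError:
        return {"ok": False, "status": None, "body": None, "location": None,
                "error": "connection refused"}
    except (socket.timeout, OSError) as exc:
        return {"ok": False, "status": None, "body": None, "location": None,
                "error": type(exc).__name__}
    finally:
        conn.close()


def verify_challenge(host, token, expected, port=80, timeout=5.0):
    """Fetch the token and check that the served body matches what was written.
    Caveat: real validation servers follow redirects (including to HTTPS); this
    check does not, so a 301/302 result exposes the Location for inspection."""
    result = fetch_challenge(host, token, port, timeout)
    result["matches"] = bool(result["ok"] and result["body"] == expected)
    return result


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def serve_webroot(webroot):
    """Serve <webroot> on a random loopback port in a daemon thread (demo stand-in
    for the real web server)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port():
    """Return a loopback port with no listener, to reproduce 'Connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_local_demo():
    """Exercise both outcomes against a constructed local webroot: a served token
    that matches, and a port with nothing listening (the thread's failure mode)."""
    with tempfile.TemporaryDirectory() as webroot:
        token, content = write_test_token(webroot)
        server, port = serve_webroot(webroot)
        try:
            served = verify_challenge("127.0.0.1", token, content, port=port)
        finally:
            server.shutdown()
            server.server_close()
        refused = verify_challenge("127.0.0.1", token, content, port=unused_port())
    return {"served": served, "refused": refused}


if __name__ == "__main__":
    import json
    import sys
    # Real use (hypothetical names): python3 acme_http01_check.py lists.example.com /var/www/html
    if len(sys.argv) == 3:
        tok, body = write_test_token(sys.argv[2])
        print(json.dumps(verify_challenge(sys.argv[1], tok, body), indent=2))
    else:
        print(json.dumps(run_local_demo(), indent=2))
```

Run it from a machine outside your network with the public host name and the document root the vhost actually serves; a `"connection refused"` result means no listener answered on port 80 from that vantage point, a 404 means port 80 works but the path is not served from that directory, and a `status` of 301/302 with a `location` means a redirect is in the way that this strict check does not follow.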

We just double checked the ports and firewall rules and all looks like it is working fine. The problem seems to be with the token generation: the tokens aren't created in the directory /.well-known/acme-challenge/

We are able to see only the old tokens.

Could you please help us?

lists.mydomain.com (screenshot of the directory listing)

webmail.mydomain.com (screenshot of the directory listing)

We have checked the permissions on both directories and they are the same…

Still looking for a solution… Looks like the new tokens aren’t able to get created.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.