Error: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge

Hello,
I have Debian 7 and Apache and I manage the server myself. I tried to get and install a certificate with the command

/path/to/certbot-auto --apache

but I got the following error:

Failed authorization procedure. xxxxx.dz (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xxxxx.dz
    Type: connection
    Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

can you help me solve this problem?

Hi @pipa_85,

Are you sure that the public is really able to connect directly from the Internet to port 443 of your server?

Thank you for the reply. No, they can’t; neither can I, not even from the intranet. In reality, this is the first time I try to use https, so I have only applied the instructions given here; I didn’t do anything else before. Can you help me?

hi @pipa_85

the apache plugin allows verification via port 443 only

there is also a DNS challenge and HTTP challenge however you may want to split out the installer and authenticator

Andrei

The manager of our network didn’t block port 443 in the firewall, the proof of this is that I downloaded certbot with this method:
wget https://dl.eff.org/certbot-auto

I don’t really understand this problem. Normally, it is after creating certificates that you can use port 443, but the certificates are not created (there is no directory /etc/letsencrypt/live), so why then access the server with this port?
In the apache log, I have these warnings :
Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist (maybe because the tls-sni-01 challenge failed)
[warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[warn] RSA server certificate CommonName (CN) 'dummy' does NOT match server name!?

hi @pipa_85

you are going to need to share your domain name

The manager of our network didn't block port 443 in the firewall, the proof of this is that I downloaded certbot with this method:
wget https://dl.eff.org/certbot-auto

there is a difference between blocking outbound and inbound connections on a firewall

it may be that your server is listening on HTTPS (port 443) and certbot is not able to use it to serve up what is needed

Andrei

The network manager showed me the configuration of the firewall and I saw this rule:
WAN to mywebsite.dz and I saw next to this rule http and https

I activated SSL with the command “a2enmod ssl”. I didn’t know that I had to activate it; I thought that it was enough to have openssl installed. Now, from the intranet, when I type the local IP address of the server with port 443 (xxxx:443) it displays the default page of Apache (It works!). But outside (from the internet), when I type the public IP address of the server with port 443 (xxxx:443) it says that the site is inaccessible.

Does that mean the problem is the firewall?
thank you for your help

@pipa_85

at this stage i am going to tap out and not offer any more assistance

if you review other posts that we worked on we were able to help customers who provided us their domain names by checking things such as is the HTTPS port open etc

the lack of ssl connectivity could be a firewall or a server problem

But as I said if you are not able to provide the information needed for troubleshooting then you should be able to troubleshoot it yourself

you can’t not know how to troubleshoot an issue and then deny the information to those who can and want to help you - in my humble opinion

Andrei

for your review as an example: Let's encrypt + vpssim

Andrei

Here is my domain:

elearning.univ-bejaia.dz

can you please help me

I don’t have much experience in system administration that’s why I avoid giving too much information

People are reporting the same issue when using traefik:

@cpu @jsha
Sorry for summoning you, but this seems like a critical issue

Thanks for letting us know. Looking now.

Looks like there was indeed an issue, but our Ops team had already fixed it by the time I checked in. They’ve fixed it now and posted a retroactive entry on our status page: https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/58d3fe1cee7b84fc2f002092.

In short, we enabled some new firewall rules filtering outbound traffic, but they were too aggressive, so we turned them back off.


@pipa_85, does this work any better for you now that these fixes have been made?

Thank you all for the replies. Unfortunately I can’t check now because the network manager has blocked ssh access from outside the local network and I forgot to tell him to activate it for me, and I don’t work on Friday and Saturday (weekend). I will let you know this Sunday.

Seems your site can be reached through HTTPS (port 443) now. It shows an invalid certificate, but that's OK: you were here to get a valid certificate in the first place, so we'll need to work on that :wink:

You might want to try the original command again next sunday: perhaps it works now :slight_smile:

Yes you’re right, when I enter https://elearning.univ-bejaia.dz in firefox, it shows this (in french for me):

The owners of elearning.univ-bejaia.dz have misconfigured their website. To prevent your data from being stolen, Firefox has not connected to this website.
Elearning.univ-bejaia.dz uses an invalid security certificate.
… etc

Yes, I want to run again this command next Sunday and I hope it will work

Hi Pipa, try to shut down the Apache server and execute the certificate installation; maybe this helps.
After installation of the certificate, start the Apache server again. Port 443 should be open before you install.

Hello,
I apologize in advance for the length of the message
I have run the same command today (/path/to/certbot-auto --apache) but the error has changed:

Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter ‘c’ to cancel):1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for elearning.univ-bejaia.dz
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. elearning.univ-bejaia.dz (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested f295c7a99a7e28b45bea937b29efa440.6e11c1e1716cfddaf213375d167408c3.acme.invalid from 193.194.94.10:443. Received 1 certificate(s), first certificate had names “fv-3kd3r14800074”

IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: elearning.univ-bejaia.dz
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested f295c7a99a7e28b45bea937b29efa440.6e11c1e1716cfddaf213375d167408c3.acme.invalid
    from 193.194.94.10:443. Received 1 certificate(s), first
    certificate had names “fv-3kd3r14800074”

To fix these errors, please make sure that your domain name was entered correctly
and the DNS A record(s) for that domain contain(s) the right IP address.

I had the same error even after turning off Apache. To check that port 443 is open I have run these two commands:
nmap -sT -O localhost

Starting Nmap 6.00 ( http://nmap.org ) at 2017-03-26 09:00 CET
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000024s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https

And

netstat -plnt
Connexions Internet actives (seulement serveurs)
Proto Recv-Q Send-Q Adresse locale Adresse distante Etat PID/Program name
tcp 0 0 0.0.0.0:60485 0.0.0.0:* LISTEN 2216/rpc.statd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 3169/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2563/smbd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 2175/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2734/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4464/exim4
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2563/smbd
tcp6 0 0 :::139 :::* LISTEN 2563/smbd
tcp6 0 0 :::111 :::* LISTEN 2175/rpcbind
tcp6 0 0 :::80 :::* LISTEN 7785/apache2
tcp6 0 0 :::22 :::* LISTEN 2734/sshd
tcp6 0 0 ::1:25 :::* LISTEN 4464/exim4
tcp6 0 0 :::443 :::* LISTEN 7785/apache2

To check the DNS A record I have run this command:
nslookup elearning.univ-bejaia.dz

In addition to the two files “default” and “default-ssl” in /etc/apache/sites-availables, there is the same file in /etc/apache/sites-availables and in /etc/apache/sites-enabled containing the following lines:

<VirtualHost *:80>
    ServerName elearning.univ-bejaia.dz
    ServerAdmin xxxxxx@univ-bejaia.dz
    DocumentRoot /var/www/xxx/
    ErrorLog /var/log/apache2/xxx_error.log
    CustomLog /var/log/apache2/xxx_access.log combined
</VirtualHost>

I don’t know what to do, I will do research on this error

PS: the name of my machine obtained with the hostname command is not the same as the domain name

I am waiting for your help

Thank you
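The two errors in this thread are the two things a TLS-SNI-01 validator can observe from outside: first it could not open a TCP connection to port 443 at all (firewall, NAT or nothing listening), and later it connected but the server answered the `…acme.invalid` SNI with its ordinary certificate, whose only name was the machine's hostname. `nmap` and `netstat` on the box itself show that Apache listens on 443, but they say nothing about what an external client receives. The following Python script is an added example, not code from the thread, from certbot or from Let's Encrypt: it connects to a host, sends a chosen SNI value, and reports the names on whatever certificate comes back, mapping the outcome onto the failure modes seen above. It uses only the standard library; the subjectAltName and CommonName readers are deliberately minimal DER scanners (they look for the OID bytes and walk the following structure), not a full X.509 parser, and the DER fragment used for the self-check is constructed here rather than taken from a real certificate. The validation name from the certbot output is only served while a challenge is in progress, so for an everyday check you would send the site's real domain name as the SNI.

```python
"""TLS/SNI probe for diagnosing TLS-SNI-01 style failures (added example)."""
import socket
import ssl
import sys

# DER-encoded OBJECT IDENTIFIERs: 2.5.29.17 (subjectAltName) and 2.5.4.3 (commonName)
_SAN_OID = bytes.fromhex("0603551d11")
_CN_OID = bytes.fromhex("0603550403")
_STRING_TAGS = {0x0C, 0x13, 0x14, 0x16}  # UTF8String, PrintableString, T61String, IA5String


def _read_len(der, pos):
    """Decode a DER length starting at der[pos]; return (length, offset of the value)."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(der[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def extract_dns_names(der):
    """Return the dNSName entries of the subjectAltName extension, or [] if none is found.

    Scans for the SAN OID, skips the optional 'critical' BOOLEAN, then walks the
    GeneralNames SEQUENCE inside the extension's OCTET STRING collecting tag [2] entries.
    """
    start = 0
    while True:
        idx = der.find(_SAN_OID, start)
        if idx == -1:
            return []
        start = idx + 1
        pos = idx + len(_SAN_OID)
        try:
            if der[pos] == 0x01:          # BOOLEAN critical (01 01 FF) is optional
                pos += 3
            if der[pos] != 0x04:          # extnValue must be an OCTET STRING
                continue
            _, pos = _read_len(der, pos + 1)
            if der[pos] != 0x30:          # GeneralNames is a SEQUENCE
                continue
            seq_len, pos = _read_len(der, pos + 1)
        except IndexError:
            continue
        end, names = pos + seq_len, []
        while pos < end:
            tag = der[pos]
            length, pos = _read_len(der, pos + 1)
            if tag == 0x82:               # [2] IMPLICIT IA5String = dNSName
                names.append(der[pos:pos + length].decode("ascii", "replace"))
            pos += length
        return names


def extract_common_names(der):
    """Return every CN string in the blob (subject and issuer; identical for self-signed certs)."""
    names, start = [], 0
    while True:
        idx = der.find(_CN_OID, start)
        if idx == -1:
            return names
        start = idx + 1
        pos = idx + len(_CN_OID)
        if pos < len(der) and der[pos] in _STRING_TAGS:
            length, pos = _read_len(der, pos + 1)
            names.append(der[pos:pos + length].decode("utf-8", "replace"))


def probe_tls_sni(host, port, sni, timeout=5.0):
    """Connect to host:port, offer `sni` in the ClientHello and report what the server presents.

    Verification is disabled on purpose: a TLS-SNI-01 responder serves a self-signed
    certificate, and the point is to see what is served, not to trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = {"reachable": False, "error": None, "names": [], "common_names": []}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True           # TCP worked: not a firewall/NAT problem
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError as exc:                       # covers timeouts, refusals and ssl.SSLError
        result["error"] = str(exc)
        return result
    result["names"] = extract_dns_names(der)
    result["common_names"] = extract_common_names(der)
    return result


def diagnose(result, expected_sni):
    """Map a probe result onto the failure modes reported by the validator."""
    if not result["reachable"]:
        return "unreachable: " + (result["error"] or "no TCP connection")
    if result["error"]:
        return "handshake-failed: " + result["error"]
    if expected_sni in result["names"]:
        return "ok"
    seen = result["names"] + result["common_names"]
    return "wrong-certificate: requested %s, received names %s" % (expected_sni, seen)


def _tlv(tag, body):
    """Short-form DER TLV helper, used only to build the constructed sample below."""
    return bytes([tag, len(body)]) + body


# Constructed sample: a CN attribute followed by a SAN extension, mimicking a server
# that answers with its hostname certificate. Not a real certificate.
SAMPLE_DER_FRAGMENT = (
    _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, b"fv-3kd3r14800074"))
    + _tlv(0x30, _tlv(0x06, bytes.fromhex("551d11"))
           + _tlv(0x04, _tlv(0x30, _tlv(0x82, b"a.example") + _tlv(0x82, b"b.example"))))
)

if __name__ == "__main__":
    # Usage: python probe.py <host> <port> <sni>
    host, port, sni = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(diagnose(probe_tls_sni(host, port, sni), sni))
```

Run it from a machine outside the server's network: an "unreachable" result points at the firewall or NAT, "handshake-failed" at a listener that is not speaking TLS, and "wrong-certificate" at the situation in the second error above, where the default virtual host answers every SNI with the same certificate.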