It’s weird, dl.eff.org's certificate chains to Comodo, I would have guessed it was trusted on pretty much literally everything. And it serves the same certificate with or without SNI. I haven’t checked Debian 7, but I’d be shocked if the applicable roots weren’t included.
Maybe the connection actually is being MITMed.
@aleon, can wget download from other HTTPS sites? Does, say, curl work? Is the ca-certificates package installed? Could you have disabled the Comodo roots after one of their security incidents, maybe around 2008? Is there some corporate/enterprise/government MITM/proxy device on the network intercepting connections? Can you get more information about what certificate is being served?
E.g. with “openssl s_client -connect dl.eff.org:443 -servername dl.eff.org </dev/null | openssl x509 -noout -text”. Or something less clumsy if possible.
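As an added example (not from the thread's own posts), here is a small POSIX shell script that wraps the openssl s_client check suggested above: it fetches what the host serves with and without SNI, compares the leaf fingerprints, and turns the "Verify return code" into one of the explanations raised in this thread (missing ca-certificates bundle or disabled roots, an intercepting proxy, expiry). It assumes openssl(1) is installed and that `-noservername` is available (OpenSSL 1.1.1 or newer); the host and port are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example, not from the thread: check local trust of a host's
# certificate and compare what is served with and without SNI.
# Assumes openssl(1) 1.1.1+ (for -noservername). HOST/PORT are arguments.

# Run a TLS handshake against host:port, with (yes) or without (no) SNI,
# and print openssl s_client's full output (certificate plus verify line).
s_client_out() {
  host=$1; port=${2:-443}; use_sni=${3:-yes}
  if [ "$use_sni" = yes ]; then
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:$port" -noservername </dev/null 2>/dev/null
  fi
}

# Extract the numeric verify code from s_client output on stdin, e.g.
# "    Verify return code: 20 (unable to get local issuer certificate)" -> 20
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# SHA-256 fingerprint of the leaf certificate in s_client output on stdin.
leaf_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Map an OpenSSL X509 verify code to the likely cause, in local-trust terms.
diagnose() {
  case "$1" in
    0)     echo "ok: chain verified against the local CA store" ;;
    10)    echo "expired certificate (check the server, and the local clock)" ;;
    18|19) echo "self-signed certificate in chain: intercepting proxy, or a missing root" ;;
    20|21) echo "issuer not found locally: ca-certificates missing, root disabled, or incomplete chain from the server" ;;
    *)     echo "verify code $1: see 'man verify' for the meaning" ;;
  esac
}

# Full report for one host: verify status, fingerprints with/without SNI,
# and the subject/issuer/validity of the leaf certificate.
check_host() {
  host=$1; port=${2:-443}
  with_sni=$(s_client_out "$host" "$port" yes)
  without_sni=$(s_client_out "$host" "$port" no)
  code=$(printf '%s\n' "$with_sni" | verify_code)
  echo "host:        $host"
  echo "verify:      $(diagnose "${code:-none}")"
  echo "fp with SNI: $(printf '%s\n' "$with_sni" | leaf_fingerprint)"
  echo "fp no SNI:   $(printf '%s\n' "$without_sni" | leaf_fingerprint)"
  printf '%s\n' "$with_sni" | openssl x509 -noout -subject -issuer -dates
}

# Usage: sh check_tls_trust.sh dl.eff.org [443]
if [ -n "$1" ]; then
  check_host "$@"
fi
```

If the two fingerprints differ, the host serves different certificates depending on SNI, so an old client that sends no SNI may be seeing a different (possibly default or self-signed) certificate than a browser does; if they match but the verify code is 20 or 21, the problem is on the client side (CA bundle or chain), not the server.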
Thanks for the input. I am not sure why the certificate is not trusted, if that is the case here for me, but as I am testing the install I am not too concerned.
To answer your question about wget downloads, I was able to download the nano editor from an https: URL fine.
I will check some more on your other points when finished with what I have to do, but thank you for the input.
Not sure if I am allowed to continue with this post or open another; using the option --no-check-certificate allows me to download and then install certbot…
but I am not able to get certbot to verify the domain even though ports 80/443 are open and the domain record pings/resolves OK from different locations.
This is my VH conf file for the domain I am trying to create an SSL cert for using certbot:
Type: connection
Detail: Error getting validation data
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Cleaning up challenges
FailedChallenges: Failed authorization procedure. my-domain---something.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
At this point, I would make a new topic with this, and complete the suggested form information on the “Help” topic. You’ll get more traction there, and the form information helps save everyone’s time.
It’s difficult to debug this issue without knowing the domain name in question. The validation server is unable to contact your server at all, so it’s unlikely your virtual host setup is the problem.
I decided to try this again on another similar webserver and certbot is now applying LE SSL certificates to the sites I have set up. All http sites now redirect to https fine!
I just need to look at the .conf files for each site and ensure they are correct; I have also found out from testing that I need to ensure my default-ssl.conf file exists and is properly configured.
The firewall is correct, so everyone is aware this was not the problem.
The other thing to highlight here is that the original server was on Deb 7/Apache and the test webserver is Deb 9/Apache, so not a true like-for-like, but I have kept the folder structure the same on the test server for comparison.
I think this post can now be closed, as I just wanted help in getting certbot working, understanding the issues, troubleshooting and getting a working setup before starting the roll-out of SSL to production sites soon.