ERROR: The server could not connect to the client to verify the domain


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: saveherfromdreams.com

I ran this command: sudo certbot certonly --standalone -d saveherfromdreams.com

It produced this output:Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for saveherfromdreams.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. saveherfromdreams.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://saveherfromdreams.com/.well-known/acme-challenge/aH74OiT6lzUMcwCyNjKraV53ePvSnUlqNhEstoAyCbU: Timeout after connect (your server may be slow or overloaded)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: saveherfromdreams.com
    Type: connection
    Detail: Fetching
    http://saveherfromdreams.com/.well-known/acme-challenge/aH74OiT6lzUMcwCyNjKraV53ePvSnUlqNhEstoAyCbU:
    Timeout after connect (your server may be slow or overloaded)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): node.js server

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: AWS EC2

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Your domain’s IPv6 address is not accessible on the network.

EXPLANATION:
saveherfromdreams.com has an AAAA (IPv6) record (2406:da14:7b1:e700:50bd:367c:ac44:3f9a) but a test ACME validation request over port 80 has revealed problems. Let’s Encrypt will prefer to use AAAA records, if present, and will not fall back to IPv4 records. You should either ensure that validation requests succeed over IPv6, or remove its AAAA record.
DETAIL:
Get http://saveherfromdreams.com/.well-known/acme-challenge/letsdebug-test: context deadline exceeded


#5

Say @_az, what’s letsdebug? Have you started implementing something like the tool that was proposed here a while ago that provides a more detailed analysis of why validations might be failing?


#6

Something like that. It’s probably a couple of weekends away from being ready but you can spy on it here.


#7

That’s exciting! I may take a look at it and propose other possible tests.

I bet this will be a huge help for people who are having trouble getting certificates.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.