Error with nginx

I have a Raspberry Pi (Raspbian).
Port 443 is open, and I have two different sites on my Raspberry Pi configured with nginx virtual host sites-available files.

I’m running this:
sudo /etc/init.d/nginx stop
sudo ./letsencrypt-auto certonly --standalaon -d sauvtag.com -d www.sauvtag.com

I am getting the error below:

Failed authorization procedure. sauvtag.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge, www.sauvtag.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:

  • The following ‘urn:acme:error:connection’ errors were reported by
    the server:

Domains: sauvtag.com,
Type: urn:acme:error:connection
Error: Failed to connect to host for DVSNI challenge

Can anyone help?

You have a typo here, but I assume that's just here because the client would probably complain about an unknown flag.

Take a look at the log files in /var/log/letsencrypt/, there might be more detailed error messages in there. You could also run the client with -v to get even more detailed output.

I would also recommend verifying that port 443 is actually reachable from an external IP (some ISPs block those ports). Tor Browser works as a quick way to test that.

I’m sorry, I was not able to copy/paste the script I really ran, but it was “standalone” of course.

Port 443 seems to be reachable.

...
2016-02-04 08:14:18,688:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '1110', 'Expires': 'Thu, 04 Feb 2016 08:14:18 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 04 Feb 2016 08:14:18 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'olfh1y2Wvqp8EVdcfM8_sVKKs9r5pwdQsedUS2mykyI'}. Content: '{"identifier":{"type":"dns","value":"www.sauvtag.com"},"status":"invalid","expires":"2016-02-11T08:14:07Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/rGxKUFoDK7f5c4uztXc-PEKFOMdvN9GBDW9IjUo-lvQ/13926112","token":"mKrAWt0Hmm8n9XvBUZZHo2Ae513aGpDmzeat-hwfg1M"},{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/rGxKUFoDK7f5c4uztXc-PEKFOMdvN9GBDW9IjUo-lvQ/13926113","token":"wqZF4ZhzhHqETptQq-JzKsXvwPcGAVUsSAfoaMKHUzs"},{"type":"tls-sni-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Failed to connect to host for DVSNI challenge"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/rGxKUFoDK7f5c4uztXc-PEKFOMdvN9GBDW9IjUo-lvQ/13926114","token":"R9XYSRv8pZq8hZfrWR08uB48GnkZZzPyzWF_i-W7B0c","keyAuthorization":"R9XYSRv8pZq8hZfrWR08uB48GnkZZzPyzWF_i-W7B0c.INpa_xtdrWy3QzjsWTyU_4wMF2LdDXe8QENslWnA7C8","validationRecord":[{"hostname":"www.sauvtag.com","port":"443","addressesResolved":["88.179.78.63"],"addressUsed":"88.179.78.63"}]}],"combinations":[[0],[2],[1]]}'
2016-02-04 08:14:18,699:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1110', 'Expires': 'Thu, 04 Feb 2016 08:14:18 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 04 Feb 2016 08:14:18 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'olfh1y2Wvqp8EVdcfM8_sVKKs9r5pwdQsedUS2mykyI'}): '{"identifier":{"type":"dns","value":"www.sauvtag.com"},"status":"invalid","expires":"2016-02-11T08:14:07Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/rGxKUFoDK7f5c4uztXc-PEKFOMdvN9GBDW9IjUo-lvQ/13926112","token":"mKrAWt0Hmm8n9XvBUZZHo2Ae513aGpDmzeat-hwfg1M"},{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/rGxKUFoDK7f5c4uztXc-PEKFOMdvN9GBDW9IjUo-lvQ/13926113","token":"wqZF4ZhzhHqETptQq-JzKsXvwPcGAVUsSAfoaMKHUzs"},{"type":"tls-sni-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Failed to connect to host for DVSNI challenge"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/rGxKUFoDK7f5c4uztXc-PEKFOMdvN9GBDW9IjUo-lvQ/13926114","token":"R9XYSRv8pZq8hZfrWR08uB48GnkZZzPyzWF_i-W7B0c","keyAuthorization":"R9XYSRv8pZq8hZfrWR08uB48GnkZZzPyzWF_i-W7B0c.INpa_xtdrWy3QzjsWTyU_4wMF2LdDXe8QENslWnA7C8","validationRecord":[{"hostname":"www.sauvtag.com","port":"443","addressesResolved":["88.179.78.63"],"addressUsed":"88.179.78.63"}]}],"combinations":[[0],[2],[1]]}'
2016-02-04 08:14:18,710:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'wqZF4ZhzhHqETptQq-JzKsXvwPcGAV
...
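
Following the advice above to read the client log: an added example (not part of the thread and not Let's Encrypt client code) that pulls each failed challenge, with the address and port the CA tried, out of a DEBUG line of the kind shown in the excerpt. The function name `failed_challenges` and the sample line are constructed for illustration.

```python
import json
import re

# Constructed sample shaped like the DEBUG lines above; the domain, address
# and token are placeholders, not values from the thread.
SAMPLE_LINE = (
    "2016-02-04 08:14:18,688:DEBUG:root:Received <Response [200]>. "
    "Headers: {'Content-Type': 'application/json'}. Content: '"
    '{"identifier":{"type":"dns","value":"www.example.com"},"status":"invalid",'
    '"challenges":[{"type":"http-01","status":"pending","token":"TOKEN-A"},'
    '{"type":"tls-sni-01","status":"invalid",'
    '"error":{"type":"urn:acme:error:connection",'
    '"detail":"Failed to connect to host for DVSNI challenge"},'
    '"validationRecord":[{"hostname":"www.example.com","port":"443",'
    '"addressesResolved":["192.0.2.10"],"addressUsed":"192.0.2.10"}]}]}'
    "'"
)

# The authorization JSON is the single-quoted object that ends the log line.
_BODY = re.compile(r"""'(\{"identifier".*\})'\s*$""")

def failed_challenges(log_line):
    """Return one dict per invalid challenge found in a client DEBUG line."""
    match = _BODY.search(log_line)
    if not match:
        return []
    try:
        authz = json.loads(match.group(1))
    except ValueError:  # truncated or non-JSON body
        return []
    domain = authz.get("identifier", {}).get("value")
    results = []
    for chal in authz.get("challenges", []):
        if chal.get("status") != "invalid":
            continue
        error = chal.get("error", {})
        # A challenge can fail before any connection attempt is recorded.
        for rec in chal.get("validationRecord") or [{}]:
            results.append({
                "domain": domain, "challenge": chal.get("type"),
                "error": error.get("type"), "detail": error.get("detail"),
                "address": rec.get("addressUsed"), "port": rec.get("port"),
            })
    return results

if __name__ == "__main__":
    for item in failed_challenges(SAMPLE_LINE):
        print("{domain}: {challenge} failed, CA tried {address}:{port}".format(**item))
```

The address and port it reports are the ones that must accept connections from outside the local network for the tls-sni-01 challenge to succeed.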

Does "with nginx" mean that nginx is running? Then use the webroot method instead.

Hi, PFG was right, my 443 port was not reachable…
I’m sorry.
It works perfectly now.

Letsencrypt is great!

Thanks!