Errors when running standalone certbot-auto

I ran this command: ./certbot-auto certonly --standalone --email email@gmail.com -d example.com -d www.example.com with my information instead of the placeholders, and I get this error:

Failed authorization procedure. example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 195.20.46.204:443 for TLS-SNI-01 challenge, www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 195.20.46.204:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.com
   Type:   connection
   Detail: Failed to connect to 195.20.46.204:443 for TLS-SNI-01
   challenge

   Domain: www.example.com
   Type:   connection
   Detail: Failed to connect to 195.20.46.204:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

What is the issue that is causing it to fail to connect?

Have you checked whether port 443 is firewalled off? If I try to connect to 195.20.46.204:443, I get a connection timeout.

I'm pretty sure that the ports are open. Just to make sure I checked correctly, tell me if this isn't what you meant.

I ran netstat -anp | less, and this is the output:

tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      403/mongod
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      448/mysqld
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      300/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      399/sshd
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      13865/nodejs

The netstat output shows that the local machine thinks it is listening on those ports. However, it’s possible that some firewall outside your machine is blocking port 443. If you have a different machine you can test from, try running

curl -k https://195.20.46.204:443/

Doesn’t that have the same effect as opening Chrome and typing in that URL? Also, I just want to clarify that https://195.20.46.204:443/ isn’t the URL of my server, but it seems like the URL of the domain registrar, as if you delete :443 and just try :80, then you will see it redirects to http://dot.tk, which is the TLD of my domain.

In that case, you might be looking at a DNS issue. The CA server got the IP address 195.20.46.204 when it asked your name server for the A record for your domain. Make sure that dig @your.name.server.example.com example.com A returns the correct IP address (you can use dig example.com NS to get the name server(s), and then check each of them).


It would be really helpful if you can provide your domain name, since we can’t help you debug your DNS setup without it.

The domain name I’m trying this out with is ilanbiala.tk. @pfg what do you mean by making sure that dig ilanbiala.tk returns the correct IP address?

Your domain needs to resolve to the IP address of your server. It currently resolves to 195.20.46.204, which appears to be the IP address of your domain registrar’s website.

dig is a command-line tool you can use to query DNS records. If you’re on Windows, nslookup would provide similar features.

Typically your domain registrar has a control panel where you can change your name server or DNS records. In your case, you’d need to change the A record for ilanbiala.tk (and any other domain you want to use) to point to your own IP address instead of 195.20.46.204.

Ok, I updated the A record of my domain to resolve to my server’s IP and verified the change using dig ilanbiala.tk. What should I do now?

You should be able to run the original command you used successfully now. If the error does not change with the new IP address, you’re likely looking at some kind of firewall problem somewhere between your server and Let’s Encrypt (could be anything from iptables to your ISP's firewall).
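The replies above ask for two things to be verified before retrying certbot: that the domain's A records point at the server rather than at the registrar's parking address, and what is going on with port 443 on the machine itself. The script below is an added example for this thread, not certbot's code and not posted by anyone in it. It assumes the netstat -anp column layout pasted earlier, that dig is installed, and that the server's real public IP is passed on the command line. A wrong A record is reported per record; a listener already bound to 443 on a public address is reported because the standalone plugin needs that port itself. Reachability through an external firewall still has to be tested from a second machine, as the earlier reply says.

```shell
#!/bin/sh
# Pre-flight checks before "certbot-auto certonly --standalone".
# Added example for this thread (not certbot's own tooling).
# Usage: sh preflight.sh example.com 203.0.113.10
#        (203.0.113.10 is a placeholder for your server's public IP)

# has_public_listener PORT
# Reads a "netstat -anp" listing on stdin and succeeds only if a socket is
# LISTENing on PORT bound to a non-loopback address (0.0.0.0, :: or a real
# interface address). Loopback-only listeners, like the 127.0.0.1:3000 node
# process in the thread, do not count: the CA can never reach those.
has_public_listener() {
  awk -v want="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":"); port = a[n]
      # everything before the final ":" is the address (handles ":::443" too)
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (port == want && addr != "127.0.0.1" && addr != "::1") found = 1
    }
    END { if (found) exit 0; exit 1 }'
}

# a_records_match EXPECTED_IP
# Reads the output of "dig +short DOMAIN A" on stdin and succeeds only if
# every IPv4 answer equals EXPECTED_IP. CNAME targets that dig +short prints
# before the addresses are skipped. The CA connects to whatever the A record
# says, so a registrar parking address here is exactly the failure above.
a_records_match() {
  expected="$1"; status=0; seen=0
  while read -r ip; do
    case "$ip" in
      '' | *[!0-9.]*) continue ;;   # blank line or a name, not an IPv4 address
    esac
    seen=1
    if [ "$ip" != "$expected" ]; then
      echo "A record $ip does not match server IP $expected" >&2
      status=1
    fi
  done
  if [ "$seen" -ne 1 ]; then
    echo "no A records returned" >&2
    status=1
  fi
  return "$status"
}

run_checks() {
  domain="$1"; server_ip="$2"; rc=0
  echo "Checking A records for $domain ..."
  dig +short "$domain" A | a_records_match "$server_ip" || rc=1
  echo "Checking for an existing listener on port 443 ..."
  if netstat -anp 2>/dev/null | has_public_listener 443; then
    echo "something already listens on 443; stop it or use a non-standalone plugin" >&2
    rc=1
  fi
  return "$rc"
}

if [ "$#" -eq 2 ]; then
  run_checks "$1" "$2"
fi
```

Run it once for the bare domain and once for the www name, since the thread shows both need their own A record. A non-zero exit means at least one of the two checks failed and the reason was printed on stderr.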

Fixed the error and added a www A record as well and I was able to create the certificate. Thanks for the help.

