Failed authorization procedure. domain.com (tls-sni-01): The server could not connect to the client to verify the domain

Hey guys, I'm trying to renew my certificate with new domains, but I'm getting an error.
ps: I tried with --staging and it worked.

My domains are: sias.branet.com.br, mail.branet.com.br, mail.[others].com.br

I ran this command:

letsencrypt certonly --cert-name cert -d sias.branet.com.br,mail.branet.com.br,mail.meistercontabilidade.com.br,mail.branetlogistica.com.br,mail.osd.com.br --renew-with-new-domains

AND

certbot certonly --cert-name cert -d sias.branet.com.br,mail.branet.com.br,mail.meistercontabilidade.com.br,mail.branetlogistica.com.br,mail.osd.com.br --renew-with-new-domains

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/cert.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.branet.com.br
http-01 challenge for mail.branetlogistica.com.br
http-01 challenge for mail.meistercontabilidade.com.br
http-01 challenge for mail.osd.com.br
tls-sni-01 challenge for sias.branet.com.br
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sias.branet.com.br (tls-sni-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sias.branet.com.br
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I want to use the certificate on Tomcat 7.0.54.
SO: CentOS 7.
I am [g]root.

What am I doing wrong?

Thank you already.

Hi @mateusscheper

when you tried that, did certbot used tls-sni-01 challenge for sias.branet.com.br? Or http-01?

Perhaps add

--standalone --preferred-challenges http

so that only http-01 is used.

It went straight to tls. I’ll try your suggestion.
BTW, is there a way to see how many attempts I already failed? I don’t want to get blocked like yesterday…

There is only one certificate sias.branet.com.br - created 2018-05-23.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:sias.branet.com.br&lu=cert_search

So you didn't hit the Duplicate Certificate Limit (5 per week), because the creation didn't work.

So that limit

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

may be the problem. But this isn't so critical. One hour later, it's gone.

It worked. Thank you, Sir.
I added the --preferred-challenges http.
Here, a cookie for you:
Cya!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.