"Failed authorization procedure" error on tls-sni-01

Help
1

Hello. Having an issue with generating a new cert.

My domain is: bridgend.kier.co.uk

I ran this command: sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Which names would you like to activate HTTPS for?
1: bridgend.kier.co.uk
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):1
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for bridgend.kier.co.uk
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. bridgend.kier.co.uk (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: bridgend.kier.co.uk
    Type: connection
    Detail: Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have generated SSL certs on two different servers with the Certbot before using the same command certbot --apache without any issues.
I also tried using the webroot but it returns a 403 Forbidden error on ./well-known/acme-challenge (I ran chmod 777 and chowned the directory recursively as well). But I would still prefer to run the auto certbot command for apache.

Thanks in advance.

2

You may have to enable SSL manually on Debian/Ubuntu to get things to work.

sudo a2enmod ssl
sudo service apache2 restart

Unfortunately the default web server configuration on many distributions blocks paths starting with a dot. You would need to find the offending Match directive and comment it out.

3

Thanks for the reply. I had already had SSL enabled. I restarted Apache again just in case but still no luck. Keep getting the same error.

I can upload the full Certbot log if needed.

4

Perhaps you have a firewall blocking port 443?

sudo ufw allow 443/tcp

And check with your ISP as well.

It might be helpful to temporarily enable the default SSL configuration with a self-signed certificate to test potential connectivity problems.

sudo apt-get install ssl-cert
sudo a2ensite default-ssl
sudo service apache2 reload

Then try adding https:// to your URL. You should then just get a certificate error instead of a connectivity error like we see now.

Otherwise, the debug log might indeed reveal something.

1 Like
5

Thanks a lot for your help. It did indeed turn out that port 443 was not even open on the firewall. It’s now been opened and a certificate was successfully generated!

6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.