Failed authorization procedure. schematics.athion.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

The command ran

./letsencrypt-auto --apache

The Backstory

This was run on a server where it was enabled on the domain schematics.athion.net, then shortly afterwards I decided it would be a great idea to enable it on nixc.us so that I could set up a URL shortener there. This caused a tangled web to end up on the server, which I figured I was confident enough in LetsEncrypt stuff to manage, but apparently not.

Now that I've reached a point where I think I've completely uninstalled LetsEncrypt so that I can install it again fresh, it seems to not want to issue me any more certificates, with the following error. There is also zero official documentation on how to uninstall LetsEncrypt cleanly from your apache installation.

Output

Failed authorization procedure. schematics.athion.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:
 - The following 'urn:acme:error:connection' errors were reported by
   the server:

   Domains: schematics.athion.net
   Error: The server could not connect to the client to verify the
   domain

Your server appears to be serving HTTP on port 443 (not HTTPS). This will prevent the client from changing your apache config to solve the tls-sni-01 challenge. Make sure you don’t have any misconfigured vhosts from your previous installation or anything similar.

That's really bizarre, I've cleared out all of the vhost configurations that referenced anything to do with https/443.

Vhost config

root@schematics:/etc/apache2/sites-enabled# cat 000-default.conf
<VirtualHost schematics.athion.net:80>
        ServerName schematics.athion.net
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

List of enabled sites

root@schematics:/etc/apache2/sites-enabled# ls -lAh
total 0
lrwxrwxrwx 1 root root 35 Oct 26 15:40 000-default.conf -> ../sites-available/000-default.conf

You can use netstat -tulpn | grep :443 to verify apache is listening on port 443.

Take a look at all other configuration files and look for anything that might cause apache to serve HTTP on port 443, i.e. apache2.conf, conf.d/*, mods-enabled/*, conf-enabled, etc.

I had rooted through the other apache configs in /etc/apache2/*/ after you mentioned it for any mention of 443 and 80, and the only configurations that made mention of them were in /etc/apache2/sites-[enabled/available]/*.conf

Seems it's back to where I was before I spaghettified my apache install.

It seems that I just can't verify this site with the 000-default.conf set to <VirtualHost schematics.athion.net:80>; I actually have to set it to <VirtualHost *:80>, which is probably why installing the certificate for nixc.us failed. I'm not really 100% certain why this is messing up.

The working config that LE generated

root@schematics:/etc/apache2/sites-enabled# cat 000-default.conf
<VirtualHost *:80>
        ServerName schematics.athion.net
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RewriteEngine on
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,QSA,R=permanent]
</VirtualHost>
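The thread boils down to two configuration states the ACME client cannot work with: something answering plain HTTP on port 443 (the helper's diagnosis), and a vhost bound to a hostname rather than `*:80` (what the original poster eventually had to change). The script below is an added example, not code from this thread or from the letsencrypt/certbot project. It is a static audit of Apache config text that parses `Listen` and `<VirtualHost>` directives and flags those two states, plus the case where `Listen 443` exists with no vhost covering it at all (the main server then answers HTTP on 443). The config snippets in `SAMPLE_CONFIGS` and `FIXED_CONFIGS` are constructed for illustration; the hostname-vhost rule reflects the poster's finding in this thread, generalised to any non-wildcard, non-IP address in the `<VirtualHost>` line.

```python
"""Static audit of Apache vhost configs for the misconfigurations discussed
in this thread.  Added example; not the thread's or certbot's own code.
The sample configs at the bottom are constructed, not taken from a server."""
import ipaddress
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
LISTEN = re.compile(r"^\s*Listen\s+(\S+)", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)


def _split_spec(spec):
    """'*:80' -> ('*', '80'); 'host:443' -> ('host', '443'); '*' -> ('*', '*')."""
    if spec.endswith("]") or ":" not in spec:   # bare IPv6 literal or no port given
        return spec, "*"
    addr, _, port = spec.rpartition(":")
    return addr, port


def _looks_like_ip(addr):
    try:
        ipaddress.ip_address(addr.strip("[]"))
        return True
    except ValueError:
        return False


def parse_config(name, text):
    """Parse one config file.  Returns (listen_ports, vhosts); each vhost is a
    dict with file, addr, port, ssl (True if 'SSLEngine on' seen) and server_name."""
    listens, vhosts, cur = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if (m := LISTEN.match(line)):
            val = m.group(1)                          # 'Listen 443', 'Listen [::]:443', 'Listen 1.2.3.4:80'
            listens.append(val.rpartition(":")[2] if ":" in val and not val.endswith("]") else val)
        elif (m := VHOST_OPEN.match(line)):
            addr, port = _split_spec(m.group(1).split()[0])   # first address only
            cur = {"file": name, "addr": addr, "port": port, "ssl": False, "server_name": None}
        elif VHOST_CLOSE.match(line) and cur is not None:
            vhosts.append(cur)
            cur = None
        elif cur is not None:
            if SSL_ON.match(line):
                cur["ssl"] = True
            elif (m := SERVERNAME.match(line)):
                cur["server_name"] = m.group(1)
    return listens, vhosts


def audit(configs):
    """configs: {filename: contents}.  Returns a list of (code, detail) findings."""
    listens, vhosts = [], []
    for name, text in configs.items():
        l, v = parse_config(name, text)
        listens += l
        vhosts += v
    findings = []
    for vh in vhosts:
        where = f"{vh['file']}: <VirtualHost {vh['addr']}:{vh['port']}>"
        on_443 = vh["port"] == "443" or (vh["port"] == "*" and "443" in listens)
        if on_443 and not vh["ssl"]:
            findings.append(("HTTP_ON_443", f"{where} answers on 443 without 'SSLEngine on'"))
        if vh["addr"] not in ("*", "_default_") and not _looks_like_ip(vh["addr"]):
            findings.append(("NAME_SPECIFIC_VHOST",
                             f"{where} binds a hostname; use <VirtualHost *:{vh['port']}> with ServerName"))
    if "443" in listens and not any(vh["port"] in ("443", "*") for vh in vhosts):
        findings.append(("LISTEN_443_UNCOVERED",
                         "Listen 443 with no vhost on 443: the main server answers plain HTTP there"))
    return findings


# Constructed sample: the poster's original hostname-bound vhost plus a leftover :443 block.
SAMPLE_CONFIGS = {
    "ports.conf": "Listen 80\nListen 443\n",
    "000-default.conf": "<VirtualHost schematics.athion.net:80>\n"
                        "    ServerName schematics.athion.net\n    DocumentRoot /var/www/html\n</VirtualHost>\n",
    "leftover.conf": "<VirtualHost *:443>\n    ServerName schematics.athion.net\n"
                     "    DocumentRoot /var/www/html\n</VirtualHost>\n",
}
# Constructed sample of the repaired layout: wildcard :80 vhost and a real TLS vhost on :443.
FIXED_CONFIGS = {
    "ports.conf": "Listen 80\nListen 443\n",
    "000-default.conf": "<VirtualHost *:80>\n    ServerName schematics.athion.net\n</VirtualHost>\n",
    "default-ssl.conf": "<VirtualHost *:443>\n    ServerName schematics.athion.net\n    SSLEngine on\n</VirtualHost>\n",
}

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIGS):
        print(code, "-", detail)
```

Run it against the contents of `/etc/apache2/` (ports.conf, sites-enabled/*, conf-enabled/*) by reading the files into the dict; it complements the live checks in the thread (`netstat -tulpn | grep :443`), which tell you what is actually bound rather than what the files say, and `apache2ctl -S`, which prints the vhost table Apache itself built from those files.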
