Failed authorization procedure - Ubuntu 14.04, Apache

Hey everybody! I have an odd one.

I have multiple domains pointed to the same server and am using vhosts to deliver up the appropriate content. I started with sub1.domain.com. The vhost file for that site is as follows:

<VirtualHost $myIP:443>
        ServerName sub1.domain.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sub1.domain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sub1.domain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/sub1.domain.com/chain.pem
</VirtualHost>

I was able to use Certbot to create the cert with no issues.

I also have sub2.domain.com. It is the same root domain as sub1. It’s registered at the same registrar and pointed at the same server. The vhost file for sub2 is as follows:

<VirtualHost $myIP:443>
        ServerName sub2.domain.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sub2.domain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sub2.domain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/sub2.domain.com/chain.pem
</VirtualHost>

However, when I run:

./certbot-auto --apache certonly -d sub2.domain.com

I receive the following error:

Failed authorization procedure. sub2.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to $myIP:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sub2.domain.com
   Type:   connection
   Detail: Failed to connect to $myIP:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I’ve checked all of my Apache .conf files and googled everything I can think of. Can you guys help me troubleshoot this one?

Thank you!

Just to clarify, this new <VirtualHost> already exists and is enabled, and it has an SSLCertificateFile /etc/letsencrypt/live/sub2.domain.com/cert.pem directive? Does the file it points to exist, and is it a valid certificate (and for the other directives: private key, chain, etc.)? Otherwise, I can see Apache failing to start or breaking in unexpected ways while the apache plugin does its thing. Maybe there’s a clue somewhere in your Apache error logs.

As a workaround, and since you’re already using certbot in certonly mode anyway, I would look into using the webroot plugin instead, in case you don’t get anywhere with this.

Hey @pfg,

That fixed it!

The virtualhost was set up properly, but I forgot my .htaccess was FORCING https. I disabled that, and ran the following:

./certbot-auto certonly --webroot -w /var/www/html -d sub2.domain.com

Everything works now! Thank you so much!!
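The two things this thread turned on are checkable before running certbot at all: whether the SSL file directives in an enabled vhost point at files that actually exist (pfg's question above), and whether a .htaccess force-HTTPS rewrite lacks an exemption for the /.well-known/acme-challenge/ path that the webroot plugin needs to serve. The script below is an added example written for this thread, not code from the original posts or from certbot; it uses a small vhost parser of its own, a constructed copy of the sub2 vhost from the thread, and constructed .htaccess samples, and it lays the certificate files out in a temporary directory so it runs offline.

```python
import os
import tempfile

# Constructed copy of the sub2 vhost from the thread; {live} is swapped for a
# temporary directory so the file checks can run anywhere.
SAMPLE_VHOST = """
<VirtualHost $myIP:443>
        ServerName sub2.domain.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile {live}/sub2.domain.com/cert.pem
        SSLCertificateKeyFile {live}/sub2.domain.com/privkey.pem
        SSLCertificateChainFile {live}/sub2.domain.com/chain.pem
</VirtualHost>
"""

# Constructed .htaccess samples: one that unconditionally forces HTTPS (as the
# thread's poster had), one that exempts the ACME challenge path first.
FORCE_HTTPS = r"""
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
"""

FORCE_HTTPS_WITH_EXEMPTION = r"""
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
"""

SSL_FILE_DIRECTIVES = ("SSLCertificateFile", "SSLCertificateKeyFile",
                       "SSLCertificateChainFile")


def parse_vhosts(text):
    """Minimal parser: one dict of directive -> value per <VirtualHost> block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            current = {}
            continue
        if line.lower().startswith("</virtualhost"):
            if current is not None:
                blocks.append(current)
            current = None
            continue
        if current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[parts[0]] = parts[1]
    return blocks


def check_vhost(vhost):
    """Return problem strings for an SSL vhost whose cert/key/chain files are unset or missing."""
    problems = []
    if vhost.get("SSLEngine", "").lower() != "on":
        return problems
    for directive in SSL_FILE_DIRECTIVES:
        path = vhost.get(directive)
        if path is None:
            problems.append(f"{directive} is not set")
        elif not os.path.isfile(path):
            problems.append(f"{directive} points to missing file {path}")
    return problems


def htaccess_blocks_challenge(text):
    """True if a RewriteRule redirecting to https:// is not guarded by a
    RewriteCond that excludes /.well-known/acme-challenge/ (heuristic lint)."""
    conds = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            conds.append(line)
        elif line.startswith("RewriteRule"):
            if "https://" in line:
                exempt = any("acme-challenge" in c and "!" in c for c in conds)
                if not exempt:
                    return True
            conds = []  # RewriteCond lines only apply to the next RewriteRule
    return False


def demo():
    """Lay out a fake live/ tree with only cert.pem present and check the sample vhost."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        os.makedirs(os.path.join(live, "sub2.domain.com"))
        with open(os.path.join(live, "sub2.domain.com", "cert.pem"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        vhosts = parse_vhosts(SAMPLE_VHOST.replace("{live}", live))
        return [p for v in vhosts for p in check_vhost(v)]


if __name__ == "__main__":
    for problem in demo():
        print("vhost:", problem)
    print("force-HTTPS blocks challenge:", htaccess_blocks_challenge(FORCE_HTTPS))
    print("with exemption blocks challenge:", htaccess_blocks_challenge(FORCE_HTTPS_WITH_EXEMPTION))
```

Run against a real server, point parse_vhosts at the contents of the enabled site files and htaccess_blocks_challenge at each DocumentRoot's .htaccess; the parser ignores Include directives and nested sections, so it is a pre-flight sanity check, not a replacement for apachectl configtest.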
