Failed authorization procedure with Apache 2.4 on CentOS 6.9

Howdy folks, hoping someone can help me get past this error. My overall goal is to set up Nextcloud in cloud.s3rvant.ch with Collabora in colab.s3rvant.ch and then normal web space at s3rvant.ch with www forwarding to the bare domain. I had nearly completed all this when I got stuck finishing up Collabora, as CentOS 6 defaults to Apache 2.2. I started over in order to work with Apache 2.4, but now am getting the below error when attempting to use certbot. Fairly certain the issue is related to the Apache path, as it's using:
/opt/rh/httpd24/root/etc/httpd/conf.d

Certbot didn’t see the conf files until I passed the additional subcommands as listed below, but even then it fails to complete authorization.

Any help getting the certificate created/installed would be much appreciated, even if that means starting from scratch (haven’t yet migrated anything to this server).

Please fill out the fields below so we can help you better.

My domain is:
s3rvant.ch

I ran this command:
./certbot-auto --apache --apache-server-root /opt/rh/httpd24/root/etc/httpd --apache-vhost-root /opt/rh/httpd24/root/etc/httpd/conf.d --apache-logs-root /opt/rh/httpd24/root/var/log/httpd --apache-challenge-location /opt/rh/httpd24/root/etc/httpd

It produced this output:
Performing the following challenges:
tls-sni-01 challenge for s3rvant.ch
tls-sni-01 challenge for cloud.s3rvant.ch
tls-sni-01 challenge for colab.s3rvant.ch
tls-sni-01 challenge for www.s3rvant.ch
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. s3rvant.ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 185.60.146.190:443 for tls-sni-01 challenge, colab.s3rvant.ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 185.60.146.190:443 for tls-sni-01 challenge, cloud.s3rvant.ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 185.60.146.190:443 for tls-sni-01 challenge, www.s3rvant.ch (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 185.60.146.190:443 for tls-sni-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: s3rvant.ch
    Type: connection
    Detail: Failed to connect to 185.60.146.190:443 for tls-sni-01
    challenge

    Domain: colab.s3rvant.ch
    Type: connection
    Detail: Failed to connect to 185.60.146.190:443 for tls-sni-01
    challenge

    Domain: cloud.s3rvant.ch
    Type: connection
    Detail: Failed to connect to 185.60.146.190:443 for tls-sni-01
    challenge

    Domain: www.s3rvant.ch
    Type: connection
    Detail: Failed to connect to 185.60.146.190:443 for tls-sni-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version):
CentOS 6.9

My web server is (include version):
Apache 2.4 specifically installed via: https://www.server-world.info/en/note?os=CentOS_6&p=httpd24

My hosting provider, if applicable, is:
VPS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
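The error above is a plain TCP connection failure from the validator to 185.60.146.190:443, so before touching certbot again it is worth checking the three things the IMPORTANT NOTES list: is anything listening on 443, does the firewall admit a new connection to it, and do the A records point at this host. The script below is an added example, not something from this thread or from certbot itself; the `ss -ltn`, `iptables -S INPUT` and `dig +short` output it parses is constructed sample data that reproduces the situation in the post (Apache bound to :80 only, the stock CentOS 6 INPUT chain with 22 and 80 opened), and the only real value in it is the server IP from the error message. To run the same checks against real output, pass `"$(ss -ltn)"`, `"$(iptables -S INPUT)"` and your own `name ip` lines instead of the SAMPLE_* variables. Checking port 80 the same way tells you whether falling back to HTTP validation (`--preferred-challenges http`, if your certbot-auto accepts that option) would get through; Let's Encrypt has since disabled tls-sni-01 altogether, so on a current client only the HTTP and DNS challenges remain.

```shell
#!/bin/sh
# Pre-flight for an ACME tls-sni-01 (port 443) or http-01 (port 80) check:
# is a socket listening, would a new inbound TCP connection get through the
# INPUT chain, and do the names resolve to this host?  Added example, not
# code from the thread.  All command output below is constructed sample
# data standing in for real `ss`, `iptables` and `dig` output.

SERVER_IP="185.60.146.190"            # the address in the thread's error

# Constructed `dig +short A <name>` results, one "name ip" pair per line.
SAMPLE_DNS="s3rvant.ch 185.60.146.190
www.s3rvant.ch 185.60.146.190
cloud.s3rvant.ch 185.60.146.190
colab.s3rvant.ch 185.60.146.190"

# Constructed `ss -ltn` output: Apache is up on :80 only, nothing on :443.
SAMPLE_SS="State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:80                *:*
LISTEN 0      128    *:22                *:*"

# Constructed `iptables -S INPUT`: stock CentOS 6 chain with 22 and 80
# opened and the usual trailing REJECT rule, so 443 is blocked.
SAMPLE_IPT="-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"

# listens_on_port PORT "SS_OUTPUT" -> 0 if a LISTEN socket is bound to PORT
# (the port is the last colon-separated field of "Local Address:Port").
listens_on_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# inbound_tcp_allowed PORT "IPTABLES_S_OUTPUT" -> 0 if a fresh SYN to PORT
# reaches the socket.  Walks the INPUT chain in order, skips rules that
# cannot match a new TCP connection (lo, icmp/udp, RELATED,ESTABLISHED),
# lets the first applicable ACCEPT/DROP/REJECT decide, else the policy.
inbound_tcp_allowed() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" && verdict == "" {
            if ($0 ~ /RELATED,ESTABLISHED/ || $0 ~ /-i lo/ || $0 ~ /-p (icmp|udp)/) next
            dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (dport != "" && dport != p) next
            if (target == "ACCEPT") verdict = "allow"
            else if (target == "DROP" || target == "REJECT") verdict = "deny"
        }
        END {
            if (verdict == "") verdict = (policy == "ACCEPT") ? "allow" : "deny"
            exit (verdict == "allow" ? 0 : 1)
        }'
}

# dns_points_here SERVER_IP "NAME IP LINES" -> prints every name whose A
# record is not SERVER_IP; exit 0 only when all of them resolve here.
dns_points_here() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        NF == 2 && $2 != ip { print $1; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# acme_preflight PORT "SS" "IPTABLES" "DNS" -> 0 when a validator can reach
# PORT on this host; otherwise prints each finding and returns 1.
acme_preflight() {
    port="$1"; ok=0
    listens_on_port "$port" "$2" \
        || { echo "  no LISTEN socket on :$port (Listen $port / mod_ssl loaded?)"; ok=1; }
    inbound_tcp_allowed "$port" "$3" \
        || { echo "  INPUT chain rejects new connections to :$port"; ok=1; }
    dns_points_here "$4" "$5" 2>/dev/null
    dns_points_here "$SERVER_IP" "$4" \
        || { echo "  the names above do not resolve to $SERVER_IP"; ok=1; }
    return $ok
}

for port in 443 80; do
    if acme_preflight "$port" "$SAMPLE_SS" "$SAMPLE_IPT" "$SAMPLE_DNS"; then
        echo ":$port is reachable by the validator"
    else
        echo ":$port is NOT reachable by the validator"
    fi
done
```

With the sample data the 443 run reports both the missing listener and the firewall rule, which is exactly what the "Failed to connect to 185.60.146.190:443" line looks like from the outside; the 80 run comes back clean, so an HTTP-based challenge would have a path in.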

It looks like you're in a "chicken and egg" situation...
You are trying to get an SSL cert from your site via SSL - but the site doesn't have SSL (yet).
Try validating using HTTP instead.

In a previous attempt I had completed certbot and opted to require https. Since then I had formatted the server and started over, however it still redirects to https when using the domain name; IP address can still be used via http. Not sure how I would go about undoing that requirement or how to tell certbot to validate via http.

Try disabling the https redirection - just comment those lines out for now.

In another thread it was pointed out that the TLS-SNI-01 challenge with the Certbot Apache plugin does not actually require your Apache to be serving HTTPS yet. The Certbot Apache plugin would add a new HTTPS virtual host which can complete the validation.

However, the server does need to be able to listen on port 443. It's true that if the existing Apache configuration is broken in some way that would actually prevent Apache from listening on that port, or if there's a firewall or something blocking inbound connections, then this validation method might not work.

Formatted the server and started over, this time building Apache 2.4.25 from source. Noticed that HTTP is redirecting to HTTPS already without my having set any SSL settings yet. I don't have any DNS or other redirects in place, so not sure why it's redirecting to HTTPS. Accessing HTTP using the IP address works fine. Tested again using Apache 2.2 installed via yum and had the same result.

Any idea what could be causing the redirect on a fresh install? Is there some way for a previously successful certbot install to have a lingering effect like this?

Hi @s3rvant,

Yes, the redirection is caused by your own browser.

Maybe you used the option --hsts, manually or interactively, which adds the Strict-Transport-Security header to Apache. Once the browser reaches your https website it sees this header and will always try to connect to your site in its https version.

So, clean your browser cache or use another (clean) browser install to check that this is the issue.

Cheers,
sahsanu
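sahsanu's diagnosis can be confirmed from the server side. An HSTS policy lives in the browser, keyed on the host that served it, for max-age seconds; with includeSubDomains it also covers every subdomain, which would explain cloud. and colab. redirecting as well. The script below is an added example, not from this thread or from certbot: it pulls the Strict-Transport-Security header out of a response-header dump and works out which hosts a browser that cached it would force to https://. The dumps are constructed sample responses, not captured from s3rvant.ch, and the policy values in them are assumptions. Besides clearing the browser, the server-side way to retire a policy is to serve `max-age=0` over HTTPS, because browsers ignore the header on plain HTTP connections; that is also why a fresh HTTP-only install can never clear it on its own.

```shell
#!/bin/sh
# Decode a cached HSTS policy and report which hosts it forces to HTTPS.
# Added example, not code from the thread.  The header dumps below are
# constructed sample responses (not captured from s3rvant.ch) and the
# policy values are assumed for illustration.

# Constructed `curl -sI https://s3rvant.ch/` output carrying an HSTS policy
RESP_HSTS="HTTP/1.1 200 OK
Date: Mon, 03 Jul 2017 10:00:00 GMT
Server: Apache/2.4.25 (Unix)
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8"

# Constructed response from a fresh install with no HSTS header at all
RESP_PLAIN="HTTP/1.1 200 OK
Server: Apache/2.4.25 (Unix)
Content-Type: text/html; charset=UTF-8"

# hsts_policy "HEADER_DUMP" -> prints the Strict-Transport-Security value
# (name matched case-insensitively, CR stripped); exit 1 when absent.
hsts_policy() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            sub(/^[^:]*:[ \t]*/, ""); print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# hsts_directive NAME "POLICY" -> prints NAME's value, or NAME itself for a
# valueless directive such as includeSubDomains; exit 1 when missing.
hsts_directive() {
    printf '%s\n' "$2" | tr ';' '\n' | awk -v want="$1" '
        {
            gsub(/^[ \t]+|[ \t]+$/, "")
            n = split($0, kv, "=")
            if (tolower(kv[1]) == tolower(want)) {
                val = (n > 1) ? kv[2] : kv[1]
                print val; found = 1; exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# hsts_applies HOST POLICY_HOST "POLICY" -> 0 if a browser that cached
# POLICY from POLICY_HOST rewrites http://HOST to https://.  The exact host
# is always covered, subdomains only with includeSubDomains, and max-age=0
# (what you serve over HTTPS to retire a policy) cancels it.
hsts_applies() {
    host="$1"; phost="$2"; policy="$3"
    age=$(hsts_directive max-age "$policy") || return 1
    [ "$age" -gt 0 ] 2>/dev/null || return 1
    [ "$host" = "$phost" ] && return 0
    case "$host" in
        *."$phost") hsts_directive includeSubDomains "$policy" >/dev/null ;;
        *) return 1 ;;
    esac
}

# Walk-through with the constructed data
for resp in "$RESP_HSTS" "$RESP_PLAIN"; do
    if policy=$(hsts_policy "$resp"); then
        echo "cached policy: $policy ($(hsts_directive max-age "$policy") s)"
        for h in s3rvant.ch cloud.s3rvant.ch colab.s3rvant.ch other.example; do
            if hsts_applies "$h" s3rvant.ch "$policy"; then
                echo "  $h: browser rewrites http:// to https://"
            else
                echo "  $h: plain http:// still reachable"
            fi
        done
    else
        echo "no HSTS header in this response (nothing for the browser to cache)"
    fi
done
```

Drop the includeSubDomains directive from RESP_HSTS and only s3rvant.ch stays pinned while the subdomains fall back to plain HTTP; that difference is the first thing to look at when a subdomain redirects that was never served over TLS itself.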

Ah, that makes sense, thanks. Will continue tinkering.

Never did figure out how to solve the issue on CentOS 6. Ended up asking my VPS provider to add the option to use CentOS 7, which they did, and I was then able to set up subdomains with SSL without issue.
