Domain: www.ashish.com
Type: connection
Detail: Failed to connect to 69.172.201.153:443 for tls-sni-01
challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
PS - I have made virtual host on local www.ashish.com
it points to my local directory
I ran this command - sudo certbot --apache -d www.ashish.com
It produced this output: -
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.ashish.com
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.ashish.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 69.172.201.153:443 for tls-sni-01 challenge
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: www.ashish.com
Type: connection
Detail: Failed to connect to 69.172.201.153:443 for tls-sni-01
challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): localhost
The operating system my web server runs on is (include version):Ubuntu 14.04.1 LTS
I suspect that because you do not have a certificate on your port 443 the connection is not established. I believe you need to have a working TLS connection on port 443 for the challenge to pass.
No, this is not correct. certbot --apache will reconfigure Apache to listen on port 443 to pass the TLS-SNI-01 challenge. You do not need to have an existing certificate of any kind.
However, certbot --apache does need to be able to be reconfigured by Certbot to start listening on port 443.
Open a TLS connection to the domain name being validated on the
requested port, presenting the value
"<Zi[0:32]>.<Zi[32:64]>.acme.invalid" in the SNI field (where the
comparison is case-insensitive).
So I was under the impression a working domain SSL binding would be needed to pass the challenge.
Are you saying certbot creates two bindings? One for the domain and for the acme.invalid?
Certbot creates the .acme.invalid cert. The Apache plugin itself does not create a binding for the subject domain name as part of the validation process.
Hi @ahaw021@schoen
Thanx for the replies , Actually i came to know that , We can,t generate certifinctes on local virtual hosts As i have made virtual host on my local machine for that domain and that domain doesn,t belong to me.
Is this the reason i was not able to generate certificates or i will check the things that you both were talking about ?
Of course, you need to own or at least control the domain to be able to issue a certificate for it. If we could issue certificates for domains that we don't own or control we could issue certs for google.com, paypal.com etc. which is insane