Failed connection tls-sni-01

Good afternoon!

When creating a certificate, it returns the error:

I ran the test and the 443 connection is responding, and DNS also resolves to the correct IP. I even temporarily disabled the firewall for testing and did not succeed.
Have you ever gotten a bug like this?
Hug!

Carlos Eduardo.

Hi @carlos.eduardo,

Can you tell us what the specific error message was, and what software you were using? Normally when you create a Help topic, there is a list of questions about these details, and it would be helpful to have all of this information.

I’m also speculating that Portuguese is your native language and I’m happy to read and write in Portuguese if it would be easier for you.

Hello @schoen
Actually, my native language is Portuguese; I asked the question in English, noting that most of the users speak English and it would be quicker to get help solving the problem.

I’m trying to get a certificate for my sub-domain.
My main domain today does not have https because it does not have a website.
When attempting to obtain the certificate, the following error occurs:

Failed authorization procedure. (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to myip:443 for tls-sni-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xxx.yourdomain.com
    Type: connection
    Detail: Failed to connect to myip:443 for tls-sni-01
    challenge

    To fix these errors, please make sure your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I am using Linux, Ubuntu version 16.04, with Apache as the web server.

Thank you!

Hi @carlos.eduardo,

I would still like to know the details that I mentioned before. When you originally create a Help topic, you should see the following:

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Also, you said

What software is listening to port 443, and what kind of test did you do?

Hi @schoen

I would still like to know the details that I mentioned before. When you originally create a Help topic, you should see the following:

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: netstat -a | egrep 'Proto|LISTEN' and ss -tlnp

It produced this output: 7930,fd=4),("apache2",pid=47929,fd=4),("apache2",pid=47926,fd=4))
LISTEN 0 128 :::443 and tcp6 0 0 [::]:https [::]:* LISTEN

My web server is (include version): Apache 2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: No

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I tested using the telnet command.

Another question.
The IP of my site is shared with another site; however, both are inside a DMZ, which does NAT for the external address, and they are on different servers.
Could this be the problem?
Because when accessing xxx.domain.com it "redirects" to an internal IP of the Class C type, 192.168.5.xxx.

Thanks for filling this in. “I ran this command” is supposed to mean “In order to request the certificate, I ran this command”, for example what Certbot command you ran.

Certbot will do quite different things depending on how you use it, so that’s an important part of the question.

@carlos.eduardo, in terms of the NAT, the externally-visible TCP port 443 needs to be redirected to port 443 of the machine where you’re running Certbot, in order to pass the TLS-SNI-01 challenge. If the public port 443 is redirected to a different port or to a different machine, the TLS-SNI-01 challenge won’t succeed with Certbot’s default behavior.
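A small diagnostic written for this thread (added here; not code from the original posts or from Certbot) that checks what the validator checks: it separates "TCP port 443 answers" (all that the telnet test above proves) from "a TLS handshake offering the SNI name completes", which is what TLS-SNI-01 needs at the public IP. Run it against the public address from outside the DMZ; the listener helper and the host name xxx.yourdomain.com are constructed test inputs.

```python
import socket
import ssl
import threading

def probe_tls(host: str, port: int = 443, sni: str = "", timeout: float = 5.0) -> dict:
    """TCP-connect to host:port, then try a TLS handshake offering `sni`.
    Keeps 'TCP connected' (what telnet shows) apart from 'TLS handshake done'."""
    result = {"tcp": False, "tls": False, "error": None, "peer_cert": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timeout, no route: the CA's 'connection' error
        result["error"] = f"tcp: {type(exc).__name__}: {exc}"
        return result
    result["tcp"] = True
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # diagnostic only: we want the handshake and
    ctx.verify_mode = ssl.CERT_NONE  # the served certificate, not chain trust
    try:
        tls = ctx.wrap_socket(raw, server_hostname=sni or host)
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        result["error"] = f"tls: {type(exc).__name__}: {exc}"
        return result
    try:
        result["tls"] = True
        result["peer_cert"] = tls.getpeercert(binary_form=True)
    finally:
        tls.close()
    return result

def classify(result: dict) -> str:
    """The three outcomes that matter when debugging a TLS-SNI-01 failure."""
    if not result["tcp"]:
        return "unreachable"          # what the validator reported on this page
    if not result["tls"]:
        return "tcp-open-but-no-tls"  # e.g. NAT forwards 443 to the wrong host
    return "tls-handshake-ok"

def plain_tcp_listener() -> int:
    """Constructed stand-in for a misrouted port 443: accepts one connection and
    closes it without speaking TLS. Returns the bound localhost port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

For the real check, call probe_tls with the public IP and the sub-domain as sni, e.g. probe_tls("203.0.113.10", sni="xxx.yourdomain.com"), and compare the returned peer_cert with the certificate Apache serves locally; if they differ, the NAT is not delivering port 443 to the Certbot machine.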

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.