"Failed to connect" errors, though the site is available on port 443


#1

Hi, I’ve searched high and low and can’t seem to find a solution.

2016-12-25 02:07:39,172:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Domain: home.parabiosis.net
Type: connection
Detail: Failed to connect to 210.84.63.43:443 for TLS-SNI-01 challenge

http://home.parabiosis.net:443 loads fine for me, from external networks too.
The is-it-down-for-everyone page says it’s up.
I ran “letsencrypt --debug” and it generated the following on the error log:

2016-12-25 02:10:53,968:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-12-25 02:10:53,968:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-12-25 02:10:53,969:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2016-12-25 02:10:53,969:DEBUG:letsencrypt.cli:Arguments: ['--debug']
2016-12-25 02:10:53,969:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-12-25 02:10:53,973:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2016-12-25 02:10:54,195:DEBUG:letsencrypt.display.ops:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f213e49e990>
Prep: True
2016-12-25 02:10:54,196:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f213e49e990> and installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7f213e49e990>
2016-12-25 02:10:55,770:DEBUG:letsencrypt.cli:Picked account: <Account(29568edee67df43431a2abd22b6e6e5c)>
2016-12-25 02:10:55,772:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-12-25 02:10:55,776:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-12-25 02:10:59,361:DEBUG:requests.packages.urllib3.connectionpool:“GET /directory HTTP/1.1” 200 280
2016-12-25 02:10:59,364:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Sun, 25 Dec 2016 02:10:59 GMT’, ‘Boulder-Request-Id’: ‘jhVZTFoBGLWxYZIr9imbbnmarK3TWQtdvvOvUMU_p9I’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sun, 25 Dec 2016 02:10:59 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘KkXr7UPt-PpdC0YUX3CJcszQ5asXvhLimaMT9RFLvi0’}. Content: '{\n “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”\n}‘
2016-12-25 02:10:59,364:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘280’, ‘Expires’: ‘Sun, 25 Dec 2016 02:10:59 GMT’, ‘Boulder-Request-Id’: ‘jhVZTFoBGLWxYZIr9imbbnmarK3TWQtdvvOvUMU_p9I’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sun, 25 Dec 2016 02:10:59 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘KkXr7UPt-PpdC0YUX3CJcszQ5asXvhLimaMT9RFLvi0’}): ‘{\n “new-authz”: “https://acme-v01.api.letsencrypt.org/acme/new-authz”,\n “new-cert”: “https://acme-v01.api.letsencrypt.org/acme/new-cert”,\n “new-reg”: “https://acme-v01.api.letsencrypt.org/acme/new-reg”,\n “revoke-cert”: “https://acme-v01.api.letsencrypt.org/acme/revoke-cert”\n}‘
2016-12-25 02:10:59,399:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0040_key-letsencrypt.pem
2016-12-25 02:10:59,404:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0040_csr-letsencrypt.pem
2016-12-25 02:10:59,405:DEBUG:root:Requesting fresh nonce
2016-12-25 02:10:59,405:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-12-25 02:10:59,406:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-12-25 02:11:02,887:DEBUG:requests.packages.urllib3.connectionpool:“HEAD /acme/new-authz HTTP/1.1” 405 0
2016-12-25 02:11:02,889:DEBUG:root:Received <Response [405]>. Headers: {‘Content-Length’: ‘91’, ‘Pragma’: ‘no-cache’, ‘Boulder-Request-Id’: ‘pPYzMf98Lmu4vPg7Vs6T1IXPUkvS-tXTgAZGgPN5C8M’, ‘Expires’: ‘Sun, 25 Dec 2016 02:11:02 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Allow’: ‘POST’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sun, 25 Dec 2016 02:11:02 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘Z6CwHd0k_TVKXvxpRR42_8MAhT3uwcq5cZ5lMHAkeaY’}. Content: ‘‘
2016-12-25 02:11:02,890:DEBUG:acme.client:Storing nonce: ‘g\xa0\xb0\x1d\xdd$\xfd5J^\xfciE\x1e6\xff\xc3\x00\x85=\xee\xc1\xca\xb9q\x9ee0p$y\xa6’
2016-12-25 02:11:02,890:DEBUG:acme.jose.json_util:Omitted empty fields: challenges=None, combinations=None, status=None, expires=None
2016-12-25 02:11:02,891:DEBUG:acme.client:Serialized JSON: {“identifier”: {“type”: “dns”, “value”: “home.parabiosis.net”}, “resource”: “new-authz”}
2016-12-25 02:11:02,892:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ=None
2016-12-25 02:11:02,895:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
2016-12-25 02:11:02,896:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “x0HgnUwDavTSOrUB5gNEf6Xm_E0dSuwCpRnMoGeI_qJCflcVXLUSYcG2WdLTmaXlaotOCzVUJDNwT3hMh6nWA-1Z-nizAbJv-wboZSSsdKi7XKJQhZNQ7NqRiGy4tHs8KUE2x1WGfnkxvqILb-t27GBssX9OtUv1LW2G09-Aphs2KB6tSElU2yrT0bzHajRoRqkGjys0R3C9U1dQQ0-UZKwNk9rHj6Fwx5iCSoCuC5d3Q3Lql8DblhUfn1NJ3iTscquazQyuiBFVOIaJYMHOJUbZ4qohtyYL_TuyD76i9peqTGDa4FNQ0jUY3Z0luV8oDkvs8KQP-LvB84QxcknmLw”}}, “protected”: “eyJub25jZSI6ICJaNkN3SGQwa19UVktYdnhwUlI0Ml84TUFoVDN1d2NxNWNaNWxNSEFrZWFZIn0”, “payload”: “eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJob21lLnBhcmFiaW9zaXMubmV0In0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ”, “signature”: “svmtn3FVvH5EX3tbSCj8M_WkXw7tXtc8KE2Mb1PqqBYX0lL2YFq_-HMlUvHBnhdVYsJ4v1AAmfe1u7sgqp5NheYUTFrl0puhD5xA5vXC1Q8s6Q2GVtflmDQX98JgdUdzSGhBtDgaMeXLfoxT9fGure67uR3ucE-qLeDlZmDMDfF96lzSRUayzIA_8IqAP3ujFlZ3GeDmZrNrAwxEibbuZgczhMXMlUw8F4MsxoHef2pBcD-aJOEU9GKgbxkEpq1deZBSFbTs06cG4sqnKBJcK5_uU78pOPjj6mIYsVOTtSiW1DLyJYUNWS3t1KuUqNwiR2g2SBc5d-ELGscC9FnoBA”}’}
2016-12-25 02:11:02,897:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-12-25 02:11:06,426:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-authz HTTP/1.1” 201 1004
2016-12-25 02:11:06,429:DEBUG:root:Received <Response [201]>. Headers: {‘Content-Length’: ‘1004’, ‘Expires’: ‘Sun, 25 Dec 2016 02:11:06 GMT’, ‘Boulder-Request-Id’: ‘mo2JlLtGiiPFCAbxVLOFqR_ThvxAWhAUhkXIlvyKHk0’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘7415042’, ‘Date’: ‘Sun, 25 Dec 2016 02:11:06 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘gN-35MCpyG1i1Fe6BAjhU_4S_yoBGML8Plu_91s3DtI’}. Content: ‘{\n “identifier”: {\n “type”: “dns”,\n “value”: “home.parabiosis.net”\n },\n “status”: “pending”,\n “expires”: “2017-01-01T02:11:06.258900369Z”,\n “challenges”: [\n {\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588”,\n “token”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM”\n },\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668589”,\n “token”: “lCW4pf6AKiIW0nyEaQKwraEX86BjN5yNAXzPRvwQdas”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668590”,\n “token”: “baOxsh4Eabs3xOqsNeTAOIX67iy1-Ji06eYwHBve_7o”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}‘
2016-12-25 02:11:06,429:DEBUG:acme.client:Storing nonce: ‘\x80\xdf\xb7\xe4\xc0\xa9\xc8mb\xd4W\xba\x04\x08\xe1S\xfe\x12\xff*\x01\x18\xc2\xfc>[\xbf\xf7[7\x0e\xd2’
2016-12-25 02:11:06,429:DEBUG:acme.client:Received response <Response [201]> (headers: {‘Content-Length’: ‘1004’, ‘Expires’: ‘Sun, 25 Dec 2016 02:11:06 GMT’, ‘Boulder-Request-Id’: ‘mo2JlLtGiiPFCAbxVLOFqR_ThvxAWhAUhkXIlvyKHk0’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘7415042’, ‘Date’: ‘Sun, 25 Dec 2016 02:11:06 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘gN-35MCpyG1i1Fe6BAjhU_4S_yoBGML8Plu_91s3DtI’}): ‘{\n “identifier”: {\n “type”: “dns”,\n “value”: “home.parabiosis.net”\n },\n “status”: “pending”,\n “expires”: “2017-01-01T02:11:06.258900369Z”,\n “challenges”: [\n {\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588”,\n “token”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM”\n },\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668589”,\n “token”: “lCW4pf6AKiIW0nyEaQKwraEX86BjN5yNAXzPRvwQdas”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668590”,\n “token”: “baOxsh4Eabs3xOqsNeTAOIX67iy1-Ji06eYwHBve_7o”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}‘
2016-12-25 02:11:06,430:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u’status’: u’pending’, u’token’: u’baOxsh4Eabs3xOqsNeTAOIX67iy1-Ji06eYwHBve_7o’, u’type’: u’dns-01’, u’uri’: u’https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668590’}
2016-12-25 02:11:06,431:INFO:letsencrypt.auth_handler:Performing the following challenges:
2016-12-25 02:11:06,431:INFO:letsencrypt.auth_handler:tls-sni-01 challenge for home.parabiosis.net
2016-12-25 02:11:06,482:INFO:letsencrypt_apache.configurator:Enabled Apache socache_shmcb module
2016-12-25 02:11:06,558:INFO:letsencrypt_apache.configurator:Enabled Apache ssl module
2016-12-25 02:11:06,873:DEBUG:letsencrypt_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2016-12-25 02:11:06,874:DEBUG:letsencrypt_apache.tls_sni_01:writing a config file with text:

<VirtualHost *:443>
ServerName 563636fc59e5c35c3365dba769fb4e70.340c58664d081df80df55931590815f0.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on

LimitRequestBody 1048576
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM.crt
SSLCertificateKeyFile /var/lib/letsencrypt/cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM.pem
DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/

2016-12-25 02:11:06,926:DEBUG:letsencrypt.reverter:Creating backup of /etc/apache2/apache2.conf
2016-12-25 02:11:10,067:INFO:letsencrypt.auth_handler:Waiting for verification…
2016-12-25 02:11:10,067:DEBUG:acme.client:Serialized JSON: {“keyAuthorization”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM.SueEGmSkK0sfm5n8j5nVS0jxyxRUzYgt0A7au74nqvE”, “type”: “tls-sni-01”, “resource”: “challenge”}
2016-12-25 02:11:10,068:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ=None
2016-12-25 02:11:10,072:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
2016-12-25 02:11:10,072:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “x0HgnUwDavTSOrUB5gNEf6Xm_E0dSuwCpRnMoGeI_qJCflcVXLUSYcG2WdLTmaXlaotOCzVUJDNwT3hMh6nWA-1Z-nizAbJv-wboZSSsdKi7XKJQhZNQ7NqRiGy4tHs8KUE2x1WGfnkxvqILb-t27GBssX9OtUv1LW2G09-Aphs2KB6tSElU2yrT0bzHajRoRqkGjys0R3C9U1dQQ0-UZKwNk9rHj6Fwx5iCSoCuC5d3Q3Lql8DblhUfn1NJ3iTscquazQyuiBFVOIaJYMHOJUbZ4qohtyYL_TuyD76i9peqTGDa4FNQ0jUY3Z0luV8oDkvs8KQP-LvB84QxcknmLw”}}, “protected”: “eyJub25jZSI6ICJnTi0zNU1DcHlHMWkxRmU2QkFqaFVfNFNfeW9CR01MOFBsdV85MXMzRHRJIn0”, “payload”: “eyJrZXlBdXRob3JpemF0aW9uIjogImNNc2RTR1J2T09JVlRtdmN6aldHZkZ1MjdIUExlcGdwX21kTVZQZUNlZk0uU3VlRUdtU2tLMHNmbTVuOGo1blZTMGp4eXhSVXpZZ3QwQTdhdTc0bnF2RSIsICJ0eXBlIjogInRscy1zbmktMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0”, “signature”: “fEpkZ4wRe62QtPytt7ky5kfpNzxOiJiM4x6Aj1XBNSDwv6Uo8CiAs4kTEdXhMYVFOIv7xVvyn2rFjnI5Hh7juqJLSvmQEc5mgvlHI3Imcb7F84z5UoyIyZKsxprCloDpu-Zh3xs9i-7eFcI4D92sfisYulrS9JSFZ5qia1Kd9Dh1ehSis9_qXLjPl5g3jVew9toRZyW-gEfRlrQA01dLgF4exNFofQzMtPx3UKevt6KWeZYd1_v0hxfg5jaqfBdH8XnumM5zwb5hQBwNaKEWFYMXauvyFtFatzHLtC6tpAdXWgYb24h-PGTsaHwDca3qPp2loMGSqULWzeU2KeFuVg”}’}
2016-12-25 02:11:10,073:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-12-25 02:11:13,697:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588 HTTP/1.1” 202 338
2016-12-25 02:11:13,700:DEBUG:root:Received <Response [202]>. Headers: {‘Content-Length’: ‘338’, ‘Boulder-Request-Id’: ‘IWmr2189lqoymJcP8SMvOw-2JQPFq__C15Ndm5hmwOE’, ‘Expires’: ‘Sun, 25 Dec 2016 02:11:13 GMT’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34;rel=“up”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘7415042’, ‘Date’: ‘Sun, 25 Dec 2016 02:11:13 GMT’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘4Y6v54wZ-VP4ISow46ke13apR4poBhhaEcsR77lDKN0’}. Content: '{\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588”,\n “token”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM”,\n “keyAuthorization”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM.SueEGmSkK0sfm5n8j5nVS0jxyxRUzYgt0A7au74nqvE”\n}‘
2016-12-25 02:11:13,700:DEBUG:acme.client:Storing nonce: ‘\xe1\x8e\xaf\xe7\x8c\x19\xf9S\xf8!*0\xe3\xa9\x1e\xd7v\xa9G\x8ah\x06\x18Z\x11\xcb\x11\xef\xb9C(\xdd’
2016-12-25 02:11:13,701:DEBUG:acme.client:Received response <Response [202]> (headers: {‘Content-Length’: ‘338’, ‘Boulder-Request-Id’: ‘IWmr2189lqoymJcP8SMvOw-2JQPFq__C15Ndm5hmwOE’, ‘Expires’: ‘Sun, 25 Dec 2016 02:11:13 GMT’, ‘Server’: ‘nginx’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/authz/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34;rel=“up”’, ‘Location’: ‘https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588’, ‘Pragma’: ‘no-cache’, ‘Boulder-Requester’: ‘7415042’, ‘Date’: ‘Sun, 25 Dec 2016 02:11:13 GMT’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘4Y6v54wZ-VP4ISow46ke13apR4poBhhaEcsR77lDKN0’}): ‘{\n “type”: “tls-sni-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588”,\n “token”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM”,\n “keyAuthorization”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM.SueEGmSkK0sfm5n8j5nVS0jxyxRUzYgt0A7au74nqvE”\n}‘
2016-12-25 02:11:16,704:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34. args: (), kwargs: {}
2016-12-25 02:11:16,706:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-12-25 02:11:20,177:DEBUG:requests.packages.urllib3.connectionpool:“GET /acme/authz/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34 HTTP/1.1” 200 1528
2016-12-25 02:11:20,180:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘1528’, ‘Expires’: ‘Sun, 25 Dec 2016 02:11:20 GMT’, ‘Boulder-Request-Id’: ‘4rPZkOqYbp-op5ZhABw4v3iyrbIehDTFNfbbqLzzyjo’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sun, 25 Dec 2016 02:11:20 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘_PW7Z7OGzs4oE6prDRfpLa-oXHuxOoyYZvbK7YrAeds’}. Content: ‘{\n “identifier”: {\n “type”: “dns”,\n “value”: “home.parabiosis.net”\n },\n “status”: “invalid”,\n “expires”: “2017-01-01T02:11:06Z”,\n “challenges”: [\n {\n “type”: “tls-sni-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:acme:error:connection”,\n “detail”: “Failed to connect to 210.84.63.43:443 for TLS-SNI-01 challenge”,\n “status”: 400\n },\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588”,\n “token”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM”,\n “keyAuthorization”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM.SueEGmSkK0sfm5n8j5nVS0jxyxRUzYgt0A7au74nqvE”,\n “validationRecord”: [\n {\n “hostname”: “home.parabiosis.net”,\n “port”: “443”,\n “addressesResolved”: [\n “210.84.63.43”\n ],\n “addressUsed”: “210.84.63.43”\n }\n ]\n },\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668589”,\n “token”: “lCW4pf6AKiIW0nyEaQKwraEX86BjN5yNAXzPRvwQdas”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668590”,\n “token”: “baOxsh4Eabs3xOqsNeTAOIX67iy1-Ji06eYwHBve_7o”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}‘
2016-12-25 02:11:20,181:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘1528’, ‘Expires’: ‘Sun, 25 Dec 2016 02:11:20 GMT’, ‘Boulder-Request-Id’: ‘4rPZkOqYbp-op5ZhABw4v3iyrbIehDTFNfbbqLzzyjo’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Link’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert;rel=“next”’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Sun, 25 Dec 2016 02:11:20 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Replay-Nonce’: ‘_PW7Z7OGzs4oE6prDRfpLa-oXHuxOoyYZvbK7YrAeds’}): ‘{\n “identifier”: {\n “type”: “dns”,\n “value”: “home.parabiosis.net”\n },\n “status”: “invalid”,\n “expires”: “2017-01-01T02:11:06Z”,\n “challenges”: [\n {\n “type”: “tls-sni-01”,\n “status”: “invalid”,\n “error”: {\n “type”: “urn:acme:error:connection”,\n “detail”: “Failed to connect to 210.84.63.43:443 for TLS-SNI-01 challenge”,\n “status”: 400\n },\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668588”,\n “token”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM”,\n “keyAuthorization”: “cMsdSGRvOOIVTmvczjWGfFu27HPLepgp_mdMVPeCefM.SueEGmSkK0sfm5n8j5nVS0jxyxRUzYgt0A7au74nqvE”,\n “validationRecord”: [\n {\n “hostname”: “home.parabiosis.net”,\n “port”: “443”,\n “addressesResolved”: [\n “210.84.63.43”\n ],\n “addressUsed”: “210.84.63.43”\n }\n ]\n },\n {\n “type”: “http-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668589”,\n “token”: “lCW4pf6AKiIW0nyEaQKwraEX86BjN5yNAXzPRvwQdas”\n },\n {\n “type”: “dns-01”,\n “status”: “pending”,\n “uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668590”,\n “token”: “baOxsh4Eabs3xOqsNeTAOIX67iy1-Ji06eYwHBve_7o”\n }\n ],\n “combinations”: [\n [\n 2\n ],\n [\n 1\n ],\n [\n 0\n ]\n ]\n}‘
2016-12-25 02:11:20,181:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u’status’: u’pending’, u’token’: u’baOxsh4Eabs3xOqsNeTAOIX67iy1-Ji06eYwHBve_7o’, u’type’: u’dns-01’, u’uri’: u’https://acme-v01.api.letsencrypt.org/acme/challenge/gF3ULsQs6FQBtma8qXeSGlm8mF7V9fQmOCjjcC5Jz34/444668590’}
2016-12-25 02:11:20,182:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Domain: home.parabiosis.net
Type: connection
Detail: Failed to connect to 210.84.63.43:443 for TLS-SNI-01 challenge

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2016-12-25 02:11:20,182:INFO:letsencrypt.auth_handler:Cleaning up challenges
2016-12-25 02:11:20,423:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in <module>
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 662, in run
lineage, action = _auth_from_domains(le_client, config, domains)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 474, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 269, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 252, in obtain_certificate
return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 225, in obtain_certificate_from_csr
authzr = self.auth_handler.get_authorizations(domains)
File “/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py”, line 84, in get_authorizations
self._respond(cont_resp, dv_resp, best_effort)
File “/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py”, line 142, in _respond
self._poll_challenges(chall_update, best_effort)
File “/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py”, line 204, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. home.parabiosis.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 210.84.63.43:443 for TLS-SNI-01 challenge

Same errors with either CertBot or letsencrypt.
I’m close to giving up and trying the Lego client instead, but that adds a (small) cost, as the Route 53 workaround it offers isn’t free.

Any advice would be highly appreciated. Thanks!


#2

I think there is a clue here.

Port 443 should be listening / using https not http.

You could shut down Apache temporarily, and use the standalone mode, or you could correct your Apache config so that it isn’t listening with http on port 443.


#3

Bingo, that was it. I missed that due to my insistence to run tests with telnet on port 443, rather than curl.

Turns out, https was broken because I forgot to ‘a2enmod ssl’.

Bangs her head against the desk. Works like a charm now.

Thanks!
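The root cause found in this thread (port 443 accepted TCP connections but answered in plain HTTP, which a telnet test cannot distinguish from working TLS) can be checked directly. The following is an added example, not part of the original posts or of the letsencrypt client: it sends a genuine TLS ClientHello and classifies the first bytes of the reply. The function names and the sample byte strings are hypothetical and constructed for illustration.

```python
import socket
import ssl

# Constructed sample replies (not captured from the host in this thread).
SAMPLE_TLS_REPLY = bytes.fromhex("160303007a02000076")   # start of a ServerHello record
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"       # web server answering in plain HTTP


def build_client_hello(server_name):
    """Use the ssl module to produce a real ClientHello without any network I/O."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake is now waiting for the server's reply
    return outgoing.read()


def classify_first_bytes(data):
    """Decide what protocol the listener speaks from the start of its reply."""
    if not data:
        return "no-reply"
    # TLS record header: content type 0x14-0x17 followed by major version 0x03.
    if len(data) >= 2 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03:
        return "tls"
    # A plain-HTTP listener answers the binary ClientHello with an HTTP error.
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"


def probe(host, port, server_name=None, timeout=5.0):
    """Connect, send a ClientHello, and classify whatever comes back.

    A successful TCP connect (all that telnet shows) is only the first step;
    the validation server also needs a TLS handshake to succeed on this port.
    """
    hello = build_client_hello(server_name or host)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(hello)
            try:
                first = sock.recv(16)
            except OSError:  # timeout or reset after the connect succeeded
                first = b""
    except OSError:
        return "tcp-connect-failed"
    return classify_first_bytes(first)


if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_TLS_REPLY))    # tls
    print(classify_first_bytes(SAMPLE_HTTP_REPLY))   # plaintext-http
```

A result of `plaintext-http` on port 443 corresponds to the situation described above, where the SSL module had not been enabled.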

