Failed to connect to 1.2.3.4:443 for TLS-SNI-01

Help
1

The apache server proc is dying each time. See the apache log snippet further below.

I’ve tried a few variations including ‘–standalone-supported-challenges http-01’ but ultimately I won’t get anywhere if the apache proc isn’t running. What could be killing it?

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/f.ff.me.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for f.ff.me
Waiting for verification...
Cleaning up challenges
Error while running apachectl graceful.

Job for httpd.service invalid.

Attempting to renew cert from /etc/letsencrypt/renewal/f.ff.me.conf produced an unexpected error: Error while running apachectl graceful.

Job for httpd.service invalid.
. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/f.ff.me/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: f.ff.me
   Type:   connection
   Detail: Failed to connect to 1.2.3.4:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

====

[Fri Jan 20 20:10:50.932434 2017] [mpm_prefork:notice] [pid 14096] AH00171: Graceful restart requested, doing restart
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
AH00112: Warning: DocumentRoot [/var/lib/letsencrypt/tls_sni_01_page/] does not exist
[Fri Jan 20 20:11:00.986644 2017] [auth_digest:notice] [pid 14096] AH01757: generating secret for digest authentication ...
[Fri Jan 20 20:11:00.988249 2017] [ssl:emerg] [pid 14096] (2)No such file or directory: AH02201: Init: Can't open server certificate file /var/lib/letsencrypt/3Nun84ung5Kjx9HzIfVhTlLldqEc5lhv_3OmegY6lHA.crt
[Fri Jan 20 20:11:00.988278 2017] [ssl:emerg] [pid 14096] AH02312: Fatal error initialising mod_ssl, exiting.
2

Hi @ezekieldas,

Did you redact your IP address and replace it with 1.2.3.4 for this post, or is that actually the IP address that the CA is attempting to validate to?

3

Hi @schoen. Yes the ipaddr is masked with 1.2.3.4.

I was able to find a semi-acceptable solution to the issue with using the manual ‘webroot’ approach. However this is short term and I expect to encounter trouble again on next renewal.

I believe this has something to do with how the system is hardened. Possibly an selinux issue. I can try to reproduce this coming week. Still looking for ideas regarding why http proc is crashing at the temporary DocumentRoot.

4

The DocumentRoot warning is expected; that’s probably not what’s causing the problem.

I’d guess it’s this one:

[Fri Jan 20 20:11:00.988249 2017] [ssl:emerg] [pid 14096] (2)No such file or directory: AH02201: Init: Can't open server certificate file /var/lib/letsencrypt/3Nun84ung5Kjx9HzIfVhTlLldqEc5lhv_3OmegY6lHA.crt

Not sure what would cause that, although with selinux you never know.

5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.