Failed to connect to 104.28.2.182:443 for tls-sni-01 by 2 of 6 domains


#1

Operating system: Debian GNU/Linux 8.7 (jessie) (3.16.0-4-amd64)

Web server: Apache/2.4.10 (Debian) (apache2handler)

Hosting provider: Hetzner, VServer

Root shell Login: Yes

Control panel: No

If I try to renew my certs I get an error message only for anzah.cloud, but all domains are on the same root and all domains use Cloudflare.
So I don't understand why 4 domains run successfully and 2 have a problem.

# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mysql.anzah.network.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for mysql.anzah.network
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0018_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0018_csr-certbot.pem

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/anzah.cloud.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for anzah.cloud
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/anzah.cloud.conf produced an unexpected error: Failed authorization procedure. anzah.cloud (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 104.28.2.182:443 for tls-sni-01 challenge. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/paste.anzah.network.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for paste.anzah.network
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0019_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0019_csr-certbot.pem

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/www.anzah.cloud.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.anzah.cloud
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.anzah.cloud.conf produced an unexpected error: Failed authorization procedure. www.anzah.cloud (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 104.28.2.182:443 for tls-sni-01 challenge. Skipping.

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/bug.anzah.network.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for bug.anzah.network
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0020_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0020_csr-certbot.pem

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/tsw.anzah.network.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for tsw.anzah.network
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0021_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0021_csr-certbot.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
  /etc/letsencrypt/live/mysql.anzah.network/fullchain.pem (success)
  /etc/letsencrypt/live/paste.anzah.network/fullchain.pem (success)
  /etc/letsencrypt/live/bug.anzah.network/fullchain.pem (success)
  /etc/letsencrypt/live/tsw.anzah.network/fullchain.pem (success)

The following certs could not be renewed:
  /etc/letsencrypt/live/anzah.cloud/fullchain.pem (failure)
  /etc/letsencrypt/live/www.anzah.cloud/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: anzah.cloud
   Type:   tls
   Detail: Failed to connect to 104.28.2.182:443 for tls-sni-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   you have an up-to-date TLS configuration that allows the server to
   communicate with the Certbot client.
 - The following errors were reported by the server:

   Domain: www.anzah.cloud
   Type:   tls
   Detail: Failed to connect to 104.28.2.182:443 for tls-sni-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   you have an up-to-date TLS configuration that allows the server to
   communicate with the Certbot client.
root@Anzah-Cloud ~ #

#2

@Tealk, TLS-SNI-01 validation never works with Cloudflare. So I think the greater mystery is why Certbot said that the other domains were successfully renewed!


#3

@cpu, can you check if the staging server really attempted to perform TLS-SNI-01 validations to CloudFlare addresses for these domains?


#4

I looked at two, mysql.anzah.network and paste.anzah.network: both had existing valid authorizations that expire 30/04/17 and were validated with TLS-SNI-01 against an IP in space owned by Hetzner Online GmbH, not Cloudflare.

I expect that the staging account in question has cached valid authorizations for some of the requested domains, from a time when the TLS-SNI-01 challenge validation was being done against the host directly without Cloudflare. The domains without cached authorizations that are behind Cloudflare are failing to solve the TLS-SNI-01 challenge as expected.


#5

@cpu, thanks for that diagnosis.

@Tealk, the TLS-SNI-01 method (used by certbot --apache and possibly also just the default certbot run if it detects Apache on your system and you agree) can’t work behind a CDN, because it relies on checking properties of the TLS session. If the TLS session is handled by a CDN, the expected properties (custom-generated certs) won’t be present.

You could try to switch to the HTTP-01 method (supported by certbot --webroot) if you have a web server listening on port 80. This does work behind a CDN.
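As an added illustration of the mechanism behind this answer (example code, not from the thread or from Certbot): the TLS-SNI-01 and HTTP-01 derivations follow the ACME draft Let's Encrypt implemented at the time, while the Origin and CdnEdge classes are constructed stand-ins for the Apache host and the CDN in front of it, showing why one challenge cannot be answered through the edge and the other can.

```python
import hashlib

def key_authorization(token: str, account_thumbprint: str) -> str:
    """keyAuthorization = token '.' base64url(JWK thumbprint of the account key)."""
    return f"{token}.{account_thumbprint}"

def tls_sni01_expected_san(key_authz: str) -> str:
    """Name the validator offers as SNI and expects back as a SAN:
    Z = hex(SHA-256(keyAuthorization)); Z[0:32] '.' Z[32:64] '.acme.invalid'."""
    z = hashlib.sha256(key_authz.encode("ascii")).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"

class Origin:
    """Constructed model of the real web host, where certbot installs the challenge material."""
    def __init__(self, key_authz: str, site_sans):
        self.challenge_san = tls_sni01_expected_san(key_authz)
        self.site_sans = set(site_sans)
        token = key_authz.split(".", 1)[0]
        self.webroot = {f"/.well-known/acme-challenge/{token}": key_authz}

    def tls_handshake(self, sni: str) -> set:
        # Apache serves the self-signed challenge cert for the acme.invalid SNI
        # and the normal site certificate for anything else.
        return {self.challenge_san} if sni == self.challenge_san else self.site_sans

    def http_get(self, path: str):
        return self.webroot.get(path)

class CdnEdge:
    """Constructed model of a CDN: terminates TLS itself, proxies HTTP to the origin."""
    def __init__(self, origin: Origin, edge_sans):
        self.origin, self.edge_sans = origin, set(edge_sans)

    def tls_handshake(self, sni: str) -> set:
        # The edge answers with its own certificate for names it hosts and drops
        # an unknown SNI (the "Failed to connect" seen in the dry run); the
        # origin's challenge certificate is never reachable through the edge.
        return self.edge_sans if sni in self.edge_sans else set()

    def http_get(self, path: str):
        return self.origin.http_get(path)  # plain HTTP is passed through to the origin

def validate_tls_sni01(front, key_authz: str) -> bool:
    expected = tls_sni01_expected_san(key_authz)
    return expected in front.tls_handshake(expected)

def validate_http01(front, key_authz: str) -> bool:
    token = key_authz.split(".", 1)[0]
    return front.http_get(f"/.well-known/acme-challenge/{token}") == key_authz
```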


#6

Is it possible to cache it for all domains?


#7

I’m not sure I understand your question. You need to follow @schoen’s advice to get authorizations for the other domains.

