Failed to connect to ....... :443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.hendrofebrian.esy.es
    Type: connection
    Detail: Failed to connect to 31.170.166.221:443 for TLS-SNI-01
    challenge

    Domain: hendrofebrian.esy.es
    Type: connection
    Detail: Failed to connect to 31.170.166.221:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Newbie here… help me pls haha


We are getting the same issue when running a renew command on an Amazon Linux box, that has ingress at ports 22 and 80, and outbound for all ports.

Command

sudo ./certbot-auto certonly --standalone -d api.example.domain --renew-by-default --debug -t -m email@example.com --manual-public-ip-logging-ok --agree-tos

Output

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: api.example.domain
   Type:   tls
   Detail: Failed to connect to 54.230.96.73:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   you have an up-to-date TLS configuration that allows the server to
   communicate with the Certbot client.

You will need to allow access on port 443 for this challenge to succeed.

Do you have a firewall or anything blocking access to port 443? Also, what command line were you running to get the error?

We’ve allowed 443 on our Amazon Linux machine, which is running the certbot renew command, and we still cannot renew. It seems like there’s a Letsencrypt server that isn’t accepting connections?

FailedChallenges: Failed authorization procedure. api.example.domain (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 52.85.202.55:443 for TLS-SNI-01 challenge

Assuming 52.85.202.55 is the correct IP for your domain, then the error is trying to reach your domain (or there is something else listening on that port).

If it isn't your IP, then please provide the domain name so we can check the DNS as to where it's getting the wrong IP address from.

If it is your IP, I currently get an error:

curl -I 52.85.202.55:443
HTTP/1.1 400 Bad Request
Server: CloudFront
Date: Mon, 19 Dec 2016 20:22:01 GMT
Content-Type: text/html
Content-Length: 551
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 1b48b5af8a51ddc51d69acbd441f7cde.cloudfront.net (CloudFront)
X-Amz-Cf-Id: jvE51Y-BycPMeiELuw_rK0qH_O9hl_rSVNp32SFgZLN4qgbfNyGtiQ==

Note the Server: CloudFront, which indicates that your domain is currently fronted by Cloudflare, which will prevent you from solving a TLS-SNI-01 challenge. I would recommend trying Certbot’s “webroot” mode, which uses the HTTP-01 challenge.
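A small triage helper for the failure discussed in this thread, added here as an example and not code from the thread or from Certbot: it parses the IMPORTANT NOTES block Certbot prints, pulls out the IP and port the CA could not reach, and maps optional probe results (a TCP connect to that port, the Server header seen there) onto the next steps the replies above suggest. The sample output, domains and the IP 203.0.113.10 are constructed.

```python
import re
import socket

# Constructed sample of the "IMPORTANT NOTES" block Certbot prints on failure
# (same shape as the thread's output; domains and IP are made-up values).
SAMPLE_NOTES = """IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.example.domain
   Type:   connection
   Detail: Failed to connect to 203.0.113.10:443 for TLS-SNI-01
   challenge

   Domain: example.domain
   Type:   tls
   Detail: Failed to connect to 203.0.113.10:443 for TLS-SNI-01
   challenge
"""

ENTRY_RE = re.compile(r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+"
                      r"Detail:\s*(?P<detail>.*?)(?=\n\s*\n|\Z)", re.S)
TARGET_RE = re.compile(r"Failed to connect to (?P<ip>[\d.]+):(?P<port>\d+)")
CDN_MARKERS = ("cloudfront", "cloudflare")  # Server header values seen on CDN edges

def parse_certbot_errors(text):
    """One dict per failed domain: domain, type, ip, port, detail (wrapped lines joined)."""
    out = []
    for m in ENTRY_RE.finditer(text):
        detail = " ".join(m.group("detail").split())
        t = TARGET_RE.search(detail)
        out.append({"domain": m.group("domain"), "type": m.group("type"),
                    "ip": t.group("ip") if t else None,
                    "port": int(t.group("port")) if t else None, "detail": detail})
    return out

def triage(entry, server_header=None, reachable=None):
    """Map a parsed error plus optional probe results to the next step to take."""
    if server_header and any(k in server_header.lower() for k in CDN_MARKERS):
        return "cdn-fronted: the CA reaches the CDN edge, not your host; switch to HTTP-01 (webroot)"
    if reachable is False:
        return f"port {entry['port']} unreachable at {entry['ip']}: open it in the firewall / security group"
    return f"check that the DNS A record for {entry['domain']} points at the host running Certbot"

def tcp_reachable(ip, port, timeout=5.0):
    """Live TCP connect probe (needs network access; not exercised by the test)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `triage(e, server_header=..., reachable=tcp_reachable(e["ip"], e["port"]))` for each entry from `parse_certbot_errors` on your own Certbot output to see which of the three conditions applies before re-running the renewal.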

