Failed to connect to :443 for TLS-SNI-01 challenge

Hi, I saw lots of people with this error but I don’t know how to solve it. I have an Apache server with several hosts. I want to create a LE certificate on one of them.
I ran this command: certbot --apache -d domain.com -d www.domain.com
It produced this output:
```
Failed authorization procedure. www.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ip:443 for TLS-SNI-01 challenge, domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ip:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.domain.com
    Type: connection
    Detail: Failed to connect to ip:443 for TLS-SNI-01
    challenge

    Domain: domain.com
    Type: connection
    Detail: Failed to connect to ip:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
```

This is my conf file:
```
<VirtualHost *:80>
    ServerName domain.com
    ServerAlias www.domain.com

    DocumentRoot /var/www/html/test/www/
    ErrorLog /var/log/httpd/test/error.log
    CustomLog /var/log/httpd/test/access.log combined

</VirtualHost>
```

Ports 80 and 443 are OPEN and LISTEN. So I don’t understand where the problem is. Can you help me please?

When I had this problem I found that the server had a firewall enabled which was allowing HTTP but not HTTPS.

From my observations it appears that certbot needs to be able to connect to the web server with port 443 to validate the ownership of the domain before the ssl is all set up.

It's possible to test if you can access the web server on port 443 with wget or a browser. Use the URL http://{your-domain-name-here}:443/

If your index page is shown/downloaded then it's not a connection issue.

You have to try that from a machine other than the web server itself though, as the firewall may not block the connection from the localhost, even if the ip address or domain name is used.
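A small script, added here as an example and not part of the thread, that does the check the reply describes: it pulls the domains out of certbot's "connection" errors and attempts a plain TCP connect to port 443 on each, distinguishing a timeout (packets dropped, the usual firewall symptom) from a refusal (nothing accepted the connection). The sample output is constructed from the text quoted in the question; as the reply says, run it from a machine other than the web server.

```python
import re
import socket

# Constructed sample of the error text quoted in the question.
SAMPLE_CERTBOT_OUTPUT = (
    "Failed authorization procedure. www.domain.com (tls-sni-01): "
    "urn:acme:error:connection :: The server could not connect to the client "
    "to verify the domain :: Failed to connect to ip:443 for TLS-SNI-01 "
    "challenge, domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "Failed to connect to ip:443 for TLS-SNI-01 challenge"
)

# "<domain> (<challenge>): urn:acme:error:<type>" as certbot prints it.
ERROR_RE = re.compile(r"(\S+) \((\S+?)\): urn:acme:error:(\w+)")


def failed_domains(output):
    """Return [(domain, challenge, error_type)] for each failure certbot printed."""
    return ERROR_RE.findall(output)


def tcp_reachable(host, port, timeout=5.0):
    """Plain TCP connect to host:port; returns (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        # No SYN-ACK and no RST: packets are being dropped, typically a firewall.
        return False, "timeout: packets dropped, likely a firewall"
    except ConnectionRefusedError:
        # The packet arrived but nothing accepted it (or a firewall REJECT).
        return False, "refused: nothing listening, or firewall reject"
    except OSError as exc:  # DNS failure, unroutable address, etc.
        return False, "error: %s" % exc


def diagnose(output, port=443, timeout=5.0):
    """Probe port 443 on every domain with a 'connection' error.

    Run from a host OTHER than the web server: host firewalls often exempt
    localhost, so a local check can pass while the ACME validation fails.
    """
    results = {}
    for domain, _challenge, err in failed_domains(output):
        if err == "connection":
            results[domain] = tcp_reachable(domain, port, timeout)
    return results


if __name__ == "__main__":
    for domain, (ok, detail) in diagnose(SAMPLE_CERTBOT_OUTPUT).items():
        print("%s:443 -> %s" % (domain, detail))
```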
