Failed to connect to *:443 for TLS-SNI-01 challenge


#1

Please fill out the fields below so we can help you better.

My domain is: alpha.nerdism.net

I ran this command: letsencrypt certonly -d alpha.nerdism.net

It produced this output:
Domain: alpha.nerdism.net
Type: connection
Detail: Failed to connect to 144.217.10.160:443 for TLS-SNI-01 challenge

My operating system is (include version): Ubuntu 16.04

My web server is (include version): n/a (node server)

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Running a REST API via Node and want it to have SSL. Does letsencrypt require Nginx/Apache to work? Not sure how letsencrypt works with verification. The firewall is not active, so the port should be accessible.


#2

Hi @digitronics,

Do you have more output showing which authentication plugin it chose?

The most common case for Certbot users is running with an existing Nginx or Apache server, but it’s not an absolute requirement. If you don’t have Nginx or Apache, there are generally two practical options:

--standalone, if you don’t have a web server at all (runs a temporary built-in web server)

--webroot, if you do have another web server that speaks HTTP on port 80 (but it has to be capable of serving files from the filesystem, not just from a database or something)


#3

Did some more research and tried out certbot. Still getting the same result.

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for alpha.nerdism.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. alpha.nerdism.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 144.217.10.160:443 for TLS-SNI-01 challenge

I’ve checked the ports; they’re open. I tested the connection to acme-v01.api.letsencrypt.org and I get a ping back. So not sure what else to do.


#4

If you run

echo hello | nc -v -l 443

as root on that server and then

nc 144.217.10.160 443

somewhere else on the Internet, do you see the word hello?
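The listen/connect test above, as an added Python preflight that is not from the original thread and not part of certbot: it classifies why a TCP connection to the challenge port fails (refused versus timed out versus no route), which is the distinction the CA's "could not connect" error hides. Port 443, the 5-second timeout and the loopback listener (which only exists so the check can run offline) are assumptions of this example.

```python
import socket
import threading

# Constructed values: 443 is the port the CA must reach for TLS-SNI-01;
# the 5-second timeout is our own choice, not the CA's.
CHALLENGE_PORT = 443
TIMEOUT_SECONDS = 5


def classify_tcp_reachability(host, port=CHALLENGE_PORT, timeout=TIMEOUT_SECONDS):
    """Connect like the validator would; return 'open', 'refused', 'timeout',
    'unreachable' or 'dns-failure'. TCP only, like the nc test above."""
    try:
        sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns-failure"
    family, socktype, proto, _, address = sockaddr
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(address)
        except socket.timeout:
            return "timeout"       # packets silently dropped: typical firewall
        except ConnectionRefusedError:
            return "refused"       # host reached, nothing listening on the port
        except OSError:
            return "unreachable"   # no route, network down, and similar
    return "open"


def run_local_listener():
    """Throwaway `nc -l`-style listener on an ephemeral loopback port, so the
    check can be exercised offline. Returns (port, stop_function)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)

    def serve():
        try:
            conn, _ = server.accept()
            conn.sendall(b"hello\n")   # same payload as the echo | nc test
            conn.close()
        except OSError:
            pass                       # listener closed before a client came

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1], server.close
```

Run classify_tcp_reachability("alpha.nerdism.net") from a machine outside the hosting network: "timeout" points at a packet-dropping firewall, "refused" at nothing listening. Let's Encrypt has since retired TLS-SNI-01, and the same reachability check applies to port 80 for the HTTP-01 challenge.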


#5

yes, http://i.imgur.com/EPp0F1l.png


#6

Is there any chance that the VPS and the server that you used for this test are in the same hosting facility (maybe both behind the same firewall)?


#7

Yes they are both from OVH, same data center.


#8

Would you be able to do the same test from another computer, maybe your own personal computer, just to make sure that OVH isn’t firewalling connections from the outside world?


#9

Tried it from my local machine, same result. I see the “hello” from 144.217.10.160.


#10

I’m pretty baffled! Maybe you could post your log files from /var/log/letsencrypt?


#11

Here’s the log file https://pastebin.com/ddbj7qiu


#12

@jsha @cpu, could either of you find out more about what happened when Let’s Encrypt tried to verify this challenge? It seems to me that there should have been a valid TLS-SNI-01 challenge performed here.


#13

Looks like it was a timeout. Really no idea why that would be the case! Maybe try temporarily standing up an Nginx or other listener on port 443 so we can try reaching it from the Let’s Encrypt datacenter and see if there’s a routing issue?


#14

I have a simple node http web server running on 443 if you want to test anything.


#15

Well, I started fresh, reinstalled everything, and it seems to be working now. Must have been something on my system messing with letsencrypt.


#16

Excellent, glad you got it working!

