It produced this output:
Domain: alpha.nerdism.net
Type: connection
Detail: Failed to connect to 144.217.10.160:443 for TLS-SNI-01 challenge
My operating system is (include version): Ubuntu 16.04
My web server is (include version): n/a ( node server )
My hosting provider, if applicable, is: OVH
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
I'm running a REST API via Node and want it to have SSL. Does Let's Encrypt require Nginx/Apache to work? I'm not sure how Let's Encrypt works with verification. The firewall is not active, so the port should be accessible.
Do you have more output showing which authentication plugin it chose?
The most common case for Certbot users is running with an existing Nginx or Apache server, but it’s not an absolute requirement. If you don’t have Nginx or Apache, there are generally two practical options:
--standalone, if you don’t have a web server at all (runs a temporary built-in web server)
--webroot, if you do have another web server that speaks HTTP on port 80 (but it has to be capable of serving files from the filesystem, not just from a database or something)
Did some more research and tried out Certbot. Still getting the same result.
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for alpha.nerdism.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. alpha.nerdism.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 144.217.10.160:443 for TLS-SNI-01 challenge
I’ve checked the ports; they’re open. I tested the connection to acme-v01.api.letsencrypt.org and I get a ping back. So I'm not sure what else to do.
Would you be able to do the same test from another computer, maybe your own personal computer, just to make sure that OVH isn’t firewalling connections from the outside world?
@jsha @cpu, could either of you find out more about what happened when Let’s Encrypt tried to verify this challenge? It seems to me that there should have been a valid TLS-SNI-01 challenge performed here.
Looks like it was a timeout. Really no idea why that would be the case! Maybe try temporarily standing up an Nginx or other listener on port 443 so we can try reaching it from the Let’s Encrypt datacenter and see if there’s a routing issue?
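To make the "timeout versus refused" distinction from the last two posts concrete, here is an added example (not code from the thread or from Certbot): a small Python helper that attempts a TCP connect and classifies the outcome the way the ACME connection error above has to be read, plus a throwaway local listener standing in for the temporary server that --standalone starts. The function names, the loopback-only demo and the timeout value are assumptions chosen for illustration; running classify_port against the server's public address from a second machine is what answers the question asked in the thread.

```python
import socket

# Hypothetical diagnostic helper; not part of Certbot or the forum post.
def classify_port(host, port, timeout=5.0):
    """Attempt a TCP connect and classify what happened:
      'open'        - something accepted the connection (a listener exists)
      'refused'     - host reachable, but nothing is listening on the port
      'timeout'     - packets silently dropped, typically a firewall
      'unreachable' - no route or other network error
    Let's Encrypt reported a timeout, so 'open' from localhost together
    with 'timeout' from outside points at the provider or a host firewall,
    while 'refused' from outside means the listener simply was not up.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "timeout"
    except OSError:                 # ENETUNREACH, EHOSTUNREACH, ...
        return "unreachable"


def start_temporary_listener(host="127.0.0.1", port=0):
    """Bind a throwaway TCP listener (port 0 = pick a free port) and return
    (socket, port). Stand-in for the temporary server --standalone spins up;
    the handshake completes via the backlog, so no accept() is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port number that is (almost certainly) not being listened on."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed loopback demo: one port with a listener, one without.
    srv, listening = start_temporary_listener()
    try:
        print(listening, classify_port("127.0.0.1", listening))     # open
    finally:
        srv.close()
    print(free_port(), classify_port("127.0.0.1", free_port()))      # refused
```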