Failed to connect to x.x.x.x:443 for TLS-SNI-01 not able to setup certificate


#1

I was using Apache on an AMI EC2 server (Amazon Linux AMI release 2016.03).

For this I have successfully installed certificates for my x.x.x.x.com and x.x.x.x.io.
But I am not able to install the subdomains like developer.xxxx.com and business.xxxx.com etc. So for that I removed the certificate, and when I tried to install again I got the error below.

I completely don’t know what I can do.
Please help me to sort this out.

Also I have checked the firewall configuration; this port is open on the server, and I have also opened it in iptables.

The port is listening.

```
netstat -tupln | grep httpd

tcp 0 0 :::80 :::* LISTEN 15555/httpd
tcp 0 0 :::443 :::* LISTEN 15555/httpd
```

It says the DNS record is not pointing, but the DNS A record has been configured.

```
Failed authorization procedure. www.x.x.x.x.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge, www.x.x.x.x.io (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge, business.x.x.x.x.io (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge, x.x.x.x.io (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge, x.x.x.x.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.x.x.x.x.com
    Type: connection
    Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
    challenge

    Domain: www.x.x.x.x.io
    Type: connection
    Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
    challenge

    Domain: business.x.x.x.x.io
    Type: connection
    Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
    challenge

    Domain: x.x.x.x.io
    Type: connection
    Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
    challenge

    Domain: x.x.x.x.com
    Type: connection
    Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
```


It say: Congratulation after use letsencrypt to register ssl, but I still cannot use https
#2

Having redacted all the domain names and the IP address makes it difficult to test things and give you a specific answer.

I’m assuming you are using certbot - what command are you running?


#3

Hi, thanks for the quick response.
The domain names are www.xxxxx.com and www.xxxxxx.io.

I have only used the letsencrypt-auto and certbot-auto scripts.


#4

Thanks for the domains - that helps - what was the specific command you were running?


#5

Also, noticing the number of certificates you have been obtaining yesterday / today - for testing you would be better using the staging server, as you are very likely to hit the rate limits


#6

The command I ran is `/path/letsencrypt-auto --debug`.
After entering this command it lists the domain names I configured in Apache; I then selected the required domains, and finally I got that error.


#7

Please hide the domain for public view


#8

It looks as if you currently have a configuration error in your apache - on port 443 you are providing http not https - hence the error.

You should check the Apache error logs, or run `apachectl -t` to test the config.

I haven’t placed the domain in public view - please note though that all certificates issued are listed publicly, so that is available anyway. You can edit your post above if you like (although that will make it harder for others to test / help).


#9

Ok, but certbot automatically configures the SSL part for HTTPS, right? Anyway, I will check the HTTPS conf in Apache as well and then let you know.


#10

Hi,
I have checked the Apache syntax; it is OK, there is no syntax error.

```
[root@ip-172-31-19-172 conf]# apachectl -t
Syntax OK
```

And the error log I got at the time of trying https:

```
[Fri Nov 25 04:05:35 2016] [error] [client 106.216.132.35] Invalid method in request \x16\x03\x01
[Fri Nov 25 04:05:35 2016] [error] [client 106.216.132.35] Invalid method in request \x16\x03\x01
```


#11

This would not be a syntax error that can be caught with apachectl -t. Your configuration files are telling apache to serve HTTP on port 443 (the port reserved for HTTPS). Could you share those?


#12

You mean whether httpd is listening on 443 or not?
Apache is listening on both ports.

```
[root@ip-172-31-19-172 ~]# netstat -tupln | grep httpd
tcp 0 0 :::80 :::* LISTEN 15555/httpd
tcp 0 0 :::443 :::* LISTEN 15555/httpd

[root@ip-172-31-19-172 conf]# grep -r 443 httpd.conf
Listen 443
NameVirtualHost *:443
```


#13

It’s listening just fine on both ports, but it’s serving HTTP on 443, not HTTPS. 80 and 443 are serving the same protocol.

I can’t really speculate on the reasons without seeing the apache config.

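To make the diagnosis in #11 and #13 concrete: `\x16\x03\x01` in the error log is the first three bytes of a TLS handshake record (content type 0x16, record version 3.1), which a listener expecting plain HTTP tries to parse as a request method, and the usual configuration cause is a `<VirtualHost *:443>` block that never sets `SSLEngine on`, so Apache answers that port in plaintext. The following Python is an added example, not code from this thread, from certbot or from Apache; the error-log lines and the httpd.conf fragment are constructed samples using example.com names and documentation IP addresses.

```python
"""Offline checks for the 'Apache answers port 443 in plain HTTP' problem.

1. Spot TLS ClientHello bytes that a plaintext listener logged as a bogus
   HTTP method ("Invalid method in request \\x16\\x03\\x01").
2. Flag <VirtualHost *:443> blocks that never turn "SSLEngine on", which
   is the usual configuration cause.
"""
import re
import string
from typing import Dict, List, Optional

# Constructed sample error-log lines (Apache 2.2 format, documentation IPs).
SAMPLE_ERROR_LOG = r"""
[Fri Nov 25 04:05:35 2016] [error] [client 203.0.113.10] Invalid method in request \x16\x03\x01
[Fri Nov 25 04:05:36 2016] [error] [client 203.0.113.10] File does not exist: /var/www/html/favicon.ico
[Fri Nov 25 04:05:37 2016] [error] [client 203.0.113.11] Invalid method in request \x16\x03\x03
"""

# Constructed httpd.conf fragment: the first *:443 vhost has no SSLEngine,
# so it is the default vhost for that port and serves plain HTTP there.
SAMPLE_HTTPD_CONF = """
Listen 80
Listen 443
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/www
</VirtualHost>

<VirtualHost *:443>
    ServerName developer.example.com
    DocumentRoot /var/www/developer
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/www
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
"""

TLS_HANDSHAKE = 0x16  # TLS record-layer content type for Handshake
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

_LOG_RE = re.compile(r"\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
                     r"Invalid method in request (?P<method>\S+)")
_VHOST_RE = re.compile(r"<VirtualHost\s+(?P<addr>[^>]+)>(?P<body>.*?)</VirtualHost>",
                       re.IGNORECASE | re.DOTALL)
_SSLENGINE_RE = re.compile(r"^\s*SSLEngine\s+on\b", re.IGNORECASE | re.MULTILINE)
_SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def decode_apache_escapes(text: str) -> bytes:
    """Turn Apache's \\xHH escapes for non-printable bytes back into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if (text.startswith("\\x", i) and i + 4 <= len(text)
                and all(c in string.hexdigits for c in text[i + 2:i + 4])):
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(text[i]) & 0xFF)
            i += 1
    return bytes(out)


def classify_request_start(first_bytes: bytes) -> Optional[str]:
    """Label the TLS version if the bytes open a TLS handshake record
    (0x16, then major version 3 and a minor version); otherwise None."""
    if len(first_bytes) >= 3 and first_bytes[0] == TLS_HANDSHAKE and first_bytes[1] == 3:
        return TLS_VERSIONS.get((3, first_bytes[2]), f"TLS record v3.{first_bytes[2]}")
    return None


def find_tls_hitting_plaintext(log_text: str) -> List[Dict[str, str]]:
    """One record per 'Invalid method' line whose method bytes are a TLS hello."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if not m:
            continue
        label = classify_request_start(decode_apache_escapes(m.group("method")))
        if label:
            hits.append({"timestamp": m.group("ts"), "client": m.group("client"),
                         "tls_version": label})
    return hits


def audit_vhosts(config_text: str) -> List[Dict[str, object]]:
    """One entry per <VirtualHost>; plaintext_on_443 is True when the block is
    bound to port 443 but never enables SSLEngine."""
    results = []
    for m in _VHOST_RE.finditer(config_text):
        addr, body = m.group("addr").strip(), m.group("body")
        on_443 = any(a.rsplit(":", 1)[-1] == "443" for a in addr.split())
        ssl_on = bool(_SSLENGINE_RE.search(body))
        name = _SERVERNAME_RE.search(body)
        results.append({"addr": addr, "server_name": name.group(1) if name else None,
                        "ssl_engine": ssl_on, "plaintext_on_443": on_443 and not ssl_on})
    return results


if __name__ == "__main__":
    for h in find_tls_hitting_plaintext(SAMPLE_ERROR_LOG):
        print(f"{h['timestamp']}: {h['client']} sent a {h['tls_version']} ClientHello "
              "to a listener that expected plain HTTP")
    for v in audit_vhosts(SAMPLE_HTTPD_CONF):
        if v["plaintext_on_443"]:
            print(f"<VirtualHost {v['addr']}> for {v['server_name']} has no 'SSLEngine on'")
```

Run against a real box by feeding `/var/log/httpd/error_log` to `find_tls_hitting_plaintext` and the concatenated output of `grep -rl 443 /etc/httpd` files to `audit_vhosts`. Note the ordering detail the sample reproduces: with name-based virtual hosts, the first `<VirtualHost>` bound to `*:443` is the default for that port, so one plaintext block there is enough for the TLS-SNI-01 validator (and your browser) to be answered in HTTP.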

#14

I will share my httpd.conf file and also the virtual host file.
But my question is: certbot configures it automatically when I execute the script, right?


#15

That would be the idea, yes, but if your apache configuration was set to serve HTTP on port 443 prior to you using certbot, it would have a hard time fixing that or even getting a certificate. It’s not really capable of automatically fixing any configuration issues in addition to configuring HTTPS.


#16

Let me know which configuration files you want to check.


#17

I would need to see anything mentioning port 443 in your config directory, i.e. any file you get with grep -r 443 /etc/httpd.

Tip: You can wrap your configuration files between three backticks to preserve the format, i.e. like this:
```
configuration here
```


#18

```
[root@ip-172-31-19-172 conf.d]# grep -r 443 /etc/httpd
/etc/httpd/conf/httpd.conf:Listen 443
/etc/httpd/conf/httpd.conf:NameVirtualHost *:443
/etc/httpd/conf.d/developer.ssl.conf:<VirtualHost *:443>
/etc/httpd/conf.d/www-bezirk-com-le-ssl.conf:<VirtualHost *:443>
```


#19

I’m having a difficult time reading that without any tags and such. Can you wrap it between three backticks (```)?


#20

I will give link for conf files please wait