Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge

Hi,

Not able to set up an SSL certificate for…

Domain: www.hotellistat.de

Command: certbot --apache -d www.hotellistat.de

Output: Failed authorization procedure. www.hotellistat.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.hotellistat.de
    Type: connection
    Detail: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Operating System: Debian 8

Web Server: Apache 2.4

hosting-provider: hetzner.de (dedicated server)

I already checked ports.conf, and the virtual host setup also looks good.

curl -I http://www.hotellistat.de:443

returns:

HTTP/1.1 200 OK
Date: Mon, 21 Nov 2016 07:09:47 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=5s2b3mp2m58tec90jdedbfddo1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

I don't know what's going wrong; any help would be appreciated.

Tobey

I think that's a big clue: you are providing HTTP on port 443, not HTTPS.

If your server is responding on port 443, it needs to be HTTPS. The easiest may be to add a self-signed cert to your configuration as an interim measure, so that HTTPS works; then you can pass the challenges and obtain a cert.
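A small check of the symptom discussed above (a plain-HTTP vhost answering on 443, which makes the TLS-SNI-01 validator fail its handshake), as an added example that is not part of this thread and not certbot's own code. It builds a real ClientHello carrying the SNI name, sends it to port 443 and classifies the first bytes that come back; the host name is passed on the command line.

```python
"""Added diagnostic: does port 443 answer a TLS ClientHello with TLS, or
with plain HTTP? Example code, not from the original post or from certbot."""
import socket
import ssl
import sys

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15  # TLS record content types


def client_hello(server_name: str) -> bytes:
    """Build a real ClientHello carrying `server_name` as SNI, without a
    network socket, by driving the handshake against in-memory BIOs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only ask whether TLS is spoken at all
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()  # writes the ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass  # expected: the handshake now waits for a ServerHello
    return outgoing.read()


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sent back after our ClientHello."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls"  # ServerHello record: port 443 speaks TLS
    if len(data) >= 3 and data[0] == TLS_ALERT and data[1] == 0x03:
        return "tls-alert"  # TLS is spoken, but the handshake was refused
    if data.startswith(b"HTTP/"):
        return "plain-http"  # an HTTP-only vhost is bound to port 443
    return "no-reply" if not data else "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port over raw TCP and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            reply = sock.recv(5)  # one TLS record header, or "HTTP/"
        except (socket.timeout, ConnectionError):
            reply = b""
    return classify_reply(reply)


if __name__ == "__main__":
    # usage: python probe443.py www.example.test  (host name is an argument)
    print(sys.argv[1], "->", probe(sys.argv[1]))
```

A result of "plain-http" is exactly the state this thread describes: Apache answers the validator's TLS handshake with an HTTP status line, so the challenge cannot complete.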

Well, I do not understand exactly why it is necessary to install a self-signed certificate in advance… there is nothing stated in the docs about it. I have a clean Apache running with the standard config, and have never added/changed something for SSL/HTTPS before, so why should I differ from the standard installation?!

The curl request was only one example I read in some similar posts. My server is running on 80…

The only thing concerning 443 I can find is the following lines inside ports.conf:

<IfModule ssl_module>
	Listen 443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
</IfModule>

When I add a second VirtualHost config for 443 in addition to port 80, the certification attempt exits with "We are unable to find a vhost with a ServerName or Address of www.hotellistat.de" and I am asked to choose from some other conf files, but the desired .conf is not there. Because of this, I assumed I do not have to change something in my virtual hosts config.

Do you have a control panel? Or are you just adding/editing the virtual hosts config by hand?

By hand… I just used the default one, copied it for the hotellistat webroot, added the params and enabled it.
It looks like:

<VirtualHost 144.76.17.99:80>
	ServerName hotellistat.de
	ServerAlias www.hotellistat.de
	DocumentRoot /var/www/hotellistat.de/html

	<Directory /var/www/hotellistat.de/html>
		Options -Indexes +FollowSymLinks +MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	SetEnv APPLICATION_ENV production

	ErrorLog ${APACHE_LOG_DIR}/hotellistat.de-error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/hotellistat.de-access.log combined
</VirtualHost>

By hand is fine :)

You can either turn off port 443 for now (comment out the lines),

or you can generate and add an SSL cert. I'd probably start with the first.

Once you have obtained the cert, then use
https://mozilla.github.io/server-side-tls/ssl-config-generator/
to set a reasonable config for your HTTPS.

I commented out the lines in ports.conf and restarted apache.

The file now looks like:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 144.76.17.99:80

#<IfModule ssl_module>
#	Listen 443
#</IfModule>

#<IfModule mod_gnutls.c>
#	Listen 443
#</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The error still remains.

Are there some sort of commands which I can check?

Can you run

certbot --apache -d www.hotellistat.de -vvv

which should provide a verbose log. It's probably easiest to upload that to pastebin.com if the log doesn't itself provide the answer.

Hi Andy,

I tried to understand the output with no success.
I uploaded it at: http://pastebin.com/Lfi8cap4
