Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge


#1

Hi,

not able to to set up a ssl certificate for…

Domain: www.hotellistat.de

Command: certbot --apache -d www.hotellistat.de

Output: Failed authorization procedure. www.hotellistat.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.hotellistat.de
    Type: connection
    Detail: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Operating System: Debian 8

Web Server: Apache 2.4

hosting-provider: hetzner.de (dedicated server)

I already checked ports.conf and virtual hosts-setup also looks good.

curl -I http://www.hotellistat.de:443

returns:

HTTP/1.1 200 OK
Date: Mon, 21 Nov 2016 07:09:47 GMT
Server: Apache/2.4.10 (Debian)
Set-Cookie: PHPSESSID=5s2b3mp2m58tec90jdedbfddo1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

i don’t know whats going wrong, any help would be appreciated,

Tobey


Trouble setting up Apache2 with CertBot
#2

I think that’s a big clue - you are providing http on port 443 not https

If your server is responding on port 443 it needs to be https. The easiest may be to add a self signed cert to your configuration as an interim measure - so that https works, then you can pass the challenges and obtain a cert.


#3

Well, i do not understand exactly why it is necessary to install a self-signed certificate in advance… there is nothing stated in the docs about it. I have a clean apache running with standard config, never added/changed sth for ssl/https before, so why should i differ from standard installation?!

The curl request was only one example i read in some similar posts. My server is running on 80…

the only thing concerning 443 i can find are the following lines inside ports.conf

<IfModule ssl_module>
	Listen 443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
</IfModule>

When i add a second VirtualHost Config for 443 additional to port 80, then certification attempt exits with “We are unable to find a vhost with a ServerName or Address of www.hotellistat.de” and i am asked to choose from some other conf-files, but the desired .conf is not there. As for this, i assumed, i do not have to change sth in my virtual hosts config.


#4

Do you have a control panel ? or are you just adding / editing the virtual hosts config by hand ?


#5

By hand… i just used the default one, copied it for hotellistat webroot, added the params and enabled it.
It looks like:

<VirtualHost 144.76.17.99:80>
	ServerName hotellistat.de
	ServerAlias www.hotellistat.de
	DocumentRoot /var/www/hotellistat.de/html

	<Directory /var/www/hotellistat.de/html>
		Options -Indexes +FollowSymLinks +MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

	SetEnv APPLICATION_ENV production

	ErrorLog ${APACHE_LOG_DIR}/hotellistat.de-error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/hotellistat.de-access.log combined
</VirtualHost>

#6

by hand is fine :slight_smile:

You can either turn off the port 443 for now ( comment out the lines )

or you can generate and add an ssl cert. I’d probably start with the first.

Once you have obtained the cert then use
https://mozilla.github.io/server-side-tls/ssl-config-generator/
for setting a reasonable config for your https.


#7

I commented out the lines in ports.conf and restarted apache.

The file looks now like:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 144.76.17.99:80

#<IfModule ssl_module>
#	Listen 443
#</IfModule>

#<IfModule mod_gnutls.c>
#	Listen 443
#</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

The error is still remaining.

Are there some sorts of commands which i can check?


#8

Can you run

certbot --apache -d www.hotellistat.de -vvv

which should provide a verbose log, it’s probably easiest to upload that to pastebin.com if the log doesn’t itself provide the answer


#9

Hi Andy,

i tried to understand the output with no success.
I uploaded it at: http://pastebin.com/Lfi8cap4


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.