Failed to connect with certbot --apache


#1

Hello,

During my initial server setup I configured a DNS record for the subdomain www-test for server unit testing. When I ran letsencrypt on that apache configuration everything worked smoothly. The certs were created, config updated and the system was reachable at https://www-test.

I removed that www-test config from apache, enabled the production apache configuration and restarted apache.

I archived the contents of my /etc/letsencrypt directory and then emptied that folder to ensure everything would be clean for the production configuration.

Now I am trying to create a new certificate for for my production subdomain www. The apache configuration is running and I can reach the site by name as well as by IP.

However, when I attempt to run certbot --apache it is reporting an issue.

Failed authorization procedure. www.<redacted>.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge, www.<redacted>.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.<redacted>.org
   Type:   connection
   Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
   challenge

   Domain: www.<redacted>.net
   Type:   connection
   Detail: Failed to connect to x.x.x.x:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I’ve attempted to run a curl to verify access.
x@fast:~/work$ curl -v x.x.x.x:443
* About to connect() to x.x.x.x port 443 (#0)
* Trying x.x.x.x…
* connected
* Connected to x.x.x.x (x.x.x.x) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: x.x.x.x:443
> Accept: /
>
* additional stuff not fine transfer.c:1037: 0 0
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 302 Found
< Date: Sat, 02 Jul 2016 17:15:18 GMT
< Server: Apache/2.4.10 (Debian)
< Location: http://www..net/
< Content-Length: 1
< Content-Type: text/html; charset=UTF-8
<

* Connection #0 to host x.x.x.x left intact
* Closing connection #0

I am sure I’m overlooking something obvious but if anyone could provide any clues I would be extremely grateful.

Thanks,


I have to re-raise this one - Failed to connect to xxx for TLS-SNI-01
#2

I’m still confused why it wasn’t working so if anyone has any thoughts I’d welcome them. In the meantime I went through the manual process of creating a cert and installing it.

In case anyone else has similar issues these are the steps I took so it might help you.

  1. stop apache
  2. certbot certonly --standalone --standalone-supported-challenges http-01 -d redacted.net -d redacted.org -d www.redacted.net -d www.redacted.org
  3. edit apache config files to reference the SSLCertifcateFile and SSLCertificateKeyFile
  4. add a rewrite rule to forward all non-https traffic to http
  5. restart apache

Then I went into /etc/letsencrypt/renewal and edited the conf file and set the values to the following:

authenticator = apache
installer = apache

Deleted standalone_supported_challanges

Once this was all done the website traffic was all working properfly and certbot renew --dry-run completed without error.


#3

I am not sure, but I suspect the renewal dry-run succeeded only because there was nothing (yet) to renew. So you might not be out of the woods, sorry.

The failures you had in Apache mode were for TLS-SNI valdation, and I see you succeeded (in standalone) with HTTP-01 rather than TLS-SNI. Is that because you tried TLS-SNI and it didn’t work from standalone either?

Somebody more familiar with certbot might want to chime in here, I feel like if TLS-SNI validation isn’t working for you, but HTTP-01 is, you might need to tweak your renewal config more to ensure that TLS-SNI isn’t attempted at renewal. But I might be wrong.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.