FailedChallenges: Failed authorization procedure. (tls-sni-01) Timeout


I am using Certbot-auto option to enable SSL for my sites, however getting error. Please find the below details for the same. Request you to help me on the same:
My domain is:
I ran this command: sudo ./certbot-auto --apache certonly -d -d

It produced this output:

  • The following errors were reported by the server:

    Type: connection
    Detail: Timeout

    Type: connection
    Detail: Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Server version: Apache/2.2.22 (Ubuntu)

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise

I can login to a root shell on my machine (yes or no, or I don’t know): Yes
$dig +trace @ (Giving the correct output)
Need help to resolve the issue.

A connection to port 443 shows a couple of things that may be part of the problem:

  1. SNI seems to fail, as the cert returned is the same with or without SNI.
    This may indicate that the vhost config for is not bound to port 443.
  2. [RE-EDIT] The server has no cipher preference order and allows for cipher DHE ciphers. But DHE is configured with a DH temp key of only 1024 bits; and LE may be trying to connect with a DHE cipher but is unable/unwilling to connect with such a small key.
    See: SSLLabs test results
    DHE is tricky to implement properly and there is no way to negotiate the DH temp key size.
    If ECDHE is supported, it should be preferred via:
    ProtocolsHonorOrder On

openssl s_client -connect -servername
depth=0 C = US, ST = Texas, L = Carrolton, O = Thomson Reuters (Tax and Accounting) Inc, CN =
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, L = Carrolton, O = Thomson Reuters (Tax and Accounting) Inc, CN =
verify error:num=21:unable to verify the first certificate
verify return:1
Server did acknowledge servername extension.

Certificate chain
0 s:/C=US/ST=Texas/L=Carrolton/O=Thomson Reuters (Tax and Accounting) Inc/
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

Server certificate

subject=/C=US/ST=Texas/L=Carrolton/O=Thomson Reuters (Tax and Accounting) Inc/
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits

SSL handshake has read 3817 bytes and written 389 bytes
Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384

Thanks @rg305 for your prompt response on the same. Able to resolve the problem when we open the port 443 to world. Thank you very much for help.

Did you run the same command and it worked?
I don't see anything as having changed... Port 443 still shows the wrong cert for "".

Yes, ran the same command and its provided the certs file in .pem format. Please suggest if I have to run different command, to avoid the error. Also is it possible to avoid the scanning of Apache vhost configuration, I mean to say after providing -d option still its asking for option to choose from the list.

wbcsdev-sc@or-dev-01:/etc/certbot$ sudo ./certbot-auto --apache certonly -d -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for
tls-sni-01 challenge for

We were unable to find a vhost with a ServerName or Address of
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)

1: ssl | | HTTPS | Enabled
2: ssl | | HTTPS | Enabled
3: ssl | | HTTPS | Enabled
4: virtualhosts.conf | | | Enabled
5: virtualhosts.conf | | | Enabled
6: virtualhosts.conf | | | Enabled
7: virtualhosts.conf | | | Enabled

Any option is there to avoid the same.

You might want to remove the “certonly” as that will not update the vhost config file.
But as it doesn’t yet know which vhost config file has the “” servername/alias, it may still need to learn that (at least once).

sudo ./certbot-auto certificates
see if you actually have any certificates.
If you do, then try:
sudo ./certbot-auto
(this will try to renew all known certs)

Yes it is showing the certificate as mentioned below. We would like to modify the apache configuration manually as we will not be able to restart the apache until we get the confirmation on restart. We are looking at certificate download then we modify the apache configuration manually then restart apache on confirmation. Please suggest. Please find the output of sudo ./certbot-auto certificates:

Certificate Name:
Expiry Date: 2018-01-16 16:23:05+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Expiry Date: 2018-01-16 17:28:56+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Expiry Date: 2018-01-16 16:31:08+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/

OK, so you have the certs you need.
Now the question becomes
Can certbot-auto run with certonly?
So that certbot doesn’t make any changes in the vhost configs.

Yes @rg305 you are understanding is correct.

Maybe @schoen can clarify the answer to such a question.

Thank you for your quick help. I have created a separate topic for the same.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.