Hello,
sudo certbot --apache
...
The following errors were reported by the server:
Domain: notifications.edenred.be
Type: connection
Detail: Failed to connect to 91.134.165.49:443 for TLS-SNI-01
challenge
OS : debian 8.5 / apache 2.4
hoster : ovh
certbot tries to reach my domain on port 443 while it did not install the certificate on my front end yet
this does not make any sense!!
details:
I have setup a load balancer for 3 web front ends on a pfsense firewall (port 80)
I have duplicated the same setup for port 443 (load balancer + firewall rules)
I already did this for another machine without firewall and it works fine
please help, I cannot find any tips for doing this behind a fwall/LB
thanks
try adding "--preferred-challenges http01" onto your command, to instruct certbot to try using port 80 (http) rather than https (443).
You will need to either ensure that all the requests for anything in .well-known/acme-challenge are forwarded to one specific system, or you will need to ensure the token is copied to all three servers.
Alternatively, you may be better using the DNS-01 challenge in a load balanced scenario.
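One way to do the second option above (the same token on all three web front ends) is a certbot manual auth hook, run as "certbot certonly --manual --preferred-challenges http --manual-auth-hook /path/to/hook.sh -d example.com". This is an added example, not code from anyone in this thread; the backend hostnames, the webroot path and ssh/scp access between the boxes are assumptions.

```shell
#!/bin/sh
# Added example: certbot --manual auth hook that publishes the HTTP-01 token on
# every front end behind the load balancer. certbot exports CERTBOT_TOKEN and
# CERTBOT_VALIDATION to the hook. Hostnames and webroot below are assumptions.
BACKENDS="${BACKENDS:-web1 web2 web3}"
WEBROOT="${WEBROOT:-/var/www/html}"

# Accept only a plain base64url token, so the hook can never write a file
# outside the acme-challenge directory (e.g. a token containing "../").
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Write the validation string for TOKEN under DIR/.well-known/acme-challenge/.
# Returns non-zero, and writes nothing, for a malformed token.
write_challenge() {
    dir="$1"; token="$2"; validation="$3"
    valid_token "$token" || return 1
    mkdir -p "$dir/.well-known/acme-challenge"
    printf '%s' "$validation" > "$dir/.well-known/acme-challenge/$token"
    chmod 0644 "$dir/.well-known/acme-challenge/$token"
}

# Write the file locally, then copy the same file to each other backend so the
# load balancer can send the validation request to any of them.
publish_challenge() {
    write_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" || exit 1
    for host in $BACKENDS; do
        scp -q "$WEBROOT/.well-known/acme-challenge/$CERTBOT_TOKEN" \
            "$host:$WEBROOT/.well-known/acme-challenge/" || exit 1
    done
}

# Only publish when invoked by certbot (CERTBOT_TOKEN is set by certbot).
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    publish_challenge
fi
```

A matching --manual-cleanup-hook that deletes the token file on each backend after validation keeps the challenge directory from accumulating old tokens.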
sudo certbot --apache --preferred-challenges http01
An unexpected error occurred:
ArgumentTypeError: Unrecognized challenges: http01
Please see the logfile 'certbot.log' for more details.
eradmin@naboo:~$ sudo certbot --apache --preferred-challenges http01
sorry - there should be a hyphen between http and 01 ( http-01 )
None of the preferred challenges are supported by the selected plugin
I see from the logs, it tries with a temporary certificate
if I could at least pause it to check if my fwall rules are ok
using the tls challenge, it does create a temporary certificate, yes.
yes but it goes too fast for me to check the fwall settings
For checking the firewall settings, you could just create a self signed cert, and temporarily add that.
guess I have no other choice
after setting up a cert I found I had to add another rule to my firewall, does not make sense but it works
but when I rerun certbot, I get
Domain: notifications.edenred.be
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
a37e1e9e5aeb019fa0efc81f71e7bbf8.796906e6f1b2b00dbb0f99ab9c1a4206.acme.invalid
from 91.134.165.49:443. Received certificate containing ''
[edit : the added rule points to the fwall itself, so it does not work, f@#king pfsense]
ok, for some reason my vhost tag had the domain name in it instead of *.80
once that changed, the firewall started to see the SSL on the box
I certboted all 3 boxes (enable one at a time in the loadbalancer of course)
so far so good
thanks for the help
system
Closed
March 3, 2017, 7:56am
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.