fwal/LoadBalancer - Failed to connect to ...:443 for TLS-SNI-01 challenge


#1

Hello,

sudo certbot --apache

The following errors were reported by the server:

Domain: notifications.edenred.be
Type: connection
Detail: Failed to connect to 91.134.165.49:443 for TLS-SNI-01
challenge

OS : debian 8.5 / apache 2.4
hoster : ovh

certbot tries to reach my domain on port 443 while it did not install the certificate on my front end yet
this does not make any sens !!

details :

I have setup a load balancer for 3 web front ends on a pfsense firewall (port 80)

I have duplicated the same setup for port 443 (load balancer + firewall rules)

I already did this for another machine without firewall and it works fine

please help, I cannot find any tips for doing this behind a fwall/LB

thanks


#2

try adding “–preferred-challenges http01” onto your command, to instruct certbot to try using port 80 (http) rather than https (443).

You will need to either ensure that all the requests for anything in .well-known/acme-challenge are forwarded to one specific system, or you will need to ensure the token is copied to all three servers.

Alternatively, you may be better using the DNS-01 challenge in a load balanced scenario.


#3

sudo certbot --apache --preferred-challenges http01
An unexpected error occurred:
ArgumentTypeError: Unrecognized challenges: http01
Please see the logfile ‘certbot.log’ for more details.
eradmin@naboo:~$ sudo certbot --apache --preferred-challenges http01


#4

sorry - there should be a hyphen between http and 01 ( http-01 )


#5

None of the preferred challenges are supported by the selected plugin


#6

I see from the logs, it tries with a temporary certificate
if I could at least pause it to check if my fwall rules are ok


#7

using the tls challenge, it does create a temporary certificate, yes.


#8

yes but it goes too fast for me to check the fwall settings


#9

For checking the firewall settings, you could just create a self signed cert, and temporarily add that.


#10

guess I have no other coice :slight_smile:


#11

after setting up a cert I found I had to add another rule to my firewall, does not make sens but it works

but when I rerun certbot, I get

Domain: notifications.edenred.be
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
a37e1e9e5aeb019fa0efc81f71e7bbf8.796906e6f1b2b00dbb0f99ab9c1a4206.acme.invalid
from 91.134.165.49:443. Received certificate containing ‘’

[edit : the added rule points to the fwall itself, so it does not work, f@#king pfsense]


#12

ok, for some reason my vhost tag had the domain name in it instead of *.80

once that changed , the firewall started to see the SSL on the box

I certboted all 3 boxes (enable one at a time in the loadbalancer of course)

so far so good

thanks for the help :wink:


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.