fwal/LoadBalancer - Failed to connect to ...:443 for TLS-SNI-01 challenge

Hello,

sudo certbot --apache
...
The following errors were reported by the server:

Domain: notifications.edenred.be
Type: connection
Detail: Failed to connect to 91.134.165.49:443 for TLS-SNI-01
challenge

OS : debian 8.5 / apache 2.4
hoster : ovh

certbot tries to reach my domain on port 443 while it did not install the certificate on my front end yet
this does not make any sense!!

details :

I have set up a load balancer for 3 web front ends on a pfsense firewall (port 80)

I have duplicated the same setup for port 443 (load balancer + firewall rules)

I already did this for another machine without firewall and it works fine

please help, I cannot find any tips for doing this behind a fwall/LB

thanks

try adding "--preferred-challenges http01" onto your command, to instruct certbot to try using port 80 (http) rather than https (443).

You will need to either ensure that all the requests for anything in .well-known/acme-challenge are forwarded to one specific system, or you will need to ensure the token is copied to all three servers.

Alternatively, you may be better using the DNS-01 challenge in a load balanced scenario.

sudo certbot --apache --preferred-challenges http01
An unexpected error occurred:
ArgumentTypeError: Unrecognized challenges: http01
Please see the logfile 'certbot.log' for more details.
eradmin@naboo:~$ sudo certbot --apache --preferred-challenges http01

sorry - there should be a hyphen between http and 01 ( http-01 )

None of the preferred challenges are supported by the selected plugin

I see from the logs, it tries with a temporary certificate
if I could at least pause it to check if my fwall rules are ok

using the tls challenge, it does create a temporary certificate, yes.

yes but it goes too fast for me to check the fwall settings

For checking the firewall settings, you could just create a self signed cert, and temporarily add that.

guess I have no other choice :slight_smile:

after setting up a cert I found I had to add another rule to my firewall, does not make sense but it works

but when I rerun certbot, I get

Domain: notifications.edenred.be
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
a37e1e9e5aeb019fa0efc81f71e7bbf8.796906e6f1b2b00dbb0f99ab9c1a4206.acme.invalid
from 91.134.165.49:443. Received certificate containing ''

[edit : the added rule points to the fwall itself, so it does not work, f@#king pfsense]
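The suggestion above to test the firewall and load balancer with a throwaway self-signed certificate, and the later "Received certificate containing ''" error, both come down to one question: which certificate does the front end actually hand back for a given SNI name? The following script is an added example and not part of the thread or of certbot; it uses the openssl command line to create a one-day self-signed certificate (a stand-in for the temporary certificate certbot installs during TLS-SNI-01) and then to probe a host with a chosen SNI name and print the subject of whatever certificate comes back. The directory and host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a throwaway self-signed
# certificate, then probe which certificate a host presents for a given
# SNI name. Paths and host names below are placeholders for illustration.

# make_test_cert DIR NAME: write key.pem and cert.pem for NAME into DIR.
# The certificate is valid for one day and is only meant for testing that
# port 443 reaches the intended backend through the firewall/load balancer.
make_test_cert() {
    dir="$1"; name="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# cert_subject FILE: print the subject line of a PEM certificate.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# probe_sni HOST PORT SNI: open a TLS connection to HOST:PORT, send SNI as
# the server name, and print the subject of the certificate returned.
# An empty result means no usable certificate came back, which is the
# symptom behind "Received certificate containing ''" in the thread:
# the connection on 443 landed somewhere that did not serve the
# expected certificate (e.g. the firewall itself rather than the backend).
probe_sni() {
    host="$1"; port="$2"; sni="$3"
    subject=$(printf '' | openssl s_client -connect "$host:$port" \
        -servername "$sni" 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null)
    printf '%s\n' "${subject:-<no certificate received>}"
}

# Usage (replace the values with your own):
#   make_test_cert /tmp/acme-probe notifications.edenred.be
#   cert_subject /tmp/acme-probe/cert.pem
#   probe_sni 91.134.165.49 443 notifications.edenred.be
```

Install the generated pair in the vhost on one backend, enable only that backend in the load balancer, and run probe_sni from outside the firewall: if the printed subject is the test name, the 443 path is correct and certbot's TLS-SNI-01 attempt will reach the right box; if it is empty or shows another host's certificate, the firewall or load balancer rule is the problem, not certbot.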

ok, for some reason my vhost tag had the domain name in it instead of *.80

once that changed , the firewall started to see the SSL on the box

I certboted all 3 boxes (enable one at a time in the loadbalancer of course)

so far so good

thanks for the help :wink:

