Getting Started problems (on Apache on CentOS 6.7)


#1

After hearing more good things about this project on the “Security Now” podcast I finally decided to give it a shot. The host I have happens to be CentOS 6.7. I am giving feedback 'cos that is how projects improve, and so you can see through the eyes of newbie users:

Hoping to “stand on the shoulders of giants” I tried just poking / prodding at the command line, but quickly ended up at the website 'cos I had no idea where to start. I still struggle to know how to find a clear understanding of the various command-line options (I just could not look up “standalone”, nor do I now know what that means versus webroot or manual.)

The problems I ran into were:

  1. Did not appear to support CentOS 6.7’s Python 2.6 (but then, after warning, it seemed to run.)
  2. Could not get from yum, but got from github. Still not sure what the “-auto” means (but I assume for dummies, like me.)
  3. When I ran with “apache” it gave me a whole message blurb with undefined terms, which I assume meant it could not read the apache configuration to determine a list of hosts. (This HTTPD doesn’t have a sites subdirectory.) Ok, understood … passing -d www.neukadye.com (didn’t immediately think to pass -d neukadye.com as well, eventually did.) BTW: Error messages might be simpler if they suggested “maybe the Apache format is not supported, or something”.
  4. Wouldn’t accept my email address (despite trying the one I signed up here with, and my Gmail.) Not quite sure how I got past that, but it finally seemed to work.
  5. After Googling I finally tried the standalone approach per community reference, which seemed to make sense if my HTTPD configuration was old style / not supported.
  6. Complained it could not listen on 80, ok … makes sense, I’d missed that, stopped HTTPD.
  7. Finally got stuck here:

Failed authorization procedure. neukadye.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge, www.neukadye.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: neukadye . com
Type: connection
Detail: Failed to connect to host for DVSNI challenge

Domain: www . neukadye . com
Type: connection
Detail: Failed to connect to host for DVSNI challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

I’ve installed DNS tools and confirmed the nslookup of the domain works to its IP, and I’ve futzed with the firewall settings to allow 443 (if that helps, except I believe this step is using 80.)

Any pointers on what to try next would be appreciated. (Note: I looked at the letsencrypt.log file but for some reason it only includes a time when I attempt a --dry-run and it said that option was not available for my command.)

Clearly it appears like I have an inbound problem, from server back to this client, but I cannot think how and / or what I could try. Thanks in advance for any assistance.

Addendum:
Ok. … I’ve tried to share my command line history, and reference the sites I read to get here, but your system is treating me as a spammer and disallowing links or attachments. I give in. :frowning:


#2

BTW: The spacing on www . domainname . com was to try to be allowed to submit the posting, despite the two link limit. There were no spaces in the original attempts.


#3

Reading other threads I’ve tried with -t and -vvvv:

$ ./letsencrypt-auto certonly --standalone --email ____ @ neukadye.com -d neukadye.com -d www.neukadye.com -t -vvvv

Some seemingly salient messages:

Some good:

2016-04-28 10:40:23,185:DEBUG:acme.client:Received response <Response [200]>

Some not good:

2016-04-28 10:40:23,187:DEBUG:acme.challenges:dns-01 was not recognized, full message:


#4

Ignore the message about the dns-01 challenge, that’s just because the official client doesn’t use that yet. The tls-sni-01 challenge does use port 443.

Looking at your server it appears that you haven’t got the firewall right, as it’s still blocking port 443 (port 80 is allowed, but the server isn’t running).


#5

Thanks for the reply.

I’ve got this setting in iptables:

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

but I don’t grok iptables config :-/
… think I should do more research on that?

What tool should I use to test 443 remotely? Simply a browser?


#6

That rule looks right; did you put it in the config file without reloading it?

For testing, nmap would be the best tool to use; otherwise telnet.

nmap -p 80,443 neukadye.com

EDIT: Just checked it again and it looks like the firewall is now allowing port 443.


#7

I went old school. :slight_smile: I found the iptables config file I’d saved before tinkering, I restored to that, restarted iptables service, checked I wasn’t locked out :-), then did exactly what it says NOT to do :slight_smile: … I copied/pasted the 80 line to be a 443 line (with the extra “state parts” the 80 line had) and after service restart it now allows 443. (As you observed.)

The letsencrypt script then worked and generated me a certificate.

Thank you for the pointer! Much appreciated.
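The two things that bit the original poster here are that a rule added to /etc/sysconfig/iptables does nothing until the service is reloaded, and that iptables evaluates INPUT rules top to bottom, so an ACCEPT line pasted below the catch-all REJECT (the usual last line of the CentOS 6 default ruleset) never fires. The following script is an added example, not part of this thread or of the Let's Encrypt client: it reads a ruleset in iptables-save format and reports whether a NEW inbound TCP connection to a given port would be accepted, rejected, or fall through to the chain policy. The two rulesets are constructed to resemble the CentOS 6 default file, and the function names (`port_verdict`, `check_host`) are my own. It goes slightly beyond the thread by also catching the misordered-rule case; it only understands `--dport` with a single port, not `--dports` lists. (The tls-sni-01 challenge in this thread has since been retired by Let's Encrypt; the same firewall check applies to port 80 for http-01.)

```shell
#!/bin/sh
# Added example (not from the thread): decide what an iptables INPUT chain does
# with a NEW inbound TCP connection to a given port, reading rules in the
# iptables-save format that CentOS 6 keeps in /etc/sysconfig/iptables.
# iptables stops at the first terminating match, so an ACCEPT appended below
# the catch-all REJECT is dead.
#
# Usage: port_verdict <port> < rules.txt   -> prints accept | reject | default

port_verdict() {
  awk -v port="$1" '
    BEGIN { verdict = "default" }        # nothing matched: chain policy applies
    /^-A INPUT / {
      target = ""
      for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
      # loopback-only and ESTABLISHED/RELATED-only rules (state or ctstate
      # without NEW) never admit a fresh connection from outside
      if ($0 ~ / -i lo / || ($0 ~ /state / && $0 !~ /NEW/)) next
      if (match($0, /--dport [0-9]+/)) {
        split(substr($0, RSTART, RLENGTH), f, " ")
        if (f[2] != port || $0 !~ / -p tcp /) next   # another port or protocol
        verdict = (target == "ACCEPT") ? "accept" : "reject"
        exit
      }
      if ($0 ~ / -p /) next                          # protocol-only rule, e.g. icmp
      if (target == "REJECT" || target == "DROP") { verdict = "reject"; exit }
    }
    END { print verdict }
  '
}

# Constructed rulesets modelled on the CentOS 6 default /etc/sysconfig/iptables.
# MISPLACED_RULES: the 443 line was appended after the catch-all REJECT.
# FIXED_RULES: the 443 line sits with the other service rules, copied from the
# port 80 line including its state match, as in post #7.
MISPLACED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

FIXED_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

verdict_misplaced() { printf '%s\n' "$MISPLACED_RULES" | port_verdict 443; }   # reject
verdict_fixed()     { printf '%s\n' "$FIXED_RULES"     | port_verdict 443; }   # accept

# On the real host (as root), compare the saved file with the live kernel
# ruleset: a verdict that differs between the two means the file was edited
# but the iptables service was never reloaded.
check_host() {
  printf 'saved: %s\n' "$(port_verdict "$1" < /etc/sysconfig/iptables)"
  printf 'live:  %s\n' "$(iptables-save | port_verdict "$1")"
}

verdict_misplaced
verdict_fixed
```

Run `check_host 443` on the server itself; if the saved file says "accept" and the live ruleset says "reject", a `service iptables restart` (as post #7 did) is the missing step. Once both say "accept", the `nmap -p 80,443 neukadye.com` check from post #6 run from another machine confirms the port is reachable from the outside.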
