Getting "The server could not connect to the client to verify the domain" when trying to renew the certificate

I have created a certificate for a few domains on my server. The creation process went fine (with the old “letsencrypt-auto” client). Now, though, I get an error when I try to renew it. For ONE of the domains I get the error:

Attempting to renew cert from /etc/letsencrypt/renewal/xxx.conf produced an unexpected error: 
Failed authorization procedure. doing.fitness (http-01): urn:acme:error:connection :: The server could 
not connect to the client to verify the domain :: Could not connect to . Skipping.

Note that this happens both with the old client and the new certbot. The certificates were created with the webroot procedure with something like the following:

letsencrypt-auto certonly -tvv --keep --webroot -w /usr/share/nginx/www/example.com -d example.com,test.example.com,test2.example.com,test3.example.com,domain.fitness

Checking the logs I see the following for one of the other domains:

2016-12-28 08:15:13,743:DEBUG:acme.client:Received response <Response [200]> <CUT>
  "validationRecord": [
    {          "url": "http://test.example.com/.well-known/acme-challenge/wBauTFml0ilxUlQt8fA93vA4H_H599oev2_y27r3EBk",\n         
  "hostname": "test.example.com",\n          "port": "80",\n          
  "addressesResolved": [\n            "XXX"\n          ],\n          
  "addressUsed": "XXX"\n        },\n        
{          
  "url": "https://example.com/.well-known/acme-challenge/wBauTFml0ilxUlQt8fA93vA4H_H599oev2_y27r3EBk",
  "hostname": "example.com",\n          "port": "443",\n          
  "addressesResolved": [\n            "XXXX",\n            "XXX"\n          ],\n          
  "addressUsed": "XXXX"\n        }\n      ]\n    },\n    

For the failing domain instead I get the following:

2016-12-28 08:15:13,091:DEBUG:acme.client:Received response <Response [200]> <CUT>
"validationRecord": [\n        {\n       
  "url": "http://domain.fitness/.well-known/acme-challenge/Ja_jSnI2TdaauwoOgIitV5ED-p5FKocrE-4NG5D4GKM",\n          
  "hostname": "domain.fitness",\n          "port": "80",\n          
  "addressesResolved": [\n            "XXX",\n            "XXX"\n          ],\n          
  "addressUsed": "XXX"\n        },\n        
{\n          
  "url": "https:///.well-known/acme-challenge/Ja_jSnI2TdaauwoOgIitV5ED-p5FKocrE-4NG5D4GKM",\n          
  "hostname": "",\n          
  "port": "443",\n          
  "addressesResolved": null,\n          
  "addressUsed": ""\n        }\n      ]\n    },\n    {\n      "type": "dns-01",\n      "status": "pending",   
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/tEe_4ZwsA5ROkakqWdL7H0hz79oZt9y0azH1RMQWV5M/451645019",\n      
 },\n    

You can see in the second case that the hostname part is missing and the URL is clearly wrong. The failing domain differs from the others in two ways:

  • It is a completely different domain (the others are all subdomains of the same domain)
  • It has a fitness TLD

I just tried to remove all configuration and create a new certificate only for the failing domain with the certbot client, but it fails again.

How can I fix this?

Your redirect from HTTP to HTTPS is broken. Let’s Encrypt follows redirects, so it can’t connect. Notice the Location header:

osiris@desktop ~ $ telnet doing.fitness 80
Trying 2a03:f80:ed16:ca7:ea75:b12d:294:b3a6...
Connected to doing.fitness.
Escape character is '^]'.
GET / HTTP/1.1
Host: doing.fitness

HTTP/1.1 301 Moved Permanently
Server: nginx/1.11.3
Date: Wed, 28 Dec 2016 10:15:21 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https:///

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.11.3</center>
</body>
</html>
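The broken redirect is the same fault that appears in the question's log as a second validationRecord entry with an empty hostname. The following Python is an added example, not part of the thread and not certbot code: it checks a Location value for a missing host and finds the failing hop in a validationRecord list. The function names are hypothetical, and the sample record is re-typed from the failing log in the question.

```python
from urllib.parse import urljoin, urlsplit


def location_problem(request_url, location):
    """Return why a redirect target cannot be followed, or None if it is usable."""
    raw = urlsplit(location)
    # An absolute Location is judged on its own; a relative one is resolved
    # against the URL that was requested.
    target = raw if raw.scheme else urlsplit(urljoin(request_url, location))
    if target.scheme not in ("http", "https"):
        return f"unsupported scheme {target.scheme!r}"
    if not target.hostname:
        return "redirect target has no hostname"
    return None


def first_broken_hop(validation_record):
    """Return (index, reason) for the first unusable hop, or None if all are fine."""
    for i, hop in enumerate(validation_record):
        if i > 0:
            # Every hop after the first is where the previous hop redirected to.
            previous = validation_record[i - 1]["url"]
            problem = location_problem(previous, hop["url"])
            if problem:
                return i, f"{previous} redirected to {hop['url']!r}: {problem}"
        if not hop.get("addressesResolved"):
            return i, f"{hop.get('hostname')!r} resolved to no addresses"
    return None


# Sample re-typed from the failing log in the question (addresses redacted there too).
TOKEN = "Ja_jSnI2TdaauwoOgIitV5ED-p5FKocrE-4NG5D4GKM"
FAILING = [
    {"url": f"http://domain.fitness/.well-known/acme-challenge/{TOKEN}",
     "hostname": "domain.fitness", "port": "80",
     "addressesResolved": ["XXX", "XXX"], "addressUsed": "XXX"},
    {"url": f"https:///.well-known/acme-challenge/{TOKEN}",
     "hostname": "", "port": "443",
     "addressesResolved": None, "addressUsed": ""},
]

if __name__ == "__main__":
    print(location_problem("http://domain.fitness/", "https:///"))
    print(first_broken_hop(FAILING))
```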

You’re right! I can’t believe I missed that. Thanks a lot.
