(http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain

My domain is: hamishwest.xyz

I ran this command: sudo certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/hamishwest.xyz.conf

Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for hamishwest.xyz
http-01 challenge for mail.hamishwest.xyz
http-01 challenge for www.hamishwest.xyz
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/hamishwest.xyz.conf produced an unexpected error: Failed authorization procedure. hamishwest.xyz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://hamishwest.xyz/.well-known/acme-challenge/rGDq0UCb8M2INKu-cQrk_U4R1BR_Bu1ZLaBOfkyKMbE: Connection refused, www.hamishwest.xyz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.hamishwest.xyz/.well-known/acme-challenge/WQ7B6WGU223uJ0PtnW-15JW-zBU-rplLxd4damjPOQs: Connection refused, mail.hamishwest.xyz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.hamishwest.xyz/.well-known/acme-challenge/mVr_amE3JU8lwfo9z9CroXTSIIVXIcPm2DkgdqUWgKM: Connection refused. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/hamishwest.xyz/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version): Apache/2.4.25 (Raspbian)

The operating system my web server runs on is (include version): Raspbian GNU/Linux 9 (stretch)

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

.well-known/acme-challenge are all set to 755 with root ownership, and I verified that I am able to access files stored in those directories.
Thanks in advance!

What authenticator are you using? Can you show the contents of /etc/letsencrypt/renewal/hamishwest.xyz.conf ?

Hi @TN-1

when calling your file

http://hamishwest.xyz/.well-known/acme-challenge/rGDq0UCb8M2INKu-cQrk_U4R1BR_Bu1ZLaBOfkyKMbE

I get a 403 - Forbidden. Normally, I should get the file or a 404. So Letsencrypt may be unable to get the file.

So I can't confirm this. Did you test this per command line using special rights?

Hi @_az, Webroot.
hamishwest.xyz.conf:

# renew_before_expiry = 30 days
version = 0.10.2
archive_dir = /etc/letsencrypt/archive/hamishwest.xyz
cert = /etc/letsencrypt/live/hamishwest.xyz/cert.pem
privkey = /etc/letsencrypt/live/hamishwest.xyz/privkey.pem
chain = /etc/letsencrypt/live/hamishwest.xyz/chain.pem
fullchain = /etc/letsencrypt/live/hamishwest.xyz/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = apache
account = 27cd9256103492fd226d7651fb8da477
renew_hook = sh /root/bin/certbot-renew
[[webroot_map]]
www.hamishwest.xyz = /var/www/html
mail.hamishwest.xyz = /var/www/html
hamishwest.xyz = /var/www/html

Hi @JuergenAuer, that was my bad. I had an https rewrite in my .htaccess which I disabled for my test, then re-enabled without thinking. With it disabled, the link you mentioned comes with the 404 you expect.

Yes, now I get the 404. But a rewrite http -> https should work; it should not produce a 403. Is it possible that there are other rewrite rules or redirects?

https://hamishwest.xyz/.well-known/acme-challenge/rGDq0UCb8M2INKu-cQrk_U4R1BR_Bu1ZLaBOfkyKMbE works (with 404), the certificate is valid from 2018-04-25 to 2018-07-24.

normally indicates that the webserver can't create a correct connection: wrong redirects, too many, etc.

The https redirect was the only rule in my .htaccess, my server has no redirects, symbolics or anything like that.
This is my apache conf, if it helps:

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Map challenge URLs onto the challenge directory under the webroot
    AliasMatch ^/.well-known/acme-challenge/(.*)$ /var/www/html/.well-known/acme-challenge/$1
    Alias /.well-known/acme-challenge/ /var/www/html/.well-known/acme-challenge/
    <Directory "/var/www/html/.well-known/acme-challenge/">
            Options None
            AllowOverride None
            ForceType text/plain
            # Answer 404 for any request that is not a 43-character challenge token
            RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
    </Directory>
</VirtualHost>

I don't understand your configuration.

If this

is your document root, a GET (browser, Letsencrypt) of

http://hamishwest.xyz/.well-known/acme-challenge/123456789

should send the content of

/var/www/html/.well-known/acme-challenge/123456789

if this file exists. This is the definition of "DocumentRoot". So you don't need the AliasMatch/Alias rows.

Your Redirect

answers with 404, if Letsencrypt wants to get your file. The token = filename has 43 characters.
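A pre-renewal self-check that follows the reasoning above, written for this thread rather than taken from certbot or from either poster: it drops a 43-character, base64url-shaped token file into the acme-challenge directory of each webroot, fetches it over plain HTTP for every hostname in the webroot map (following an http -> https redirect the way the CA would), and maps the outcome onto the failure modes discussed here (connection refused, 403, 404, wrong body). The hostnames and webroot mirror the renewal conf quoted above but are assumptions, as is the modelling of the RedirectMatch rule as "the URL path does not match the token pattern"; nothing here contacts Let's Encrypt.

```python
"""Added example: self-check for a webroot http-01 setup (not certbot code)."""
import base64
import os
import re
import secrets
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"

# Assumed webroot map, mirroring the [[webroot_map]] quoted in the thread.
WEBROOT_MAP = {
    "hamishwest.xyz": "/var/www/html",
    "www.hamishwest.xyz": "/var/www/html",
    "mail.hamishwest.xyz": "/var/www/html",
}

# Token pattern from the posted RedirectMatch: exactly 43 chars of [A-Za-z0-9_-].
TOKEN_PATH_RE = re.compile(r"^/\.well-known/acme-challenge/[\w-]{43}$", re.ASCII)


def make_token() -> str:
    """Constructed token shaped like a real ACME one: base64url of 32 random
    bytes with padding stripped, which is always 43 characters long."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def redirect_match_blocks(url_path: str) -> bool:
    """True if the thread's 'RedirectMatch 404' would fire for this URL path,
    i.e. the path is not a well-formed 43-character challenge token."""
    return TOKEN_PATH_RE.match(url_path) is None


def fetch(url: str, timeout: float = 10.0):
    """GET url following redirects; return (status or None, body bytes, final url)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(), resp.geturl()
    except urllib.error.HTTPError as err:
        body = err.read() if err.fp is not None else b""
        return err.code, body, err.filename or url
    except (urllib.error.URLError, OSError) as err:
        return None, str(err).encode(), url


def diagnose(status, body: bytes, expected: str) -> str:
    """Translate one fetch result into the failure modes seen in the thread."""
    if status is None:
        return "connection failed: nothing listening on :80, or a firewall/NAT/DNS problem"
    if status == 200 and body.strip() == expected.encode():
        return "ok"
    if status == 200:
        return "200 with the wrong body: a different vhost or alias answered"
    if status == 403:
        return "403: directory permissions, AllowOverride, or an .htaccess rewrite blocking the path"
    if status == 404:
        return "404: the file is not under the directory this vhost actually serves"
    return f"unexpected HTTP {status}"


def self_check(webroot_map=WEBROOT_MAP) -> dict:
    """Write one token per webroot, probe every hostname, always clean up.
    Returns {hostname: diagnosis}."""
    token = make_token()
    written, results = [], {}
    try:
        for root in set(webroot_map.values()):
            challenge_dir = os.path.join(root, ACME_PATH.strip("/"))
            os.makedirs(challenge_dir, exist_ok=True)
            path = os.path.join(challenge_dir, token)
            with open(path, "w") as fh:
                fh.write(token + "\n")
            written.append(path)
        for host in webroot_map:
            status, body, final = fetch(f"http://{host}{ACME_PATH}{token}")
            results[host] = diagnose(status, body, token)
            print(f"{host}: {results[host]} (final URL {final})")
    finally:
        for path in written:  # never leave test tokens lying in the webroot
            try:
                os.remove(path)
            except OSError:
                pass
    return results


if __name__ == "__main__":
    self_check()
```

Run it as root on the web server itself (it must write into the webroot), and read the "final URL" column: if it already shows https:// for a 404, the redirect is working and the problem is what is served on the https side, exactly the distinction drawn above.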

Honestly, I'm a programmer, not a sysadmin, so this stuff isn't my strong suit at all. For what it is worth though, I didn't add any of that stuff myself; I believe certbot added those lines. Only the ServerAdmin, DocRoot and Log lines are configs that I added.

Also, it seems that the auto-renew has worked, I just got a new cert.
So whatever the issue is, it only affects a manual certbot run.
