LE fails to verify a domain - (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain

Hello all,

I’ve been installing and using LE in many servers without any problem but I need help with this issue. I get the following error:
Failed authorization procedure. disc-pre.upcnet.es (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to http://disc-pre.upcnet.es/.well-known/acme-challenge/i4fdweYhip5Y6atva4-5WfMQ38eYS-R052c-ttPi6Kc

I try to generate the (staging) certificate using a script that executes this command:
./letsencrypt-auto certonly --non-interactive --staging --break-my-certs --force-renewal --agree-tos --email=my@email.here --webroot -w /var/www -d disc-pre.upcnet.es

I used a proxy to check the route and it seems accessible from outside, like this:
http://disc-pre.upcnet.es/.well-known/acme-challenge/test

There is a rewrite rule from HTTP to HTTPS in the config file; I think LE follows redirects, so I don't see a problem here. In the 443 config there is another redirect like:
RedirectMatch ^/$ /owncloud/
which I guess is not a problem, since we can check the test URL I just gave you; correct me if I'm wrong.

This is the access log related information where we see the different behaviours:
$ cat /var/log/apache2/access.log | fgrep .well-known
66.133.109.36 - - [17/Mar/2016:13:07:59 +0100] "GET /.well-known/acme-challenge/i4fdweYhip5Y6atva4-5WfMQ38eYS-R052c-ttPi6Kc HTTP/1.1" 302 721 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
85.17.24.67 - - [17/Mar/2016:11:26:32 +0100] "GET /.well-known/test.html HTTP/1.1" 200 5979 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"

Any hint, guys? If you need any additional information just tell me.
Thank you in advance.
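The two access-log lines in the post above show the whole story: the validator's request for the challenge token got a 302 while the hand-made test got a 200. The following script is an added example, not something from the thread or from the Let's Encrypt client; it scans an Apache combined log for requests to /.well-known/acme-challenge/, tags the ones coming from the validation server by its User-Agent, and counts validator requests that were not answered with 200. The log lines it works on are constructed, modelled on the ones quoted above, and the token EXAMPLE-TOKEN is made up.

```shell
#!/bin/sh
# Added example (not part of the thread): spot http-01 challenge requests that
# the web server answered with something other than 200, e.g. a redirect.

# Constructed sample log, modelled on the lines quoted in the post above.
SAMPLE_FILE="${TMPDIR:-/tmp}/acme-sample-access.log"
cat > "$SAMPLE_FILE" <<'EOF'
66.133.109.36 - - [17/Mar/2016:13:07:59 +0100] "GET /.well-known/acme-challenge/i4fdweYhip5Y6atva4-5WfMQ38eYS-R052c-ttPi6Kc HTTP/1.1" 302 721 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
85.17.24.67 - - [17/Mar/2016:11:26:32 +0100] "GET /.well-known/test.html HTTP/1.1" 200 5979 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"
66.133.109.36 - - [18/Mar/2016:09:02:11 +0100] "GET /.well-known/acme-challenge/EXAMPLE-TOKEN HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
EOF

# acme_challenge_report LOGFILE
# One line per challenge request: "<status> <client IP> <validator|other> <token>".
# Combined log fields: $1 client IP, $7 request path, $9 HTTP status.
acme_challenge_report() {
  awk '
    /"(GET|HEAD) \/\.well-known\/acme-challenge\// {
      n = split($7, parts, "/"); token = parts[n]
      # The validation server identifies itself in the User-Agent string.
      ua = ($0 ~ /Let.s Encrypt validation server/) ? "validator" : "other"
      printf "%s %s %s %s\n", $9, $1, ua, token
    }' "$1"
}

# acme_challenge_failures LOGFILE
# Number of validator requests on the challenge path not answered with 200.
# A 301/302 here means a redirect rule is catching /.well-known/acme-challenge/.
acme_challenge_failures() {
  acme_challenge_report "$1" | awk '$3 == "validator" && $1 != 200 { n++ } END { print n+0 }'
}

acme_challenge_report "$SAMPLE_FILE"
echo "validator requests not answered with 200: $(acme_challenge_failures "$SAMPLE_FILE")"
```

Run it against the real log with `acme_challenge_report /var/log/apache2/access.log`; any validator line whose status is 3xx or 4xx points at the rewrite or redirect rule that needs an exception for the challenge path, and the token column tells you which authorization attempt it was.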

Redirects should work fine, and IIRC self-signed certificates should also work for http-01.

The only thing I noticed is that your site is currently using a SHA-1 certificate expiring after 2017, which some browser vendors treat as untrusted. I suppose it's possible that the CA server is refusing to connect because of that, but that's just a long shot and I haven't seen that issue come up before. If nothing else comes up, try using a self-signed SHA-2 certificate instead (I think that's -sha256 with openssl).

Thanks for your quick response.
I see your point there. Since this is not a production site, I will generate a self-signed SHA256 certificate and try it again. I must go now, but you will have news about this tomorrow morning.
In the meantime, if someone has any other ideas I'd like to hear them, just in case it is not about the SHA1 thing.

Hello, I’m back.

I will describe the steps I followed because it could be useful for other people:

I generated a self-signed certificate using openssl:
openssl req -x509 -nodes -days 1460 -newkey rsa:2048 \
  -keyout disc-pre.upcnet.es.key \
  -out disc-pre.upcnet.es.crt

I commented out the lines related to the previous certificate and included the self-signed certificate and the private key. After that I only reloaded Apache, checked that I now got a certificate warning (which means the self-signed cert is being served) and ran my script the same way I tried yesterday.

I forgot to remove the debug flags, so I got an unexpected error (because the CA was “happy hacker fake CA” :P) but after removing them, I just changed the config to the cert, pk, chain of LE and now it works like a charm!

Thank you very much.
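The openssl command in the post above relies on the default digest, and the earlier reply guessed that `-sha256` is the flag to force SHA-2. The script below is an added example, not the poster's command or anything from the Let's Encrypt project: it generates a throw-away self-signed certificate with `-sha256` and then reads the signature algorithm back out of the certificate, which is the check worth running on whatever certificate the HTTPS vhost is actually serving. The hostname example.test and the scratch directory under $TMPDIR are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the thread): make a self-signed SHA-256 certificate
# and verify the signature algorithm instead of guessing.

WORKDIR="${TMPDIR:-/tmp}/selfsigned-example"   # assumed scratch location
mkdir -p "$WORKDIR"

# make_selfsigned_cert HOSTNAME OUTPREFIX
# Same shape as the command in the post, plus -sha256 and a non-interactive subject.
make_selfsigned_cert() {
  openssl req -x509 -nodes -days 1460 -newkey rsa:2048 -sha256 \
    -subj "/CN=$1" \
    -keyout "$2.key" \
    -out "$2.crt" 2>/dev/null
}

# cert_signature_algorithm CERTFILE
# Prints the algorithm from the certificate's "Signature Algorithm:" line,
# e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_signature_algorithm() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# cert_uses_sha1 CERTFILE  (exit status 0 when the certificate is SHA-1 signed)
cert_uses_sha1() {
  case "$(cert_signature_algorithm "$1")" in
    sha1*) return 0 ;;
    *)     return 1 ;;
  esac
}

if command -v openssl >/dev/null 2>&1; then
  make_selfsigned_cert example.test "$WORKDIR/example.test"
  echo "signature algorithm: $(cert_signature_algorithm "$WORKDIR/example.test.crt")"
  if cert_uses_sha1 "$WORKDIR/example.test.crt"; then
    echo "certificate is SHA-1 signed; regenerate it with -sha256"
  fi
else
  echo "openssl not installed; nothing to check"
fi
```

To inspect the certificate a live vhost is serving rather than a file, pipe `openssl s_client -connect host:443 -servername host </dev/null` into `openssl x509 -noout -text` and look at the same "Signature Algorithm" line.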

