Lets Encrypt connection error during tls-sni-01

My domain is:

dustindoloff.com

I ran this command:

./certbot-auto --debug

It produced this output:

Requesting root privileges to run certbot...
  /home/ec2-user/.local/share/letsencrypt/bin/letsencrypt --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: ****.com
2: www.****.com
3: ****.co
4: www.****.co
5: dustindoloff.com
6: **.dustindoloff.com
7: test.dustindoloff.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 5
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dustindoloff.com
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/home/ec2-user/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 598, in run
    certname, lineage)
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 356, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 317, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/home/ec2-user/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. dustindoloff.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: dustindoloff.com
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

Server version: Apache/2.4.25 (Amazon)
Server built:   Jan 19 2017 16:55:49

The operating system my web server runs on is (include version):

Amazon Linux 2017

Linux ip-XXX-XXX-XXX-XXX 3.14.48-33.39.amzn1.x86_64 #1 SMP Tue Jul 14 23:43:07 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

I have uploaded the logs from here

/var/log/letsencrypt/letsencrypt.log

What I've done to troubleshoot:

  • Try an individual domain instead of all at once
  • Verify the security group for the EC2 instance is correct and allows incoming requests on port 443 from all IP addresses
  • Verify the IP address in the logs matches the public IP address of the domain

As there is no current response on port 443…
You could try:
./certbot-auto --apache --debug
or maybe use webroot parameter

I ended up manually configuring my httpd.conf, which I was hoping to avoid by using the tool, but now everything is set up, albeit more manually than I was hoping for. I never did figure out why it couldn't verify it with apache, but switched to --standalone and used certonly to get the cert.

For anyone out there reading this to debug for themselves:

To register the domain with certbot I did:

$ sudo ./certbot-auto --debug certonly

To verify the domain and actually get the cert:

$ sudo ./certbot-auto --debug --standalone --installer apache

I found that I also had issues where my manual configuration of the certs would cause apache to fail to start, so I would have to comment out the SSLCertificateFile and SSLCertificateKeyFile lines in order to get certbot far enough forward to actually download the cert.
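The three checks the poster did by hand (DNS A record vs. the instance's public IP, a listener on 443, and SSLCertificate*File lines pointing at files that do not exist yet, which stops Apache from starting) can be scripted as a pre-flight run before certbot; this is an added example, not code from the thread or from certbot, and note that Let's Encrypt has since retired the tls-sni-01 challenge entirely. It assumes the Apache config lives under /etc/httpd, that the host is an EC2 instance (so the 169.254.169.254 metadata endpoint answers), and that either ss or netstat is installed.

```shell
#!/bin/sh
# Pre-flight checks for the "could not connect to the client" failure above.
# Added example, not from the thread. Assumptions: Apache config under
# /etc/httpd, EC2 metadata endpoint reachable, ss or netstat available.
set -u

# Report SSLCertificate*File directives whose target file does not exist yet.
# Apache refuses to start on such a line, so certbot's apache installer can
# never get far enough to reload it. Returns 1 if any path is missing.
check_ssl_paths() {
  missing=0
  tmp=$(mktemp)
  grep -rHE '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$1" >"$tmp" || true
  while IFS= read -r line; do
    conf_file=${line%%:*}            # grep -H prefixes "file:" to each match
    set -- ${line#*:}                # $1 = directive, $2 = path
    [ $# -ge 2 ] || continue
    path=$(printf '%s' "$2" | tr -d '"')
    if [ ! -f "$path" ]; then
      printf 'MISSING %s -> %s (in %s)\n' "$1" "$path" "$conf_file"
      missing=1
    fi
  done <"$tmp"
  rm -f "$tmp"
  return "$missing"
}

# Is anything listening on TCP 443 locally? An open security group does not
# help if no process answers. Returns 0 when a listener is present.
port_443_listening() {
  { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -qE '[:.]443[[:space:]]'
}

# Does the A record the ACME server will resolve match this instance's public IP?
dns_points_here() {
  public_ip=$(curl -sf --max-time 2 http://169.254.169.254/latest/meta-data/public-ipv4) || return 2
  getent hosts "$1" | awk '{print $1}' | grep -qx "$public_ip"
}

run_preflight() {
  dns_points_here "$1" && echo "OK   A record for $1 matches public IP" \
                       || echo "FAIL A record for $1 does not match public IP"
  port_443_listening   && echo "OK   listener on :443" || echo "FAIL nothing listening on :443"
  check_ssl_paths "$2" && echo "OK   all SSLCertificate*File paths exist"
}

# usage: sh preflight.sh dustindoloff.com /etc/httpd
if [ $# -eq 2 ]; then run_preflight "$1" "$2"; fi
```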
