Please fill out the fields below so we can help you better.
My domain is:
caltech.flint.caltech.edu
I ran this command:
sudo certbot --apache certonly
OR
sudo certbot renew
It produced this output:
Attempting to renew cert from /etc/letsencrypt/renewal/caltech.flint.caltech.edu.conf produced an unexpected error: Failed authorization procedure. caltech.flint.caltech.edu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 131.215.229.46:443 for TLS-SNI-01 challenge. Skipping.
My operating system is (include version):
OSX El Capitan
My web server is (include version):
Apache 2.2
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
Three months ago, when I set up a cert for my dev site through Let’s Encrypt, it was a gigantic hassle. So I wasn’t terribly surprised that when my cert expired, it became a hassle again to renew it.
The main problem is that I have to keep my machine strictly firewalled from outside traffic due to company policy. I’ve had to disable it temporarily to allow the LE challenges to get through, but I can’t simply leave it disabled so that certbot can perform automatic renewal. I need to know from whence I can expect renewal challenges to originate, so I can allow those origins through my firewall.
Unless there’s some other way to pass the challenges that doesn’t require a hole in my firewall? I’ve heard that there are other kinds of challenges, but have had no luck getting them to work. For instance, when I try certbot --apache --preferred-challenges http-01, I get:
None of the preferred challenges are supported by the selected plugin
What can I do? Self-signed certs are not an option due to certain functionality on my site requiring a real cert to be installed on the server.