No success with LE auto or webroot yet - could not connect to the client for DV

Hi all,

Thanks to the development team for the exciting LE initiative.

My domains have been whitelisted and I’ve been trying for a couple of days now to get this thing working, but to no avail.

I’ve run the LE auto a couple of times with the apache plugin without success and tried today, after many searches on this forum, with the webroot and cli.ini file set up using ./letsencrypt --config /etc/letsencrypt/cli.ini auth.

I end up with errors such as “Failed to connect to host for DVSNI challenge” using apache plugin and today using webroot “The server could not connect to the client for DV” and “Could not connect to http://my.domain.co.uk/.well-known/acme-challenge/blah,blah,blah …”

I’m running the sites on Debian jessie with apache 2.4. I’ve checked my DNS which seems OK and can curl to the sites from my laptop at home.

I am tearing my hair out now so would really appreciate some pointers.

Thanks in advance.

Richard.

Could you post the exact command you used for webroot, your cli.ini file, and the entire output of that command?

Try appending --verbose as well, that might show more relevant details.

Hi,

I used ./letsencrypt --config /etc/letsencrypt/cli.ini auth --verbose

cli.ini:

text = True
rsa-key-size = 4096
email = myemail@gmail.com
authenticator = webroot
webroot-path = /var/www/cirrus.glynos.co.uk
server = https://acme-v01.api.letsencrypt.org/directory
domains = cirrus.glynos.co.uk
renew-by-default = True
agree-dev-preview = True

Output:

2015-11-19 21:14:24,076:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-19 21:14:24,223:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-19 21:14:31,166:INFO:letsencrypt.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0011_key-letsencrypt.pem
2015-11-19 21:14:31,274:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0011_csr-letsencrypt.pem
2015-11-19 21:14:31,277:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-19 21:14:31,505:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-19 21:14:32,682:INFO:letsencrypt.auth_handler:Performing the following challenges:
2015-11-19 21:14:32,682:INFO:letsencrypt.auth_handler:http-01 challenge for cirrus.glynos.co.uk
2015-11-19 21:14:32,813:INFO:letsencrypt.auth_handler:Waiting for verification…
2015-11-19 21:14:32,829:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-19 21:14:36,072:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-19 21:14:39,268:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-19 21:14:39,479:INFO:letsencrypt.reporter:Reporting to user: The following ‘connection’ errors were reported by the server:

Domains: cirrus.glynos.co.uk
Error: The server could not connect to the client for DV

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client.
2015-11-19 21:14:39,480:INFO:letsencrypt.auth_handler:Cleaning up challenges
Failed authorization procedure. cirrus.glynos.co.uk (http-01): connection :: The server could not connect to the client for DV :: Could not connect to http://cirrus.glynos.co.uk/.well-known/acme-challenge/ape8p6WMJR9ZCWqYoOSnb4D2KFY4q_Mc_ptkNxYjiuM

IMPORTANT NOTES:

  • The following ‘connection’ errors were reported by the server:

    Domains: cirrus.glynos.co.uk
    Error: The server could not connect to the client for DV

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client.

I’m unable to connect to cirrus.glynos.co.uk on port 80.

Let’s Encrypt needs to be able to connect to a web server on your domain to verify you are authorized to request certificates for that domain. This connection attempt is initiated by a server in Let’s Encrypt’s network (and not by the letsencrypt client you’re running on your server), so you need to make sure it’s publicly routed.

I’m guessing this is some kind of firewall issue, maybe a country block list or something like that.
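The reachability check the last reply describes, written out as an added example (not code from the thread or from the letsencrypt client): `place_probe` runs on the web server and drops a random file where the webroot authenticator would, and `fetch_probe` is meant to be run from a machine outside the server's network, since validation is initiated from Let's Encrypt's side. The function names and result strings are hypothetical, and the `port` parameter exists only for local testing, because http-01 validation connects to port 80.

```python
import os
import secrets
import urllib.error
import urllib.request

# Path under the webroot that the http-01 challenge URL in the log points at.
CHALLENGE_DIR = ".well-known/acme-challenge"


def place_probe(webroot):
    """Run on the web server: write a random probe file into the challenge directory."""
    token = secrets.token_urlsafe(16)   # file name, constructed for this check
    body = secrets.token_urlsafe(32)    # expected content, constructed for this check
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(body)
    return token, body, path            # delete `path` once the check is done


def fetch_probe(host, token, expected, port=80, timeout=10):
    """Run from outside the network: fetch the probe over plain HTTP and classify the result."""
    url = "http://%s:%d/%s/%s" % (host, port, CHALLENGE_DIR, token)
    # Ignore proxy settings from the environment so the result reflects a direct connection.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            got = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        # The server answered but did not serve the file (likely wrong vhost or webroot-path).
        return "http-error-%d" % exc.code
    except (urllib.error.URLError, OSError):
        # No HTTP answer at all (DNS, routing or firewall): the kind of failure
        # the CA reported as a 'connection' error in this thread.
        return "unreachable"
    return "ok" if got == expected else "wrong-content"
```

A result of `ok` from the server itself or from a home connection only shows that the vhost maps to the webroot; an `unreachable` result from an outside network points at DNS, routing or firewall rules rather than at the client configuration.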