Made an easy to use auto renewing library for node. Hope it can help some people! https://github.com/DylanPiercey/auto-sni
If I can take a guess, I would think that you’re curling the wrong port. Have you tried hitting your server from a web browser?
These appear to be the droids I’m looking for - I’ve got an ExpressJS Server serving HTTPS with self-signed certs.
How do I swap these certificates from being my self-signed ones to some lovely legitimate LE certs? I’ve got the client. I ran
sudo ./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com
…and I got
Domain: www.example.com Type: connection Detail: Could not connect to http://www.example.com/.well-known/acme-challenge/JjzCP_GNccpNiBQggFziPD9kYhdRR2diEOhtWtkjwtc
So I checked out /var/www/example/.well-known with
ls -al /var/www/example/.well-known and got
So I started Googling and found this thread and its OP, which looked like the code this problem is preventing me from writing (I guess it’s obvious I currently don’t serve a ca as I’m self-signed?).
How come I get “Could not connect to http://www.na-n.xyz/.well-known/acme-challenge/JjzCP_GNccpNiBQggFziPD9kYhdRR2diEOhtWtkjwtc”?
FWIW I’m doing this on a Raspi running Jessie, which has a static IP on the local network, and it also takes care of DNS. Also there isn’t a port 80 -> port 443 re-route or anything, and this is the only port I forward from the router.
Edit: I did some more reading of this thread, and I don’t want to open port 80 so I killed my server and used standalone and port 443 -
letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 -w /var/www/example/ -d www.example.com -d example.com
And I got
sudo /home/username/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 -w /var/www/example/ -d www.example.com -d example.com
Failed authorization procedure. www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge.
What does that mean? - Reading the ‘To fix these errors’ - I can still connect to the website and put up with certificate errors, so the DNS mapping is correct…?
You do have port 80 forwarded, right? LE checks http://foo.baz/whatever, which implies port 80 unless you have a redirect in place.
(Quoting na-n, post 23:) I thought that implied HTTP -> 443?
… My DNS Certificates aren’t… quite… right? - I dropped the www. from the list of domains and it worked - I got certs! Remembered who I bought my DNS records from, and I have an A-Record that seems to be out of date. D’oh!
https is 443. Glad you got it working.
I was successfully able to get the certificates, and when opening my domain it shows the green lock. But when I opened it using my IP address it showed the certificates are not verified. Also, when I tried opening the domain from my mobile Chrome client it even showed the certificates are invalid.
Is it because of the certificates?
Let’s Encrypt doesn’t issue certificates for IP addresses, only domain names. You’ll have to access your site through your domain name if you want to avoid the browser warning.
The issue with Chrome sounds like a problem with your certificate chain. You can use SSL Labs on your domain to spot any errors - look for “Chain issues”. Make sure that you’re using fullchain.pem (and not just cert.pem) in your configuration.