Made an easy-to-use auto-renewing library for Node. Hope it can help some people! https://github.com/DylanPiercey/auto-sni
If I can take a guess, I would think that you're curling the wrong port. Have you tried hitting your server from a web browser?
Hi there.
These appear to be the droids I'm looking for - I've got an ExpressJS server serving HTTPS with self-signed certs.
How do I swap these certificates from being my self-signed ones to some lovely legitimate LE certs? I've got the client. I ran
sudo ./letsencrypt-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com
…and I got
Domain: www.example.com Type: connection Detail: Could not connect to http://www.example.com/.well-known/acme-challenge/JjzCP_GNccpNiBQggFziPD9kYhdRR2diEOhtWtkjwtc
So I checked out /var/www/example/.well-known with ls -al /var/www/example/.well-known
and got . ..
So I started Googling and found this thread and its OP, which looked like the code this problem is preventing me from writing (I guess it's obvious I currently don't serve a ca as I'm self-signed?).
How come I Could not connect to http://www.na-n.xyz/.well-known/acme-challenge/JjzCP_GNccpNiBQggFziPD9kYhdRR2diEOhtWtkjwtc ?
FWIW I'm doing this on a Raspi running Jessie, which has a static IP on the local network, and it also takes care of DNS. Also there isn't a port 80 -> port 443 re-route or anything, and this is the only port I forward from the router.
Please help!
Edit: I did some more reading of this thread, and I don't want to open port 80 so I killed my server and used standalone and port 443 - letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 -w /var/www/example/ -d www.example.com -d example.com
And I got
sudo /home/username/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges tls-sni-01 -w /var/www/example/ -d www.example.com -d example.com Failed authorization procedure. www.example.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge
.
What does that mean? - Reading the "To fix these errors" - I can still connect to the website and put up with certificate errors, so the DNS mapping is correct…?
You do have port 80 forwarded, right? LE checks http://foo.baz/whatever, which implies port 80 unless you have a redirect in place.
[quote="na-n, post:23, topic:5175"]
-standalone-supported-challenges tls-sni-01
[/quote] - I thought that implied HTTP -> 443 ?
… My DNS Certificates aren't… quite… right? - I dropped the www. from the list of domains and it worked - I got certs! Remembered who I bought my DNS records from, and I have an A-Record that seems to be out of date. D'oh!
https is 443. Glad you got it working.
I was successfully able to get the certificates, and while opening my domain it shows the green lock. But when I opened it using my IP address it showed that the certificates are not verified. Also, when I tried opening the domain from my mobile Chrome client it even showed that the certificates are invalid.
Is it because of the certificates?
Let's Encrypt doesn't issue certificates for IP addresses, only domain names. You'll have to access your site through your domain name if you want to avoid the browser warning.
The issue with Chrome sounds like a problem with your certificate chain. You can use SSL Labs on your domain to spot any errors - look for "Chain issues". Make sure that you're using fullchain.pem (and not just cert.pem) in your configuration.