Often fails with Failed to connect to host for DVSNI challenge, works sometime

Hi forum,
As the title says, can someone help me understand why this ( it works sometimes but I have to be very persistent and keep trying over and over)

in the following logs I’m replacing my real domain name with domain.com and the real IP with 100.200.150.50…

It would be really great if someone can help with this
I’m trying to automate my script so I dont have to run it manually everytime

1. create a new instance
2. add the instance IP to the A records (60s TTL) for my domain
3. wait 5 minutes for DNS
4. run the script in standalone mode

below are my details:

#echo $IPV4
100.200.150.50

#echo $DOMAIN
domain.com

nothing running on port 80 or 443
#netstat -na | grep :80.*LISTEN
#echo $?
1

#netstat -na | grep :443.*LISTEN
#echo $?
1
**making sure my IP exists ( using google NS ) **
#dig $DOMAIN @8.8.8.8 | grep $IPV4
domain.com. 59 IN A 100.200.150.50

sudo git clone github.com/letsencrypt/letsencrypt /opt/letsencrypt
cd /opt/letsencrypt

/root/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade --agree-tos certonly --renew --text --email email@domain.com --standalone --server https://acme-staging.api.letsencrypt.org/directory --verbose --renew-by-default -d domain.com
2016-02-15 08:40:53,535:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-02-15 08:40:53,618:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-02-15 08:40:53,942:INFO:letsencrypt.cli:Auto-renewal forced with --force-renewal…
2016-02-15 08:40:54,208:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0028_key-letsencrypt.pem
2016-02-15 08:40:54,212:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0028_csr-letsencrypt.pem
2016-02-15 08:40:54,215:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-02-15 08:40:54,325:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-02-15 08:40:54,451:INFO:letsencrypt.auth_handler:Performing the following challenges:
2016-02-15 08:40:54,451:INFO:letsencrypt.auth_handler:tls-sni-01 challenge for domain.com
2016-02-15 08:40:54,473:INFO:letsencrypt.auth_handler:Waiting for verification…
2016-02-15 08:40:54,481:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-02-15 08:40:57,630:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-02-15 08:41:00,742:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-02-15 08:41:00,850:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:

Domain: domain.com
Type: connection
Detail: Failed to connect to host for DVSNI challenge

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2016-02-15 08:41:00,851:INFO:letsencrypt.auth_handler:Cleaning up challenges
Failed authorization procedure. domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: domain.com
  Type: connection
  Detail: Failed to connect to host for DVSNI challenge

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you’re using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

I appreciate your help in advance
Thank you

can one help here?
I’m still struggling with the same isssue.
I also noticed that when I have a server that is down in the list of A records of the domain I’m trying to get the cert for, I’d get zName unauthorized error
that I was able to fix by taking the server down out of the A records, but my main issue with the DVSNI error persist and is annoying 70% of the time it would fail, but then sometimes it would just work after trying the script over and over

experts…
can somebody help me with this issue here?

The error looks like you have an issue with your dns setup. Provide your real domain name or I don’t think anyone would be able to help you.

Hi Nit, Thanks for the reply

Honestly, with or without the real ip and domain , i don’t think it should make a difference.
the full log has a string replace … ( so domain a could be mydomain.com or yourdomain.com )
I don’t think it matters

if you need more information I can still send it …
unless I’m missing something i believe I satisfied all the requirements , the proof is that the process works sometimes ( 30% of the times )

• the requirement that the server where I run the script is in the domain as an A record is satisfied:
  > dig $DOMAIN @8.8.8.8 | grep $IPV4
  domain.com. 59 IN A 100.200.150.50
• the requirement that the port 80 is free is also satisfied
  *>netstat -na | grep :80.LISTEN
  >echo $?
  1
• same for port 443
  *>netstat -na | grep :443.LISTEN
  >echo $?
  1

@louatia: As the intro text says when you first post, it’s very helpful to provide your real domain name. Your domain name is already made public in the CT logs, so hiding it doesn’t really keep anything private, and makes it harder for people to help you.