Problem getting a certificate

iamsram · July 4, 2017, 5:09am

Hi,
I am trying to get an SSL certificate and I’m running into the error below. I’ll appreciate any help. Thanks.

Please fill out the fields below so we can help you better.

My domain is: joojip.com

I ran this command:sudo certbot --nginx

It produced this output: Failed authorization procedure. temp.joojip.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

My web server is (include version): Server: nginx/1.10.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS/xenial

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

rg305 · July 4, 2017, 10:16pm

have you reviewed the user guide: User Guide — Certbot 2.7.0.dev0 documentation

uses TLS-SNI-01 for authorization.
but there is no TLS found at that name/IP.

Either your vhost :443 settings are misconfigured or you should be using http-01.

schoen · July 4, 2017, 11:41pm

It’s also possible that there’s a firewall or something that blocks inbound connections on port 443 (that you might not have noticed before because you weren’t using HTTPS before for anything).

iamsram · July 7, 2017, 8:06am

Hi, Thanks for pointing me towards firewall blocking 443. Now, port 443 is open, but I am getting a different error when I run certbot --nginx. Its now saying

Failed authorization procedure. temp.joojip.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

Here's my nginx config:

server {
listen 443 default_server ssl;
server_name temp.joojip.com;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

location / {
proxy_redirect off;
proxy_pass http://localhost:8080;
client_max_body_size 20m;
}
}

server {
listen 80;
server_name temp.joojip.com;
location / {

proxy_pass http://localhost:8080;
}

Thanks in advance

schoen · July 7, 2017, 5:59pm

@jsha, can you tell me what circumstances can cause this error message from Boulder after the most recent update/reorganization on the Boulder side?

jsha · July 7, 2017, 6:46pm

“Error getting validation data” is a catch-all for errors that we don’t specifically handle and turn into something nicer. Looking at the logs, I see that this particular example was “read: connection reset by peer.” That’s worth turning into a more informative error.

schoen · July 7, 2017, 7:21pm

@iamsram, it seems like you have some pre-existing problem with your setup because https://temp.joojip.com/ doesn’t work in a browser and also doesn’t work with openssl s_client -connect temp.joojip.com:443 and similar commands.

Do you have any errors in your nginx logs? Or trouble with a firewall or something that prevents inbound connections on port 443?

ahaw021 · July 8, 2017, 1:22pm

This won't work

Looks like you are proxying to an HTTP endpoint.

You will need to configure a self signed certificate at least for the TLS-SNI challenge to work

Otherwise try using the webroot challenge (using HTTP to serve a file)

Andrei

rg305 · July 9, 2017, 8:54pm

Unless there is an include somewhere…
The vhost conf seems to be missing:
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

system · August 8, 2017, 8:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.