I have been using letsencrypt / certbot successfully since January 2017 and very much appreciate the project.
I set up a cron job for my renewals some time ago and everything has been working well so far.
However, recently the cron job has been failing and sending me emails with the following error details for all of the subdomains.
My domain is: https://wolke.xxxxxxxxxxx.de:9443 https://baikal.xxxxxxxxxxx.de:8443
These are set up as different virtual hosts on the apache server.
The ports are directed to my server. Everything working fine so far.
In addition I opened port 443 just to check whether this is the issue. But the output is all the same.
I ran this command: sudo letsencrypt renew (after the cronjob failed)
It produced this output:
Failed authorization procedure. wolke.xxxxxxxxxx.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, baikal.xxxxxxxxxxx.de (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
Domain: wolke.xxxxxxxxxx.de
Type: connection
Detail: Error getting validation data
Domain: baikal.xxxxxxxxxx.de
Type: connection
Detail: Error getting validation data
My web server is (include version): Apache 2.4.18
The operating system my web server runs on is (include version): Ubuntu 16.04.2
My hosting provider, if applicable, is: self hosted
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
Redacting the domain name makes it harder to investigate possible reasons for this problem. One likely one could be that you have an IPv6 address advertised via an AAAA record in DNS, but that the server isn’t actually responding to connections via IPv6.
Also, depending on the validation method, the Let’s Encrypt CA does need to use inbound ports 443 or 80 to connect to the service, in order to confirm your control over the domain name.
As I already mentioned, those ports are directed to the server. I additionally opened port 443 to see if that one is missing. Port 80 is/was closed.
The subdomains are directed via CNAME records to a dyndns service (myfritz) which redirects to my IPv4 address.
This setting worked so far. Only renewing does not work this time…
The port 443 being closed is probably a big part of the problem; the TLS-SNI-01 validation always happens on port 443. If you do have some kind of NAT or IP address sharing, you will probably also need to ensure port 443 on your router or firewall is forwarded to the server that hosts these services. (I’m assuming that it’s the same physical server.)
It is strange that it worked in the first place (for the initial issuance) because TLS-SNI-01 validation always requires the use of port 443.
Your hint with port 443 got me back on track. Thank you!!
I thought I opened port 443 in my router (fritzbox 6360) but in fact the router UI only made me believe I did. In fact it wasn’t opened due to another (inactive!) firewall rule which conflicted. But no error message at all. Everything looked fine.
I scanned for open ports from the outside and realized that port 443 was not open actually. After deleting the (inactive!) conflicting rule I could open port 443 and renewing certs was no problem then.
I will tell the router manufacturer AVM about that strange behaviour…
Thanks again and have a nice day!
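A pre-renewal reachability check of the kind the two replies and the final post describe, added here as an example (not code from the thread or from certbot): it resolves every A and AAAA record of a name and tries a TCP connection to the port the tls-sni-01 challenge is validated on, so an unforwarded port 443 or a published AAAA record the server does not answer on shows up before the CA ever tries. The `resolve`/`connect` parameters and the `explain` wording are my own design; the host name in the usage comment is a placeholder, and the script must be run from outside your own LAN, as the last post notes.

```python
import socket
import sys
from typing import Callable, Dict, List, Tuple
# tls-sni-01 is validated on port 443, as both replies in the thread state.
VALIDATION_PORT = 443
FAMILIES = {"ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}

def resolve_addresses(hostname: str) -> List[Tuple[str, str]]:
    """Every A and AAAA record for hostname as ("ipv4"|"ipv6", address) pairs."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    return sorted({("ipv6" if f == socket.AF_INET6 else "ipv4", sa[0]) for f, _, _, _, sa in infos})

def tcp_connect_ok(label: str, address: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to address:port completes within timeout."""
    try:
        with socket.socket(FAMILIES[label], socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
        return True
    except OSError:
        return False

def check_validation_reachability(
    hostname: str,
    port: int = VALIDATION_PORT,
    resolve: Callable[[str], List[Tuple[str, str]]] = resolve_addresses,
    connect: Callable[[str, str, int], bool] = tcp_connect_ok,
) -> Dict[str, List[str]]:
    """Per address family, the published addresses that did not accept `port`."""
    # resolve/connect are injection points (my own design) so the check can be
    # exercised offline; the defaults do real DNS and TCP from this machine.
    failed: Dict[str, List[str]] = {"ipv4": [], "ipv6": []}
    for label, address in resolve(hostname):
        if not connect(label, address, port):
            failed[label].append(address)
    return failed

def explain(hostname: str, failed: Dict[str, List[str]]) -> List[str]:
    """Findings a renewal pre-check would print; an empty list means reachable."""
    notes = []
    if failed["ipv6"]:  # the AAAA case the first reply suspects
        notes.append(f"{hostname}: AAAA {failed['ipv6']} do not answer on the validation port")
    if failed["ipv4"]:  # the forwarding case the final post confirms
        notes.append(f"{hostname}: A {failed['ipv4']} do not answer; check router/firewall forwarding")
    return notes

if __name__ == "__main__":  # from OUTSIDE your LAN: python3 this_script.py wolke.example.invalid
    for name in sys.argv[1:]:
        print("\n".join(explain(name, check_validation_reachability(name)) or [f"{name}: ok"]))
```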