Problem With Certbot

Please fill out the fields below so we can help you better.

My domain is: csgo-italia.it

I ran this command: certbot --apache

It produced this output: Which names would you like to activate HTTPS for?

1: csgo-italia.it
2: www.csgo-italia.it
3: novagamer.it
4: www.novagamer.it

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.csgo-italia.it
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.csgo-italia.it (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.csgo-italia.it
    Type: connection
    Detail: Error getting validation data

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): centos 7

The operating system my web server runs on is (include version): centos 7

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @Giuseppe98PG,

When I try to connect to the IP resolved for www.csgo-italia.it on port 443 the connection fails with symptoms usually indicative of a firewall or middle box closing the connection.

Are you aware of anything that might be blocking connections to your server on port 443? That port will need to be accessible for the TLS-SNI-01 challenge (and for HTTPS once you have the certificate!)

Could iptables be a problem?

Yes, certainly possible. Do you have a DROP that might be occurring for this traffic?

Yes man. I could make an iptables rule. I'll do it now.

I get this now

Which names would you like to activate HTTPS for?

1: csgo-italia.it
2: www.csgo-italia.it
3: novagamer.it
4: www.novagamer.it

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):2
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.csgo-italia.it
Waiting for verification…
Cleaning up challenges
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.csgo-italia.it/fullchain.pem. Your cert
    will expire on 2017-11-30. To obtain a new or tweaked version of
    this certificate in the future, simply run certbot again with the
    "certonly" option. To non-interactively renew all of your
    certificates, run “certbot renew”

Why was it unable to install the certificate?

This means that your certificate was issued and saved in a file (at the location mentioned). However, Certbot wasn’t able to understand your Apache configuration file in order to edit that file and tell Apache to use the certificate.

I don’t know exactly what problem Certbot had in understanding the Apache configuration, but in any case you don’t need to get a new certificate now (the certificate already exists on your system). Maybe you could look at the Apache configuration and see if there is something unusual about it.

One example that caused problems in the past is that Certbot expects that each virtual host will be defined by an individual, separate file. Apache allows you to define multiple virtual hosts within a single file, although this practice is apparently discouraged by more recent documentation. Earlier versions of Certbot could not correctly understand files that define more than one virtual host.

It would be possible to use certbot install to try this process again (maybe after changing the Apache configuration to make it clear to Certbot which file needs to be edited). Alternatively, it would be possible to install the certificate by manually editing Apache configuration files.


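To check for the layout mentioned in the last reply (several virtual hosts defined in one Apache file), the following added example, which is not part of the original thread or of Certbot, lists the `<VirtualHost>` blocks found in a configuration text. The function names and the sample configuration are constructed for illustration; only the domain names come from the thread.

```python
import re

# Opening <VirtualHost addr[:port] ...> tag; Apache directives are case-insensitive.
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.IGNORECASE)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE)


def list_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: addresses, ServerName, start line."""
    vhosts, current = [], None
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives do not define a virtual host
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "name": None, "line": lineno}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        elif current is not None:
            named = SERVER_NAME.match(line)
            if named and current["name"] is None:
                current["name"] = named.group(1)
    return vhosts


def has_multiple_vhosts(conf_text):
    """True when a single file defines more than one virtual host."""
    return len(list_vhosts(conf_text)) > 1


# Constructed sample: two virtual hosts in one file (hypothetical layout,
# using domain names shown in the thread).
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName www.csgo-italia.it
</VirtualHost>
# <VirtualHost *:80> commented out, not counted
<VirtualHost *:80>
    ServerName www.novagamer.it
</VirtualHost>
"""

if __name__ == "__main__":
    for vh in list_vhosts(SAMPLE_CONF):
        print(f"line {vh['line']}: {vh['name']} on {', '.join(vh['addrs'])}")
    print("multiple vhosts in one file:", has_multiple_vhosts(SAMPLE_CONF))
```

To use it on a real server, read each Apache configuration file and pass its contents to `list_vhosts`; a file that returns more than one entry is a candidate for splitting into one file per virtual host.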