Problem with DVSNI challenge

I’m having a similar issue, “Failed to connect to host for DVSNI challenge”, while using “letsencrypt-auto renew”. When I was first creating those certs it wasn’t easy either; I needed to retry many times, but eventually it worked and created all certs…
My server is behind a D-Link home router. I have the following ports open: 80, 443 (and a couple more for mail), and all services are accessible from the internet.
However, I managed to solve this auto-renew issue by temporarily enabling DMZ for my server. Perhaps there is another port that needs to be opened for Let’s Encrypt to work properly? If so, which one?

DVSNI requires port 443, nothing else. I’d suspect that something like your router’s management interface was listening on the public IP on port 443, and enabling DMZ somehow fixes that. Did you verify that traffic on port 443 is actually forwarded to Let’s Encrypt when it’s coming from the internet (as opposed to your LAN)? (I usually just check that with Tor.)

I’ve tested using VPN and all traffic works (Tor also connects on HTTP and HTTPS). Plus my users also are not reporting any problems. Perhaps it’s something about my router’s firewall? Here are all those options:

Since I already renewed all my domains, I don’t know how to test it with those options disabled…

I’m not 100% certain if a VPN is a good test for this in every case. Depending on the specifics, there might be exceptions for local IPs (or hostnames that resolve to local IPs) causing them to be routed locally. I’d definitely recommend trying to access port 443 from outside your network (for example through some VPS, or via Tor Browser Bundle, which definitely won’t do any local routing).

I don’t think any of those settings would be a problem.

Just checked Tor and it connects fine with HTTP and HTTPS. I don’t have any exceptions for the VPN; I checked the IP it connects to and it’s not from the LAN.

However, a portscan shows closed ports, but the web services work…

Mind running the client with -t -vvvv (with DMZ disabled) and providing the output and /var/log/letsencrypt/letsencrypt.log? Maybe there’s something interesting in there.

I can confirm that I’m able to connect to port 80 and 443.

Figured I can delete my certs from /etc/letsencrypt and re-request them.

Here’s the first log: (1h expire)

But after that I disabled that firewall option, “Enable DOS and Portscan Protection”. The portscan now shows open ports, but it also disabled all other firewall options… I’m not sure if that’s secure. Most importantly, generating the cert worked without any issues now!

Is anyone going to elaborate on that? Why is it that the firewall’s “Portscan Protection” makes it hard or even impossible to get/renew a Let’s Encrypt certificate?

I realise it’s not a serious issue.
As long as I renew certs manually and re-enable the firewall afterwards… but what about automated renewals with cron?

That’s something you’ll have to ask your router vendor. Let’s Encrypt sends a regular HTTP or HTTPS request during issuance/renewal. If your router supports some kind of logging, I’d start investigating there.

I’ve enabled logging at the maximum “Debugging” level and ran a couple of tests.
With firewall disabled, 7 tries of getting a cert for 1 domain (+ 3 subdomains) failed 6 times and succeeded 1 time.
I also tried 2 times without those 3 subdomains and both times were successful.
Looks like the more domains it’s got to check, the more chance that it will fail.
The log, however, did not show anything suspicious…
Disabling the firewall and trying to get the cert (with subdomains) 2 times was successful both times, and the log also did not show anything.
Well… It’s an old router, perhaps it’s got some flaws, and to be honest it does not matter that much; manual renewals are good enough for me :slight_smile: Certs are free and that enshrouds all hindrances :smiley:
Thanks for help, pfg! And thanks for this great service, guys!
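An added reachability check covering two points in this thread: pfg’s advice to verify that port 443 is reachable from outside the network, and the later observation that requests covering more names fail more often than requests for a single name. This is example code written for this thread, not the Let’s Encrypt client and not code from any of the posters. It assumes a host to probe and a list of names to present as SNI, and it mirrors what a DVSNI-style validator does on the wire: a TCP connect to port 443 followed by a TLS handshake with the name in SNI, once per name, back to back. The idea that a router’s “portscan protection” drops the later connections in such a burst is a hypothesis the thread does not confirm; the `looks_rate_limited` flag only encodes that hypothesis, it does not prove it.

```python
"""Reachability check for a DVSNI-style validation (added example for this
thread; not Let's Encrypt client code). It opens port 443 from wherever it
runs, completes a TLS handshake using each name as SNI, one after another
with no pause, and reports where (if anywhere) the connections start to fail.
Run it from a host outside your LAN: from inside, NAT hairpinning can make a
broken port forward look healthy."""
import socket
import ssl
import sys
import time


def probe(host, sni, port=443, timeout=10):
    """One TCP connect plus TLS handshake with server_hostname=sni. Never raises."""
    r = {"sni": sni, "tcp": False, "tls": False, "seconds": 0.0, "error": None}
    ctx = ssl.create_default_context()
    # Only the handshake matters here, not chain verification: before the first
    # issuance the server may well present a self-signed certificate.
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            r["tcp"] = True
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                r["tls"] = True
                r["version"] = tls.version()
    except OSError as e:  # timeout, refused, DNS failure, SSLError all derive from OSError
        r["error"] = str(e)
    r["seconds"] = round(time.monotonic() - start, 3)
    return r


def burst(host, names, port=443, timeout=10):
    """Probe every name back to back, in order, against the same host,
    the way a validator with several names to check would."""
    return [probe(host, n, port, timeout) for n in names]


def summarize(results):
    """Counts plus the index of the first failed handshake. A burst where the
    first name(s) succeed and later ones fail points at something on the path
    reacting to repeated connections (assumed here to be rate limiting or a
    router's 'portscan protection') rather than at a service outage."""
    summary = {
        "attempted": len(results),
        "tcp_ok": sum(1 for r in results if r["tcp"]),
        "tls_ok": sum(1 for r in results if r["tls"]),
        "first_failure": next((i for i, r in enumerate(results) if not r["tls"]), None),
    }
    summary["looks_rate_limited"] = (
        summary["first_failure"] is not None and summary["first_failure"] > 0
    )
    return summary


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe443.py HOST [SNI ...]   (SNI defaults to HOST)")
    target = sys.argv[1]
    snis = sys.argv[2:] or [target]      # e.g. example.com www.example.com mail.example.com
    results = burst(target, snis)
    for r in results:
        print(r)
    print(summarize(results))
```

Run it from a VPS or another external vantage point, passing every name the certificate covers; a summary with `tls_ok` equal to `attempted` means the path is fine for this many names in a row, while a non-zero `first_failure` tells you which connection in the sequence was the first to be dropped, which is the detail to take to the router’s log or vendor.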

I’m having a similar issue on a Google Cloud server. Mine fails less often than 6 out of 7, probably more like 1 out of 4 attempts fails. Re-running the request usually succeeds. Since I’ve not been able to find any error on my end–that is, http and https requests to this server always seem to work from the computers I have access to on multiple ISPs–my guess is that Let’s Encrypt has some kind of timeout issue on their end. Perhaps a little longer timeout period or one more retry on the dns and/or https request could solve the issue. Considering that there’s no indication of a problem on my end except that the DVSNI challenge fails, and retrying always seems to work, I have to assume the problem is elsewhere.
