[Resolved] FailedChallenges: Failed authorization procedure

Hi all,

Sorry, I'm a bit lost as I'am not familiar with network stuff and I'm facing an issue when I try to use letsencrypt that I don't understand well.

I'm going to prepare a new server which will only respond to https urls.
As this server is not opened for public for the time being, I obviously had to open some ports using iptables.
I then opened ports 80 and 443 for all sources to my destination.
The port 80 is redirected to 443 by tha apache directive virtualhost using : Redirect 301 / https://my_site.fr

When I use :

./letsencrypt-auto --test-cert --apache --domain my_site.fr

i get the following error message :

FailedChallenges: Failed authorization procedure. my_site.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

  • The following errors were reported by the server:
    Domain: my_site.fr
    Type: connection
    Detail: Failed to connect to host for DVSNI challenge

The A DNS entry seems to be ok (DNS is an OVH one), I can connect to that server from home using its fqdn :

$ dig A my_site.fr
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> A my_site.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 4096
;my_site.fr. IN A

my_site.fr. 3600 IN A 176.xxx.xxx.xxx

My apache config is

ServerAdmin root@my_site.fr ServerName my_site.fr Redirect 301 / https://my_site.fr/


ServerName my_site.fr ServerAdmin root@localhost ServerSignature Off DocumentRoot /var/www SSLEngine on SSLCertificateFile /etc/ssl/certs/msg_server.crt SSLCertificateKeyFile /etc/ssl/private/msg_server.key .... snip ....

Apache is well listening on 443

netstat -tulpn | grep :443
tcp6 0 0 :::443 :::* LISTEN 32020/apache2

Anyone could show me were I missed something ?

Hi Philippe

Are you happy to provide your domain name ? so we can check basic DNS checks etc ?

I’d suggest you try adding a test file in /domainroot/.well-known/acme-challenge/text with just some simple text in it. Then check that you can reach that file from the general internet, and that it’s presented as clear text.

Hi Serveco,

thanks for a so quick response :smile: The domain name is my_site.fr
I’m going to find a way to try your suggestion but I need an other network. My own ip-adress, and only this one, is always authorized by my fw rules

I also notice that my fw logs even don’t show any try from external connections when letsencrypt was run

If you call the file “test” I will also check from my location.

The DNS response I got from your nameserver ( dns111.ovh.net ) was slow responding, but it did respond correctly to the challenges that LE would give.

Your website isn’t responding for me - so it may be a firewall issue

Can you see anything on your firewall logs from my IP - 69…

for the time being, the ports 80 and 443 are closed. Would you like me to open them a while for your tests ?
I also created the text file

You will need to open them up ( at least in the .well-known/acme-challenge folder) in order for letsencrypt to verify you have control of the domain, so yes please

Nope, there is no connection from 69.xxx
I need to see what are my rules …

I did it when I ran letsencrypt.
Now I just opened them for you

Thanks - I can access now - from a quick check I’m seeing a certificate error with your existing cert … looking

Ok I can see you now in FW logs

It was my first tests with an auto signed certificat

Did you create a file “test” in .well-known/acme-challenge ? I’m getting a The requested URL /.well-known/acme-challenge/test was not found on this server. error

root@server:/var/www/.well-known/acme-challenge# ls -ali
total 12
263116 drwxr-xr-x 2 msg www-data 4096 mai 11 18:53 .
262960 drwxr-xr-x 3 msg www-data 4096 mai 11 18:52 …
263153 -rw-r----- 1 msg www-data 33 mai 11 18:53 text

ahh, “text” and “test” :slight_smile:

Yes, that works fine, and was delivered as plain text. So everything looks OK on that.

For the first certificate it may be as well to use “standalone mode” since that will create an SSL cert that LE is happy with and provide you with a full certificate.

oooops ! sorry for this mistake !!

do you mean that I have to use an other syntax with letsencrypt with the standalone flag

No problem, could just as easily have been me :slight_smile:

Shutting down your apache and using letsencrypt with the standalone flag is probably the easiest, yes.

Alternatively, we can look at correcting issues with your existing SSL cert or whatever the issue is there.

Well, I think it is better to go on with letsencrypt. The current certificat is auto-signed so I don’t think it is usable anymore as I would like avoid that users who connect to the site get “this site is not trusted …”

Understood. Hence that’s probably the quickest way. Once you have the certificate you can then close down your firewall again.

Ok… I hope this will be ok also for me as I don’t still know what causes that error…
anyway thousand of thanks for your kind help