[Resolved] FailedChallenges: Failed authorization procedure

Hi all,

Sorry, I'm a bit lost as I'm not familiar with network stuff and I'm facing an issue when I try to use letsencrypt that I don't understand well.

I'm going to prepare a new server which will only respond to https URLs.
As this server is not open to the public for the time being, I obviously had to open some ports using iptables.
I then opened ports 80 and 443 for all sources to my destination.
Port 80 is redirected to 443 by the Apache VirtualHost directive using: Redirect 301 / https://my_site.fr

When I use:

./letsencrypt-auto --test-cert --apache --domain my_site.fr

I get the following error message:

FailedChallenges: Failed authorization procedure. my_site.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: my_site.fr
    Type: connection
    Detail: Failed to connect to host for DVSNI challenge

The DNS A entry seems to be OK (the DNS is an OVH one); I can connect to that server from home using its FQDN:

$ dig A my_site.fr
; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> A my_site.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20201
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;my_site.fr. IN A

;; ANSWER SECTION:
my_site.fr. 3600 IN A 176.xxx.xxx.xxx

My Apache config is

site-enabled/msg_80.conf

ServerAdmin root@my_site.fr
ServerName my_site.fr
Redirect 301 / https://my_site.fr/

site-enabled/site_msg.conf

ServerName my_site.fr
ServerAdmin root@localhost
ServerSignature Off
DocumentRoot /var/www
SSLEngine on
SSLCertificateFile /etc/ssl/certs/msg_server.crt
SSLCertificateKeyFile /etc/ssl/private/msg_server.key
.... snip ....

Apache is indeed listening on 443:

netstat -tulpn | grep :443
tcp6 0 0 :::443 :::* LISTEN 32020/apache2

Could anyone show me where I missed something?
Thanks
Philippe

Hi Philippe

Are you happy to provide your domain name? So we can run basic DNS checks etc.?

I’d suggest you try adding a test file in /domainroot/.well-known/acme-challenge/text with just some simple text in it. Then check that you can reach that file from the general internet, and that it’s presented as clear text.
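As an added example (not from this thread), a small Python pre-flight check for the test Serveco describes: confirm the challenge path is reachable, returns 200, and comes back as plain text. It assumes a plain-text file named after the token has been placed under DocumentRoot/.well-known/acme-challenge/, and it only proves something when run from a host your firewall does not already allow (a whitelisted own IP would mask the problem).

```python
import socket
import urllib.error
import urllib.request

def port_open(host, port, timeout=5.0):
    """TCP connect test. False means nothing listens there or a firewall
    rule drops the packet, which is what the 'could not connect' error means."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ports_reachable(host, ports=(80, 443)):
    """Both 80 and 443 must be open to *every* source, not only your own IP:
    the validation server connects from addresses you cannot predict."""
    return {p: port_open(host, p) for p in ports}

def check_challenge_file(host, token, expected, port=80, timeout=5.0):
    """Fetch http://host:port/.well-known/acme-challenge/<token> and report
    whether it is reachable, returned 200, and came back as plain text with
    the expected body. A 301 to https is followed, as the real client does."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    result = {"url": url, "tcp": port_open(host, port, timeout), "status": None,
              "plain_text": False, "body_matches": False}
    if not result["tcp"]:
        return result
    # Ignore proxy environment variables so the check reflects the direct path.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            result["status"] = resp.status
            ctype = resp.headers.get("Content-Type", "text/plain")
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        result["status"] = err.code  # 404 here is the "text" vs "test" mistake
        return result
    except (urllib.error.URLError, OSError):
        return result
    # Apache sends no Content-Type for an extensionless file; treat that as text.
    result["plain_text"] = ctype.split(";")[0].strip().startswith("text/")
    result["body_matches"] = body.strip() == expected.strip()
    return result

def challenge_ok(result):
    """True only when the validation server would be able to read the token."""
    return (result["tcp"] and result["status"] == 200
            and result["plain_text"] and result["body_matches"])
```

Call `ports_reachable("my_site.fr")` first; if either port shows False from outside, the firewall is the problem before any file check matters.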

Hi Serveco,

Thanks for such a quick response :smile: The domain name is my_site.fr
I'm going to find a way to try your suggestion, but I need another network. My own IP address, and only this one, is always authorized by my firewall rules.

I also notice that my firewall logs don't even show any attempt from external connections when letsencrypt was run.

If you call the file “test” I will also check from my location.

The DNS response I got from your nameserver ( dns111.ovh.net ) was slow responding, but it did respond correctly to the challenges that LE would give.

Your website isn’t responding for me - so it may be a firewall issue

Can you see anything on your firewall logs from my IP - 69…

For the time being, ports 80 and 443 are closed. Would you like me to open them for a while for your tests?
I also created the text file

You will need to open them up ( at least in the .well-known/acme-challenge folder) in order for letsencrypt to verify you have control of the domain, so yes please

Nope, there is no connection from 69.xxx
I need to check what my rules are …

I did it when I ran letsencrypt.
Now I just opened them for you

Thanks - I can access now - from a quick check I’m seeing a certificate error with your existing cert … looking

Ok I can see you now in FW logs

Those were my first tests with a self-signed certificate.

Did you create a file “test” in .well-known/acme-challenge? I'm getting a “The requested URL /.well-known/acme-challenge/test was not found on this server.” error

root@server:/var/www/.well-known/acme-challenge# ls -ali
total 12
263116 drwxr-xr-x 2 msg www-data 4096 mai 11 18:53 .
262960 drwxr-xr-x 3 msg www-data 4096 mai 11 18:52 ..
263153 -rw-r----- 1 msg www-data 33 mai 11 18:53 text

ahh, “text” and “test” :slight_smile:

Yes, that works fine, and was delivered as plain text. So everything looks OK on that.

For the first certificate it may be as well to use “standalone mode” since that will create an SSL cert that LE is happy with and provide you with a full certificate.

Oooops! Sorry for this mistake!!

Do you mean that I have to use another syntax with letsencrypt, with the standalone flag?

No problem, could just as easily have been me :slight_smile:

Shutting down your apache and using letsencrypt with the standalone flag is probably the easiest, yes.

Alternatively, we can look at correcting issues with your existing SSL cert or whatever the issue is there.

Well, I think it is better to go on with letsencrypt. The current certificate is self-signed, so I don't think it is usable anymore, as I would like to avoid users who connect to the site getting “this site is not trusted …”.

Understood. Hence that’s probably the quickest way. Once you have the certificate you can then close down your firewall again.

Ok… I hope this will also be OK for me, as I still don't know what causes that error…
Anyway, a thousand thanks for your kind help.