Server could not connect to client (again) - debug possible?


#1

So I am getting the typical “server could not connect to client for DV” error. I’ve gone to the extent of running tcpdump to find that the server can in fact connect to the client and vice-versa. When I run letsencrypt-auto my server connects outbound via HTTPS, then it accepts a connection via HTTPS. This goes back and forth for about 200+ packets after which I get the “server could not connect” error.

Ubuntu 14.04
Not using Cloudflare
Tried both HTTP and HTTPS
Tried standalone
Tried Apache

The only thing that works is if I use the manual -a switch and copy the commands to create my own listening HTTP server. Doing this I can get the cert files. However this is not a process I want to try and repeat every 90 days.

What I am wondering is if there is any way to debug the connection process and maybe get some more info? Clearly my client and the server are talking but something else is going wrong along the way. Is there any way to get more information on what might be happening?


#2

I generally start with just a manual test … create a .well-known/acme-challenge folder, place a small file in (just called “test” or something and with contents “test contents”), then check from an external browser that I can reach that file, and read it, as plain text. There may well be a redirect or something else that is preventing access to that location in your current apache config.

I’d also make sure you do testing with the staging server, so that you don’t run into rate limits for real certificate generation.
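The manual test from post #2, scripted as an added example (not code from the thread or from letsencrypt-auto); it assumes the Apache DocumentRoot and the domain are passed as arguments and that curl is installed:

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: $1 is Apache's DocumentRoot
# for the domain, $2 is the domain name, curl is available.

# Step 1 of post #2: create .well-known/acme-challenge/test with known contents.
create_test_token() {
  webroot="$1"
  mkdir -p "$webroot/.well-known/acme-challenge" || return 1
  printf 'test contents' > "$webroot/.well-known/acme-challenge/test" || return 1
  chmod 644 "$webroot/.well-known/acme-challenge/test"
}

# Interpret one fetch result (HTTP status, redirect target, body) and print a
# verdict. Redirects are reported rather than followed, because a redirect is
# exactly what post #2 suspects is getting in the way.
classify_fetch() {
  code="$1"; redirect="$2"; body="$3"
  case "$code" in
    200)
      if [ "$body" = "test contents" ]; then
        echo "ok: token served as plain text"
      else
        echo "wrong body: got '$body' (rewritten or a custom page?)"
      fi ;;
    301|302|307|308) echo "redirect to $redirect: check that target serves the file" ;;
    000) echo "no connection at all" ;;
    *) echo "unexpected status $code" ;;
  esac
}

# Step 2: fetch the token over plain HTTP and classify the answer. Run this
# from a host outside your network, as post #2 says, not on the web server.
check_token_externally() {
  domain="$1"
  tmp=$(mktemp) || return 1
  # -o writes the body to a file; -w prints the status and any Location target.
  result=$(curl -s -o "$tmp" -w '%{http_code} %{redirect_url}' \
    "http://$domain/.well-known/acme-challenge/test")
  code=${result%% *}
  redirect=${result#* }
  classify_fetch "$code" "$redirect" "$(cat "$tmp")"
  rm -f "$tmp"
}

# Usage (uncomment): on the web server:  create_test_token /var/www/html
#                    from outside:       check_token_externally example.com
```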


#3

Just to close off this topic. I tracked down the issue to something that is probably not typical for most users but I’ll mention it just in case. I had set up SSL decryption on an external security appliance using the known cert/key on the web server. What was happening is that the HTTPS conversation that was being initiated between letsencrypt and the standalone web server was using a different certificate/key than my current Apache server. As a result the security device was blocking the SSL connection somewhere after the server hello. So, chalk it up to user error; hopefully if someone else runs across anything similar my experience will help.

Thanks!