Server could not connect to the client to verify the domain

MaxEvron · 2017-12-27 12:37:40 UTC

Hello,

I’m trying to renew a certificate and I can’t stop getting this message:

Attempting to renew cert from /etc/letsencrypt/renewal/mail.ex-nihilo-paris.com.conf produced an unexpected error: Failed authorization procedure. mail.ex-nihilo-paris.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.ex-nihilo-paris.com/.well-known/acme-challenge/fb9D3S51twTLKeGSIuTWD1VPdVM5Pzxv7ixrE3mTNHM: Timeout. Skipping.

I double checked there was no issue with the domain (it’s a production domain, accessible from everywhere), no firewall issue (port 80 is opened). The authenticator is standalone and opens a listining socket (I can see 0.0.0.0:80 opened by a python process while waiting for the challenge response).

Could you please tell me what could go wrong? Is there another way to renew the certificate, it expires in 3 days (I had to wait for holidays as our office is closed to renew the certificate).

Thanks!

bytecamp · 2017-12-27 12:42:02 UTC

$ host mail.ex-nihilo-paris.com
mail.ex-nihilo-paris.com has address 51.255.78.216
mail.ex-nihilo-paris.com has IPv6 address 2001:41d0:203:1d8::

Check the connectivity of your ipv6 address: if there is an IPv6 AAAA record for a given domain, the acme server only connects via IPv6.

MaxEvron · 2017-12-27 12:50:00 UTC

Both IP v4 and v6 are configured on this machine. Nevertheless, running /usr/bin/certbot renew does not open any IP v6 socket listing on port 80…

serverco · 2017-12-27 13:21:18 UTC

If I try and connect - I can’t on port 80

user@serverco:~$ curl -i "http://mail.ex-nihilo-paris.com/.well-known/acme-challenge/fb9D3S51twTLKeGSIuTWD1VPdVM5Pzxv7ixrE3mTNHM"
curl: (7) Failed to connect to mail.ex-nihilo-paris.com port 80: Connection refused

MaxEvron · 2017-12-27 13:22:54 UTC

The certbot standalone http server stops as soon as the timeout occurs. Seems normal you can’t connect.

serverco · 2017-12-27 13:26:38 UTC

OK - I didn’t realise you were using it in standalone mode.

Can you provide a little more information on your setup please. Are you using certbot ? or some other script ? ( sorry, reading to fast - you do mention certbot )

Does the DNS resolve correctly within the server itself ?

bytecamp · 2017-12-27 13:30:33 UTC

It should be worth trying the parameter --http-01-address with certbot.
Use your ipv6 address as argument.

MaxEvron · 2017-12-27 13:33:01 UTC

Yes, it does. This is a production mail server, running zimbra (MX are resolved the right way, A and AAAA too).

MaxEvron · 2017-12-27 13:37:12 UTC

The conf file contains the following:
pref_challs = http-01,

Is it enough?

bytecamp · 2017-12-27 13:38:35 UTC

Just try it out with the additional parameter. The configuration file can be left as is.

MaxEvron · 2017-12-27 13:42:59 UTC

$ /usr/bin/certbot renew --http-01-address
certbot: error: unrecognized arguments: --http-01-address

I have a NGinx server installed, running on port 443. I can also make it run on port 80 (currently only serves Zimbra webmail through SSL). I tried the “nginx” authenticator, but this fails as the plugin is not installed (I don’t even know how to install it and if it may be useful).

Is there a way for certbot to export a /.well-known/acme-challenge/XXXXXX file in a selected folder (webroot parameter) and let NGinx deliver this file?

serverco · 2017-12-27 13:47:04 UTC

You can use the manual option to provide the challenge file - although the renew should work.

When you use the renew - can you access the location on port 80 from an external address during the short period before it times out ?

bytecamp · 2017-12-27 13:47:49 UTC

You have to specify your ipv6 address as argument to --http-01-address.

MaxEvron · 2017-12-27 13:49:10 UTC

$ /usr/bin/certbot renew --http-01-address 2001:41d0:203:1d8::
certbot: error: unrecognized arguments: --http-01-address 2001:41d0:203:1d8::

bytecamp · 2017-12-27 13:53:15 UTC

Chances are high that you are not running the latest version of the client. Try updating it.

MaxEvron · 2017-12-27 14:01:26 UTC

Indeed. Was version 0.14.2. Updated to version 0.19. No more “unrecognized arguments error”, but still no chance to get the certificate renewed with the exact same issue : The server could not connect to the client to verify the domain.

And now, I have to wait for an hour: Too many failed authorizations recently…

Meanwhile, I will try to figure out how webroot works and try to make Nginx respond instead of the standalone server.

sahsanu · 2017-12-27 15:23:32 UTC

Hi @MaxEvron,

Doesn’t matter what method you use (manual, webroot, standalone…), your server is not answering requests to your IPv6 address and as @bytecamp said, Let’s Encrypt will try to validate your domain using IPv6 address if it is present.

Trying to connect to your mail server using IPv4 -> OK

$ telnet -4 mail.ex-nihilo-paris.com 25
Trying 51.255.78.216...
Connected to mail.ex-nihilo-paris.com.
Escape character is '^]'.
220 mail.ex-nihilo-paris.com ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

Trying to connect to your mail server using IPv6 -> TIMEOUT

$ telnet -6 mail.ex-nihilo-paris.com 25
Trying 2001:41d0:203:1d8::...
telnet: Unable to connect to remote host: Connection timed out

Trying to connect to your nginx server using IPv4 -> OK

$ curl -4IkL https://mail.ex-nihilo-paris.com
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Dec 2017 15:12:29 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Language: en-US
Set-Cookie: ZM_TEST=true;Secure
Vary: User-Agent
X-UA-Compatible: IE=edge

Trying to connect to your nginx server using IPv6 -> TIMEOUT

$ curl -6IkLv https://mail.ex-nihilo-paris.com
* Rebuilt URL to: https://mail.ex-nihilo-paris.com/
*   Trying 2001:41d0:203:1d8::...
* TCP_NODELAY set
* connect to 2001:41d0:203:1d8:: port 443 failed: Connection timed out
* Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out

Are you sure your IPv6 address is correctly configured? Because for me, 2001:41d0:203:1d8:: looks like an anycast address.

Or you remove the AAAA record for domain mail.ex-nihilo-paris.com or configure your server and/or AAAA record correctly so your server can be reached using IPv6.

Good luck,
sahsanu

MaxEvron · 2017-12-27 15:46:24 UTC

Hi Sahsanu.

This seems to be the issue. I’m trying to find informations from my provider to set up IPv6 the right way. The out-of-the-box configuration for this server does not seem to be enough.

system · 2018-01-26 15:46:31 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.