Server could not connect to the client to verify the domain

Hello,

I’m trying to renew a certificate and I can’t stop getting this message:

Attempting to renew cert from /etc/letsencrypt/renewal/mail.ex-nihilo-paris.com.conf produced an unexpected error: Failed authorization procedure. mail.ex-nihilo-paris.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.ex-nihilo-paris.com/.well-known/acme-challenge/fb9D3S51twTLKeGSIuTWD1VPdVM5Pzxv7ixrE3mTNHM: Timeout. Skipping.

I double checked there was no issue with the domain (it’s a production domain, accessible from everywhere), no firewall issue (port 80 is opened). The authenticator is standalone and opens a listining socket (I can see 0.0.0.0:80 opened by a python process while waiting for the challenge response).

Could you please tell me what could go wrong? Is there another way to renew the certificate, it expires in 3 days (I had to wait for holidays as our office is closed to renew the certificate).

Thanks! :slight_smile:

$ host mail.ex-nihilo-paris.com
mail.ex-nihilo-paris.com has address 51.255.78.216
mail.ex-nihilo-paris.com has IPv6 address 2001:41d0:203:1d8::

Check the connectivity of your ipv6 address: if there is an IPv6 AAAA record for a given domain, the acme server only connects via IPv6.

1 Like

Both IP v4 and v6 are configured on this machine. Nevertheless, running /usr/bin/certbot renew does not open any IP v6 socket listing on port 80…

If I try and connect - I can’t on port 80

user@serverco:~$ curl -i "http://mail.ex-nihilo-paris.com/.well-known/acme-challenge/fb9D3S51twTLKeGSIuTWD1VPdVM5Pzxv7ixrE3mTNHM"
curl: (7) Failed to connect to mail.ex-nihilo-paris.com port 80: Connection refused

The certbot standalone http server stops as soon as the timeout occurs. Seems normal you can’t connect.

OK - I didn’t realise you were using it in standalone mode.

Can you provide a little more information on your setup please. Are you using certbot ? or some other script ? ( sorry, reading to fast - you do mention certbot )

Does the DNS resolve correctly within the server itself ?

It should be worth trying the parameter --http-01-address with certbot.
Use your ipv6 address as argument.

Yes, it does. This is a production mail server, running zimbra (MX are resolved the right way, A and AAAA too).

The conf file contains the following:
pref_challs = http-01,

Is it enough?

Just try it out with the additional parameter. The configuration file can be left as is.

$ /usr/bin/certbot renew --http-01-address
certbot: error: unrecognized arguments: --http-01-address

I have a NGinx server installed, running on port 443. I can also make it run on port 80 (currently only serves Zimbra webmail through SSL). I tried the “nginx” authenticator, but this fails as the plugin is not installed (I don’t even know how to install it and if it may be useful).

Is there a way for certbot to export a /.well-known/acme-challenge/XXXXXX file in a selected folder (webroot parameter) and let NGinx deliver this file?

You can use the manual option to provide the challenge file - although the renew should work.

When you use the renew - can you access the location on port 80 from an external address during the short period before it times out ?

You have to specify your ipv6 address as argument to --http-01-address.

$ /usr/bin/certbot renew --http-01-address 2001:41d0:203:1d8::
certbot: error: unrecognized arguments: --http-01-address 2001:41d0:203:1d8::

Chances are high that you are not running the latest version of the client. Try updating it.

Indeed. Was version 0.14.2. Updated to version 0.19. No more “unrecognized arguments error”, but still no chance to get the certificate renewed with the exact same issue : The server could not connect to the client to verify the domain.

And now, I have to wait for an hour: Too many failed authorizations recently…

Meanwhile, I will try to figure out how webroot works and try to make Nginx respond instead of the standalone server.

Hi @MaxEvron,

Doesn’t matter what method you use (manual, webroot, standalone…), your server is not answering requests to your IPv6 address and as @bytecamp said, Let’s Encrypt will try to validate your domain using IPv6 address if it is present.

Trying to connect to your mail server using IPv4 -> OK

$ telnet -4 mail.ex-nihilo-paris.com 25
Trying 51.255.78.216...
Connected to mail.ex-nihilo-paris.com.
Escape character is '^]'.
220 mail.ex-nihilo-paris.com ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

Trying to connect to your mail server using IPv6 -> TIMEOUT

$ telnet -6 mail.ex-nihilo-paris.com 25
Trying 2001:41d0:203:1d8::...
telnet: Unable to connect to remote host: Connection timed out

Trying to connect to your nginx server using IPv4 -> OK

$ curl -4IkL https://mail.ex-nihilo-paris.com
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Dec 2017 15:12:29 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Language: en-US
Set-Cookie: ZM_TEST=true;Secure
Vary: User-Agent
X-UA-Compatible: IE=edge

Trying to connect to your nginx server using IPv6 -> TIMEOUT

$ curl -6IkLv https://mail.ex-nihilo-paris.com
* Rebuilt URL to: https://mail.ex-nihilo-paris.com/
*   Trying 2001:41d0:203:1d8::...
* TCP_NODELAY set
* connect to 2001:41d0:203:1d8:: port 443 failed: Connection timed out
* Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out

Are you sure your IPv6 address is correctly configured? Because for me, 2001:41d0:203:1d8:: looks like an anycast address.

Or you remove the AAAA record for domain mail.ex-nihilo-paris.com or configure your server and/or AAAA record correctly so your server can be reached using IPv6.

Good luck,
sahsanu

1 Like

Hi Sahsanu.

This seems to be the issue. I’m trying to find informations from my provider to set up IPv6 the right way. The out-of-the-box configuration for this server does not seem to be enough.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.