Server could not connect to the client to verify the domain


#1

Hello,

I’m trying to renew a certificate and I can’t stop getting this message:

Attempting to renew cert from /etc/letsencrypt/renewal/mail.ex-nihilo-paris.com.conf produced an unexpected error: Failed authorization procedure. mail.ex-nihilo-paris.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.ex-nihilo-paris.com/.well-known/acme-challenge/fb9D3S51twTLKeGSIuTWD1VPdVM5Pzxv7ixrE3mTNHM: Timeout. Skipping.

I double checked there was no issue with the domain (it’s a production domain, accessible from everywhere), no firewall issue (port 80 is open). The authenticator is standalone and opens a listening socket (I can see 0.0.0.0:80 opened by a python process while waiting for the challenge response).

Could you please tell me what could go wrong? Is there another way to renew the certificate? It expires in 3 days (I had to wait for the holidays, as our office is closed, to renew the certificate).

Thanks!


#2

$ host mail.ex-nihilo-paris.com
mail.ex-nihilo-paris.com has address 51.255.78.216
mail.ex-nihilo-paris.com has IPv6 address 2001:41d0:203:1d8::

Check the connectivity of your IPv6 address: if there is an IPv6 AAAA record for a given domain, the ACME server only connects via IPv6.


#3

Both IPv4 and IPv6 are configured on this machine. Nevertheless, running /usr/bin/certbot renew does not open any IPv6 socket listening on port 80…


#4

If I try to connect, I can’t on port 80:

user@serverco:~$ curl -i "http://mail.ex-nihilo-paris.com/.well-known/acme-challenge/fb9D3S51twTLKeGSIuTWD1VPdVM5Pzxv7ixrE3mTNHM"
curl: (7) Failed to connect to mail.ex-nihilo-paris.com port 80: Connection refused


#5

The certbot standalone http server stops as soon as the timeout occurs. Seems normal you can’t connect.


#6

OK - I didn’t realise you were using it in standalone mode.

Can you provide a little more information on your setup please? Are you using certbot, or some other script? (Sorry, reading too fast: you do mention certbot.)

Does the DNS resolve correctly within the server itself?


#7

It might be worth trying the parameter --http-01-address with certbot.
Use your IPv6 address as argument.


#8

Yes, it does. This is a production mail server, running zimbra (MX are resolved the right way, A and AAAA too).


#9

The conf file contains the following:
pref_challs = http-01,

Is it enough?


#10

Just try it out with the additional parameter. The configuration file can be left as is.


#11

$ /usr/bin/certbot renew --http-01-address
certbot: error: unrecognized arguments: --http-01-address

I have an nginx server installed, running on port 443. I can also make it run on port 80 (currently it only serves the Zimbra webmail through SSL). I tried the “nginx” authenticator, but this fails as the plugin is not installed (I don’t even know how to install it or whether it may be useful).

Is there a way for certbot to export a /.well-known/acme-challenge/XXXXXX file into a selected folder (webroot parameter) and let nginx deliver this file?


#12

You can use the manual option to provide the challenge file, although the renew should work.

When you use the renew, can you access the location on port 80 from an external address during the short period before it times out?


#13

You have to specify your IPv6 address as argument to --http-01-address.


#14

$ /usr/bin/certbot renew --http-01-address 2001:41d0:203:1d8::
certbot: error: unrecognized arguments: --http-01-address 2001:41d0:203:1d8::


#15

Chances are high that you are not running the latest version of the client. Try updating it.


#16

Indeed. It was version 0.14.2. Updated to version 0.19. No more “unrecognized arguments” error, but still no chance to get the certificate renewed, with the exact same issue: The server could not connect to the client to verify the domain.

And now, I have to wait for an hour: Too many failed authorizations recently…

Meanwhile, I will try to figure out how webroot works and try to make nginx respond instead of the standalone server.


#17

Hi @MaxEvron,

It doesn’t matter what method you use (manual, webroot, standalone…): your server is not answering requests to your IPv6 address and, as @bytecamp said, Let’s Encrypt will try to validate your domain using the IPv6 address if one is present.

Trying to connect to your mail server using IPv4 -> OK

$ telnet -4 mail.ex-nihilo-paris.com 25
Trying 51.255.78.216...
Connected to mail.ex-nihilo-paris.com.
Escape character is '^]'.
220 mail.ex-nihilo-paris.com ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.

Trying to connect to your mail server using IPv6 -> TIMEOUT

$ telnet -6 mail.ex-nihilo-paris.com 25
Trying 2001:41d0:203:1d8::...
telnet: Unable to connect to remote host: Connection timed out

Trying to connect to your nginx server using IPv4 -> OK

$ curl -4IkL https://mail.ex-nihilo-paris.com
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 27 Dec 2017 15:12:29 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0
Connection: keep-alive
X-Frame-Options: SAMEORIGIN
Expires: -1
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Content-Language: en-US
Set-Cookie: ZM_TEST=true;Secure
Vary: User-Agent
X-UA-Compatible: IE=edge

Trying to connect to your nginx server using IPv6 -> TIMEOUT

$ curl -6IkLv https://mail.ex-nihilo-paris.com
* Rebuilt URL to: https://mail.ex-nihilo-paris.com/
*   Trying 2001:41d0:203:1d8::...
* TCP_NODELAY set
* connect to 2001:41d0:203:1d8:: port 443 failed: Connection timed out
* Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out

Are you sure your IPv6 address is correctly configured? Because for me, 2001:41d0:203:1d8:: looks like an anycast address.

Either remove the AAAA record for domain mail.ex-nihilo-paris.com, or configure your server and/or AAAA record correctly so your server can be reached using IPv6.

Good luck,
sahsanu
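A pre-renewal reachability check in the spirit of the probes in #2 and #17, as an added example that is not from the thread or from certbot: it takes the A/AAAA answers (the `host` output quoted in #2 is embedded as a constructed sample) and, because the validator connects over IPv6 whenever an AAAA record exists, flags every published address that does not accept a TCP connection on port 80. The `probe` parameter is an assumption that lets the decision logic run without touching the network.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample: the `host` answers quoted in #2 above.
SAMPLE_HOST_OUTPUT = """\
mail.ex-nihilo-paris.com has address 51.255.78.216
mail.ex-nihilo-paris.com has IPv6 address 2001:41d0:203:1d8::
"""

def parse_host_output(text: str) -> Dict[str, List[str]]:
    """Split `host` output into its A and AAAA answers."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for line in text.splitlines():
        if " has IPv6 address " in line:
            records["AAAA"].append(line.split()[-1])
        elif " has address " in line:
            records["A"].append(line.split()[-1])
    return records

def tcp_probe(addr: str, port: int, timeout: float = 5.0) -> bool:
    """Attempt a TCP connect to addr:port; False on refusal or timeout."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
        return True
    except OSError:
        return False

def preflight(records: Dict[str, List[str]],
              probe: Callable[[str, int], bool] = tcp_probe,
              port: int = 80) -> Tuple[str, List[str]]:
    """Return ("ok" | "fail", problems) for an http-01 validation.
    The validator connects over IPv6 whenever an AAAA record exists, so an
    unreachable AAAA address fails validation even when IPv4 works."""
    if not records["A"] and not records["AAAA"]:
        return "fail", ["no A or AAAA record"]
    problems = [f"{rtype} {addr} unreachable on port {port}"
                for rtype in ("AAAA", "A")
                for addr in records[rtype]
                if not probe(addr, port)]
    return ("fail" if problems else "ok"), problems

if __name__ == "__main__":
    # Stand-in probe so the sample run does not contact the thread's hosts.
    print(preflight(parse_host_output(SAMPLE_HOST_OUTPUT), probe=lambda a, p: ":" not in a))
```

Run against real DNS data by feeding it the output of `host your.domain` and leaving `probe` at its default; a reported AAAA problem means the record must be fixed or removed before `certbot renew` will succeed.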


#18

Hi Sahsanu.

This seems to be the issue. I’m trying to find information from my provider to set up IPv6 the right way. The out-of-the-box configuration for this server does not seem to be enough.

