Hi,
I have a problem when I try to renew my SSL certificate.Attempting to renew cert from /etc/letsencrypt/renewal/my-site.fr.conf produced an unexpected error: Failed authorization procedure. my-site.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my-site.fr/.well-known/acme-challenge/8TMamusugLC0gWioyvXx7NcQTKOqdvQ64_xMqMkYsls: Timeout, www.my-site.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.my-site.fr/.well-known/acme-challenge/4HPyCNmnCX-X0TKbP1TblahIhQro6-FRZZCYkRCahpM: Timeout. Skipping.
My configuration:
The 8080 & 443 ports are open on my box and by iptables, and is defined on Apache configuration.
The renew command is executed with a specific user, on a ksh script (with “sudo”).
The SSL certificate, which used by 3 servers and 1 NAS, is on a repertory on my NAS, which is mounted with NFS (/NFS_Mounts/SSL_KEYS) on all.
The repertory “/etc/letsencrypt” is present on the server where I execute ksh script.
Hi,
Can you please fill the form and revail us the true domain?
(Although the problem might be port 80 blocked)
Thank you
My domain is: mehl-family.fr
That’s timing out for me on port 80 - are you positive that 176.158.13.50 is the correct IP address, and that it’s reachable from the outside world?
It’s the right IP yes.
HTTP validation makes a connection on port 80. (Though it will follow redirects to port 443.)
If there’s a firewall blocking port 80, you have to unblock it.
If that’s not possible, you can use DNS validation, but that may take some setup.
port 80 isn’t blocked…
Well, then http-01 isn't going to work for you. This challenge type must initiate connection on port 80, so your web server has to be accessible on port 80 from the outside world. It will follow redirects, however.
This makes it sound like you're saying 80 is blocked:
OK…
I’ve checked my box firewall… Port 80 is authorised, just to my server IP.
I’ve checked netstat on my server:
I’ve checked my iptables rules:
Did I forget something ?
Is it forwarded through whatever router is in front of your server?
I’m French, sorry for my english and if I don’t understand the good sense of a question.
My servers are behind a internet box.
Not a problem! I assume by “internet box”, you’re operating this on a residential internet connection? If so, you’ll need to make sure port 80 on the outside routes to your server. This is usually set up in a port forwarding page somewhere on the internet box.
However, not all residential internet providers allow inbound access on port 80 (which I think might be why you’re using 8080?) If this is the case, you’ll probably need to look into using DNS authorization instead, or asking your internet service provider to allow inbound port 80.
Ouchhhh…
I’ve retried to renew certificate: KO. With the same message.
Still no good from my end:
# curl http://mehl-family.fr
curl: (7) couldn't connect to host
What’s the “from” port in that setup?
It’s OK…
It was an iptables rule that I forgot:
I had put “output” rule, but not “input”.
And now, the certificate was renewed.
Thank’s for your help.
A last question: letsencrypt use only 80 or 80 + 443 ?
Let's encrypt only connect to port 80 first for HTTP01 verification. (Which can follow redirect to other ports, especially port 443) however, you must connect to port 80 first before to other port.
Thus if I block 443, no problem with letsencrypt?
schoen
March 12, 2018, 8:45pm
18
Unless you’re redirecting to it.
system
April 11, 2018, 8:50pm
20
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.