[SOLVED] | Failed to Connect | TLS-SNI-01


#1

SOLUTION:
I was Country Blocking. T_T

My domain is:
censored
I ran this command:
letsencrypt --apache
It produced this output:
Failed to connect to XXX.XXX.XXX.XXX:443 for TLS-SNI-01 challenge

My operating system is (include version):
Ubuntu 16.04.1 LTS
My web server is (include version):
Apache/2.4.18 (Ubuntu)
Server built: 2016-07-14T12:32:26

My hosting provider, if applicable, is:
/
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

Additional Info:

XXX.XXX.XXX.XXX:8888 => 80 HTTP on Apache
XXX.XXX.XXX.XXX:443 => 443 HTTPS on Apache

Also Tried:
./certbot-auto certonly --standalone --preferred-challenges http-01 --http-01-port 8888
Which results in:

Failed authorization procedure. website.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to website.com

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: website.com
Type: connection
Detail: Could not connect to website.com

And from a Different Machine outside of the Network:

curl -I XXX.XXX.XXX.XXX:8888

HTTP/1.1 302 Found
Date: Thu, 16 Feb 2017 09:27:47 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: http://XXX.XXX.XXX.XXX:8888/hub
Content-Type: text/html; charset=iso-8859-1

curl -I https://XXX.XXX.XXX.XXX:443

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

There is currently a Self Signed Certificate deployed on *443

Could you guys help me?
Thanks in Advance


#2

Do you have more output than just this bit?

Sounds like it should work, but for some reason it doesn’t… Strange… More info is always better :wink:

By the way, the --http-01-port switch for standalone is just for setting the port for the temporary server; the Let’s Encrypt validation server will always try to connect to port 80. The --http-01-port switch is there only for cases where you internally map port 80 -> 8888 or something like that.


#3

Greetings,

The Full Output is:

Failed authorization procedure. website.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XXX.XXX.XXX.XXX:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: website.com
Type: connection
Detail: Failed to connect to XXX.XXX.XXX.XXX:443 for TLS-SNI-01 challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My A Record is Correct & the Server is available.

The Thing I cannot do is Reach my External IP (XXX.XXX.XXX.XXX) from within itself.
But since the Validation Server is Checking from Outside, that shouldn’t hinder, right?

Thanks!


#4

Correct.

I can’t seem to find a good reason why LE couldn’t connect…

I would recommend to try the http-01 challenge with the webroot plugin, but your server isn’t available through port 80, correct?


#5

Yes, that’s Correct.
This Apache’s Port 80 is Available via port 8888 on the External IP.

However, I should be able to use port 8888, no?
I tried that as well (it’s in the first post):

./certbot-auto certonly --standalone --preferred-challenges http-01 --http-01-port 8888
which results in:

Failed authorization procedure. coxcloud.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to coxcloud.de

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: coxcloud.de
Type: connection
Detail: Could not connect to coxcloud.de

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Thanks for your Support so far :wink:


#6



#7

I see. Thanks for that.
If I hypothetically set this Webserver to be available from 80 on the Outside for a minute, get my certs and move everything back, would I be able to renew the certs without a validation?

I mean… probably not… just wondering…


#8

The whole point of getting Let’s Encrypt to connect to your server is validation…

But yes, that should work, with the webroot plugin.


#9

I evidently have the same or similar problem. I can SSH in or HTTP or Putty. Server is Pi3 with Apache. When I go through the exercise of generating the certificate I get:

Failed authorization procedure. chuchi1-ve7bul.pagekite.me (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 35.160.161.226:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: chuchi1-ve7bul.pagekite.me
    Type: tls
    Detail: Failed to connect to 35.160.161.226:443 for TLS-SNI-01 challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    you have an up-to-date TLS configuration that allows the server to
    communicate with the Certbot client.
    root@raspberrypi:/home/pi#

It does not help that I am an extreme greenhorn at this and am subsequently lost as to a course of action.
It does not matter to me if someone accesses the site as it was only intended as a web-cam anyway. Thanks for looking.


#10

Greetings,

There’s a Problem on your End: the Server you’re trying to validate is not available on Port 443.

curl -I 35.160.161.226:443

HTTP/1.1 503 Unavailable
X-PageKite-UUID: 6dc894b0fc7c8e87e83da396adf4f17e4a4fd577
Content-Type: text/html; charset=utf-8
Pragma: no-cache
Expires: 0
Cache-Control: no-store
Connection: close

You should be able to work with the HTTP-01 Challenge, as this uses Port 80:
./certbot-auto certonly --standalone --preferred-challenges http-01
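Added example (my own code, not from any poster in this thread): a small Python helper that parses the "Failed authorization procedure" lines quoted in posts #1, #3, #5 and #9 and reports, for each, the public port the Let’s Encrypt validation server actually dialed and what to check, encoding the point from #2 that --http-01-port never changes the CA’s target port. The sample output is constructed from those quoted lines; `reachable` is a live TCP check and is only meaningful when run from a host outside the server’s own network, which is what the curl checks in this thread do by hand.

```python
import re
import socket

# Port the Let's Encrypt validation server connects to for each challenge
# type. The --http-01-port switch only moves the local standalone listener;
# the CA itself always dials port 80 of the address in the domain's A record.
CHALLENGE_PORT = {"http-01": 80, "tls-sni-01": 443}

FAILURE_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:acme:error:(?P<error>\w+) :: (?P<detail>[^\n]*)"
)

# Constructed sample: the failure lines quoted in this thread, one per line.
SAMPLE_OUTPUT = """\
Failed authorization procedure. website.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XXX.XXX.XXX.XXX:443 for TLS-SNI-01 challenge
Failed authorization procedure. website.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to website.com
Failed authorization procedure. chuchi1-ve7bul.pagekite.me (tls-sni-01): urn:acme:error:tls :: The server experienced a TLS error during domain verification :: Failed to connect to 35.160.161.226:443 for TLS-SNI-01 challenge
"""


def parse_failures(output):
    """Return one dict (domain, challenge, error, detail) per failure line."""
    return [m.groupdict() for m in FAILURE_RE.finditer(output)]


def explain(failure):
    """Map a parsed failure to the public port the CA tried and what to verify."""
    port = CHALLENGE_PORT.get(failure["challenge"])
    if failure["error"] == "connection":
        hint = ("no TCP connection from the CA: test port %s of the public IP from a host "
                "outside your network; check NAT/port mapping, firewall and geo-blocking" % port)
    elif failure["error"] == "tls":
        hint = ("TCP connected but no usable TLS on 443: something other than your web server "
                "(e.g. a tunnel or proxy answering with plain HTTP) is terminating the port")
    else:
        hint = "see the certbot detail line: " + failure["detail"]
    return {"domain": failure["domain"], "public_port": port, "hint": hint}


def reachable(host, port, timeout=5.0):
    """Live TCP check; only meaningful when run from outside the server's network."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for failure in parse_failures(SAMPLE_OUTPUT):
        result = explain(failure)
        print(failure["domain"], failure["challenge"], "-> port", result["public_port"], ":", result["hint"])
```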


#11

That syntax assumes using the standalone plugin while @Gil has Apache running. I’d rather suggest using the webroot plugin, so @Gil doesn’t have to stop his running Apache and restart it again afterwards.


#12

+1

I have the exact same issue as @Y05H10.

Failed authorization procedure. website.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XXX.XXX.XXX.XXX:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: website.com
Type: connection
Detail: Failed to connect to XXX.XXX.XXX.XXX:443 for TLS-SNI-01 challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

The strange thing is I can dig my DNS entry and get all the data that LE says might be wrong (DNS A record is there, IP is correct). Furthermore I can reach SSH, Port 80 and Port 443 (with test apache servers I set up using self signed certificates) from my computer or through various proxies.

With LE, all means that require LE contacting my server fail (Apache, webroot, standalone). The server is a vanilla Ubuntu box with no firewall etc. set up.

I’m sort of out of ideas - the only thing I can think of is that the place that hosts my servers (servdiscount.com, btw) blocks traffic inbound from letsencrypt’s verification servers - for whatever reason they would do that.

I was finally able to resolve it by using Neilpang’s ACME Shell Script and using the DNS mode.

However, it still bugs me it doesn’t work the way it should… Anybody got any ideas?


#13

Great Tip! Thanks!

Since you successfully did this, could you maybe help me?
Given the Instructions, I need to create a new subdomain called _acme-challenge.domain and give this a txt record, is that correct?

Sadly my Provider (Strato AG) does not allow underscore as a subdomain and adding the txt to the domain itself does not work.

Any idea?


#14

Actually, you don’t create a subdomain but rather a TXT entry with the Name Server in charge of your domain. I’ve never used Strato before, so I’m not quite sure about what they let you configure or not.

Just to give you an idea what to look for, with the place where I registered my domain, it looks like this:

An ‘A’ entry is equivalent to a subdomain, a ‘TXT’ entry is what you need for the DNS method to work.

I’m starting to think certain German hosters may prevent LE from accessing the servers for the authorization procedure - any other people affected?

Good luck!

EDIT: I actually guess I’m not really right, there will be an underscore in the field that is called ‘Host Name’ despite the fact it’s ‘only’ a TXT entry. So you might be out of luck with Strato :confused: Sorry…


#15

Just for reference, strato domain

That’s what I can set for each Domain / Subdomain in my TXT Record.

Rough Translation:

-Deactivate
-Activate

SPF-Rule:
-Default Strato Mailserver
-FAIL : Mailserver equals MX Entry of the Domain / Subdomain
-SOFTFAIL : Mailserver equals MX Entry of the Domain / Subdomain

TXT-Rule:
-UserDefined
[input_field]

I can set a value and see it with mxtoolbox.com, for example.


#16

Thanks for the reply. I figured there was a problem on my end, as I stated I am new at this. What you fellows are talking about does not really do me any good as it is over my head. I have tried a few more things, without making any headway. I suspect maybe I should start over and not bother with the ssl at all, and take my chances, or perhaps write it all off to experience and cut my losses. The thing is I suspect that it is almost there, and I don’t want to give up, but at this time I don’t know what else to do. I suspect that Certbot was NOT the answer to the problem, as I am smart enough to follow the instructions and it obviously does not work. I have tried so many things now that I don’t even know if I have messed up configurations elsewhere by my blundering about, doing and undoing, and that is part of the problem. Anyway thanks for trying. 73.


#17

Hi @Gil,

There were other people in this thread talking about a totally different problem that has no real connection to yours, which is probably the source of a lot of the confusion (here, talking about other alternative ways to get Let’s Encrypt certificates). This is unfortunately likely to happen sometimes when posting in an existing thread, even if it first appears to be related to your situation.

If you start a new thread on this forum under the category “Help”, it will ask you a number of specific questions which will help people to help you better, and hopefully other people won’t interject a different discussion. That’s what I’d suggest if you still have any appetite for looking into your problem. People on this forum have often been extremely helpful and able to diagnose a pretty wide range of problems.


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.