Sudo ./certbot-auto renew --dry-run ErrorLog

Can someone tell why 2 of 5 virtual hosts give error?

[details=renew Log (sudo ./certbot-auto renew --dry-run)]2017-03-19

2017-03-19 15:54:31,790:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: otdih-abhazia.ru
Type: connection
Detail: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

Domain: www.otdih-abhazia.ru
Type: connection
Detail: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-03-19 15:54:31,790:INFO:certbot.auth_handler:Cleaning up challenges
2017-03-19 15:54:31,965:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/otdih-abhazia.ru.conf produced an unexpected error: Failed authorization procedure. otdih-abhazia.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge, www.otdih-abhazia.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge. Skipping.
2017-03-19 15:54:31,965:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py”, line 418, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 650, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 87, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py”, line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py”, line 265, in obtain_certificate
self.config.allow_subset_of_names)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 77, in get_authorizations
self._respond(resp, best_effort)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. otdih-abhazia.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge, www.otdih-abhazia.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

2017-03-19 15:54:31,968:INFO:certbot.renewal:Cert not due for renewal, but simulating renewal for dry run
2017-03-19 15:54:31,983:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-03-19 15:54:32,638:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x4ce8ad0>
Prep: True
2017-03-19 15:54:32,639:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x4ce8ad0>
Prep: True
2017-03-19 15:54:32,639:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x4ce8ad0> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x4ce8ad0>
2017-03-19 15:54:32,641:DEBUG:certbot.main:Picked account: <Account(a082731f10c6e803fdebb9314f0b8fe9)>
2017-03-19 15:54:32,641:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
2017-03-19 15:54:32,642:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2017-03-19 15:54:32,949:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 372
2017-03-19 15:54:32,950:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 372
Boulder-Request-Id: 15q96JA3_n420FI1deKRo8S8poLjAmbiH6580rC1iHE
Replay-Nonce: an3-VhVHIId74CXDgUEIdzdFPUBLpLiP3caRp8sVQ1s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 19 Mar 2017 15:54:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:33 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “telebal.ru”
},
“status”: “pending”,
“expires”: “2017-03-26T15:54:33.469877522Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665324”,
“token”: “y-X6mxs1XCEfoCWCa8BRJr0mlESyoEF45cadINy7Zqs”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665325”,
“token”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665326”,
“token”: “H-bwns6llpqROm-TC9bhHXZyOUChCLnyjZ1nraAcZY8”
}
],
“combinations”: [
[
2
],
[
0
],
[
1
]
]
}
2017-03-19 15:54:33,414:DEBUG:acme.client:Storing nonce: 4Zpfz-MiYxwgLxhEvUHZt26_i16I2Mzt4vIyJATVF9c
2017-03-19 15:54:33,415:DEBUG:acme.client:JWS payload:
{
“identifier”: {
“type”: “dns”,
“value”: “www.telebal.ru”
},
“resource”: “new-authz”
}
2017-03-19 15:54:33,420:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz:
{
“header”: {
“alg”: “RS256”,
“jwk”: {
“e”: “AQAB”,
“kty”: “RSA”,
“n”: “zxN0lLPVVa3k1Gm1HZiXL2CMbj9262IZKYC7n8x8AZblHb0m7AUKynC8PL-qRUBQIpAfqZKVWisqcmGyXdNXXBwNEbAuqTZEg9jARaMx_IO1RqaqDzuOYAAw8xjOz7st5H6ETaE8GyIaPc3iUnhF9VAkMIBz–pj5GxBWukRzpIvy-tJ6yb8IZKW7EP2fdsJgWm-kkE9ef4qnMsQIPdsWjlYityDyCgZN0DH0Gg_Etczw9TkNM1yjidaPrFz9OdGdFz1f9w5jaQSdKBz9NTYg030u2_UpOUZQg_1j4i9FzsmTnzDkITjVGTFDPbFTYK8FnI2j0rKa2ScvacCp1Bo2Q”
}
},
“protected”: “eyJub25jZSI6ICI0WnBmei1NaVl4d2dMeGhFdlVIWnQyNl9pMTZJMk16dDR2SXlKQVRWRjljIn0”,
“payload”: “ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAid3d3LnRlbGViYWwucnUiCiAgfSwgCiAgInJlc291cmNlIjogIm5ldy1hdXRoeiIKfQ”,
“signature”: “PnsZgDgDLQ9xh_421NHm6i7pV7x0uuLQG9lV2rP4qAjRsqhUDGpNQkl3CLZr1X_awUZjTh3S-mc1BezjlKro7DA-0UyYZvBPo4u3iidVzRVOfq0jmMEeTij82no9Vi8B35oQMf96KbxI8jj8Vksz-sKisDad5BWRyTSM-1iewHgSLBxz3yZscXuIdEXpH51UB5TsNdwC19PR7K43I0sxx1rcFqqhoB9iivj3EY_6vZOrqLMKWYVcK_DtrklE_rGzQ7R2u3OSsZBfl_ww_WTAv7YaZUaP0rBA6itqJmVkHT_8Hotxef_-ISUNAk_tA8ynUVYcV9nZBdXt8y7gHgwh8w”
}
2017-03-19 15:54:33,683:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “POST /acme/new-authz HTTP/1.1” 201 1008
2017-03-19 15:54:33,684:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1008
Boulder-Request-Id: yj9bN7RbExnx3r4VYVnnpnZF5DptNNepu1MxiSwsExw
Boulder-Requester: 1633021
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ
Replay-Nonce: gFQSmO5-bdMqFLQBxSLKsFvsVIGq21FiK_jFce6JHV4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 19 Mar 2017 15:54:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:33 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “www.telebal.ru”
},
“status”: “pending”,
“expires”: “2017-03-26T15:54:33.723939738Z”,
“challenges”: [
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665327”,
“token”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665328”,
“token”: “Hz30Qt8GdzJqgNvVy0WUxBWjFuAGd-7reNmg8OB8yEg”
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665329”,
“token”: “UpwriMgVAJ65mlKjJAKV7MIbvZgQRssSKGq_SWBRvnk”
}
],
“combinations”: [
[
0
],
[
2
],
[
1
]
]
}
2017-03-19 15:54:33,684:DEBUG:acme.client:Storing nonce: gFQSmO5-bdMqFLQBxSLKsFvsVIGq21FiK_jFce6JHV4
2017-03-19 15:54:33,685:INFO:certbot.auth_handler:Performing the following challenges:
2017-03-19 15:54:33,685:INFO:certbot.auth_handler:tls-sni-01 challenge for telebal.ru
2017-03-19 15:54:33,685:INFO:certbot.auth_handler:tls-sni-01 challenge for www.telebal.ru
2017-03-19 15:54:34,274:DEBUG:certbot_apache.tls_sni_01:Adding Include /etc/apache2/le_tls_sni_01_cert_challenge.conf to /files/etc/apache2/apache2.conf
2017-03-19 15:54:34,274:DEBUG:certbot_apache.tls_sni_01:writing a config file with text:

<VirtualHost *:443>
ServerName 6383c73a0c16d5b8759bd67474044a83.5c07333142531e2e26839b10c0df2403.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on

LimitRequestBody 1048576

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY.crt
SSLCertificateKeyFile /var/lib/letsencrypt/FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY.pem

DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/

<VirtualHost *:443>
ServerName d84efc5619657d3039a1dbf46fcd08f2.1cc40a169ac5aa669ae73b27f59afaa4.acme.invalid
UseCanonicalName on
SSLStrictSNIVHostCheck on

LimitRequestBody 1048576

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /var/lib/letsencrypt/5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4.crt
SSLCertificateKeyFile /var/lib/letsencrypt/5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4.pem

DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/

2017-03-19 15:54:34,356:DEBUG:certbot.reverter:Creating backup of /etc/apache2/apache2.conf
2017-03-19 15:54:37,587:INFO:certbot.auth_handler:Waiting for verification…
2017-03-19 15:54:37,588:DEBUG:acme.client:JWS payload:
{
“keyAuthorization”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”,
“type”: “tls-sni-01”,
“resource”: “challenge”
}
2017-03-19 15:54:37,594:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665325:
{
“header”: {
“alg”: “RS256”,
“jwk”: {
“e”: “AQAB”,
“kty”: “RSA”,
“n”: “zxN0lLPVVa3k1Gm1HZiXL2CMbj9262IZKYC7n8x8AZblHb0m7AUKynC8PL-qRUBQIpAfqZKVWisqcmGyXdNXXBwNEbAuqTZEg9jARaMx_IO1RqaqDzuOYAAw8xjOz7st5H6ETaE8GyIaPc3iUnhF9VAkMIBz–pj5GxBWukRzpIvy-tJ6yb8IZKW7EP2fdsJgWm-kkE9ef4qnMsQIPdsWjlYityDyCgZN0DH0Gg_Etczw9TkNM1yjidaPrFz9OdGdFz1f9w5jaQSdKBz9NTYg030u2_UpOUZQg_1j4i9FzsmTnzDkITjVGTFDPbFTYK8FnI2j0rKa2ScvacCp1Bo2Q”
}
},
“protected”: “eyJub25jZSI6ICJnRlFTbU81LWJkTXFGTFFCeFNMS3NGdnNWSUdxMjFGaUtfakZjZTZKSFY0In0”,
“payload”: “ewogICJrZXlBdXRob3JpemF0aW9uIjogIkZsUkxQVFNJQWQ5X2lfUTJXMmFLdGNSem9udUtEeWRTUy1SSnhlbUhLa1kuMXlTal94d0Vid3VFU1VSQ1RYaHdxYXhvLVFmdTcycmFveU1YbXI1dmN2VSIsIAogICJ0eXBlIjogInRscy1zbmktMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9”,
“signature”: “YHRiQQ6PUpBQAg9vF-9p8jjLtMtV9H0X-gavqV1Ffp4BpRi2HLqbo8ZcM8xZvVu8a-TUcgwqfFZeEzanznUqQNqwuMM-ZNdYW_WUYgyQmxjrImH1HEtq32Y8NCGGUdWuAm8AJI0t4BzZsAJsiMgRm2wYXgQ4AjqXybB0foPvX2BW22dQiD2zWOjUmbwiwYF-1vj-jxx9eua6XPVsWhuMEE_h6pKD-sifJYyakh8DxevRaqgtTdUBeC-DtnXjnfGvfX-T0p8Ykm7sGQBCeB-6VLCQJX5I7KpAsyoaluIKtjqMJ3J_gvEgwqq8yKam1jpUoNvMu8LiIyre9KBzPPsFqg”
}
2017-03-19 15:54:37,926:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “POST /acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665325 HTTP/1.1” 202 341
2017-03-19 15:54:37,927:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 341
Boulder-Request-Id: b2KSzixBmS5bHYjwhOuBKWvrQ69_As0VJcFBK-qTvQI
Boulder-Requester: 1633021
Link: https://acme-staging.api.letsencrypt.org/acme/authz/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665325
Replay-Nonce: 1avHi1IKLYhTtx-xg1HGKru824NKARy_iUAmIRbbyDY
Expires: Sun, 19 Mar 2017 15:54:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:38 GMT
Connection: keep-alive

{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665325”,
“token”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY”,
“keyAuthorization”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”
}
2017-03-19 15:54:37,927:DEBUG:acme.client:Storing nonce: 1avHi1IKLYhTtx-xg1HGKru824NKARy_iUAmIRbbyDY
2017-03-19 15:54:37,928:DEBUG:acme.client:JWS payload:
{
“keyAuthorization”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”,
“type”: “tls-sni-01”,
“resource”: “challenge”
}
2017-03-19 15:54:37,933:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665327:
{
“header”: {
“alg”: “RS256”,
“jwk”: {
“e”: “AQAB”,
“kty”: “RSA”,
“n”: “zxN0lLPVVa3k1Gm1HZiXL2CMbj9262IZKYC7n8x8AZblHb0m7AUKynC8PL-qRUBQIpAfqZKVWisqcmGyXdNXXBwNEbAuqTZEg9jARaMx_IO1RqaqDzuOYAAw8xjOz7st5H6ETaE8GyIaPc3iUnhF9VAkMIBz–pj5GxBWukRzpIvy-tJ6yb8IZKW7EP2fdsJgWm-kkE9ef4qnMsQIPdsWjlYityDyCgZN0DH0Gg_Etczw9TkNM1yjidaPrFz9OdGdFz1f9w5jaQSdKBz9NTYg030u2_UpOUZQg_1j4i9FzsmTnzDkITjVGTFDPbFTYK8FnI2j0rKa2ScvacCp1Bo2Q”
}
},
“protected”: “eyJub25jZSI6ICIxYXZIaTFJS0xZaFR0eC14ZzFIR0tydTgyNE5LQVJ5X2lVQW1JUmJieURZIn0”,
“payload”: “ewogICJrZXlBdXRob3JpemF0aW9uIjogIjVTeEczamRaRzdlTk5uMHZ2b1VaVE1PV3hQZnF4RUxpcENxRFdEQ0g2UzQuMXlTal94d0Vid3VFU1VSQ1RYaHdxYXhvLVFmdTcycmFveU1YbXI1dmN2VSIsIAogICJ0eXBlIjogInRscy1zbmktMDEiLCAKICAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIgp9”,
“signature”: “ML-zlatULRsUg7YiY_spkrl3Vb_noiyij51TpyC6mxWFF15nzp3R8vRf1NwPzuya5j7ed0QVya2yAUuQyGYeGPc44egjemzTVlPIOslPyAXnxT_N5C4MhRTniRbThvtV4JMtWDcKFAYUGB4m5_7g-pGt-j6lg5-y4bp_jJKKHA-00ukLoxh_EsuSXHYO5jsnpR3Uj2iSgmk7Jluh2VBvxd24zuoUwfOmzYTJUEB4n-wAT3NPAXDGDbk6BWOAoTM_MH6m1Lgvf3sFF-AXctKr8k4tsE-Dp-DN90YuNWtZSvp8BIvu7TSFZY7Zf4trE0qDEexM02GOqVlq9D9aXUHeaQ”
}
2017-03-19 15:54:38,269:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “POST /acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665327 HTTP/1.1” 202 341
2017-03-19 15:54:38,270:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 341
Boulder-Request-Id: 0e-f3gxCam7xub76NEjJJXXUVjULfSKzFk6h4If006k
Boulder-Requester: 1633021
Link: https://acme-staging.api.letsencrypt.org/acme/authz/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665327
Replay-Nonce: LhE7YHnZMzqnhUpvyCAqskMUv3ZOUmaKRI0MmFz06eU
Expires: Sun, 19 Mar 2017 15:54:38 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:38 GMT
Connection: keep-alive

{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665327”,
“token”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4”,
“keyAuthorization”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”
}
2017-03-19 15:54:38,270:DEBUG:acme.client:Storing nonce: LhE7YHnZMzqnhUpvyCAqskMUv3ZOUmaKRI0MmFz06eU
2017-03-19 15:54:41,273:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I.
2017-03-19 15:54:41,584:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /acme/authz/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I HTTP/1.1” 200 1111
2017-03-19 15:54:41,585:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1111
Boulder-Request-Id: 4yFg2Qe1N9UGxYaJjFKVDDq-yjdkYgJMHP-fNQjvMyY
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: e8AONYZjlUIy7t7yMy5KE7dChixa5wYciJKz88nZRgs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 19 Mar 2017 15:54:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:41 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “telebal.ru”
},
“status”: “pending”,
“expires”: “2017-03-26T15:54:33Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665324”,
“token”: “y-X6mxs1XCEfoCWCa8BRJr0mlESyoEF45cadINy7Zqs”
},
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665325”,
“token”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY”,
“keyAuthorization”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665326”,
“token”: “H-bwns6llpqROm-TC9bhHXZyOUChCLnyjZ1nraAcZY8”
}
],
“combinations”: [
[
2
],
[
0
],
[
1
]
]
}
2017-03-19 15:54:41,586:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ.
2017-03-19 15:54:41,802:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /acme/authz/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ HTTP/1.1” 200 1115
2017-03-19 15:54:41,803:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1115
Boulder-Request-Id: MmEgsoUr_Yg0LoXEwJu9tX7xL90hggHexyoCVVCk2-4
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: 8YFQKno4hIXsR-N8sSPKyNx9bIXqbBmDO-odnR7YrvM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 19 Mar 2017 15:54:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:41 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “www.telebal.ru”
},
“status”: “pending”,
“expires”: “2017-03-26T15:54:33Z”,
“challenges”: [
{
“type”: “tls-sni-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665327”,
“token”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4”,
“keyAuthorization”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665328”,
“token”: “Hz30Qt8GdzJqgNvVy0WUxBWjFuAGd-7reNmg8OB8yEg”
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665329”,
“token”: “UpwriMgVAJ65mlKjJAKV7MIbvZgQRssSKGq_SWBRvnk”
}
],
“combinations”: [
[
0
],
[
2
],
[
1
]
]
}
2017-03-19 15:54:44,807:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I.
2017-03-19 15:54:45,151:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /acme/authz/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I HTTP/1.1” 200 1516
2017-03-19 15:54:45,152:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1516
Boulder-Request-Id: j_1M9mDpJ8k52BTGefTnEXaBArWP3XuVHJnf3rv5vYI
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: JQMZT8_i02A3w2ZjyTk6M-Czdki8uzIColSvmA7n90E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 19 Mar 2017 15:54:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:45 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “telebal.ru”
},
“status”: “invalid”,
“expires”: “2017-03-26T15:54:33Z”,
“challenges”: [
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665324”,
“token”: “y-X6mxs1XCEfoCWCa8BRJr0mlESyoEF45cadINy7Zqs”
},
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge”,
“status”: 400
},
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665325”,
“token”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY”,
“keyAuthorization”: “FlRLPTSIAd9_i_Q2W2aKtcRzonuKDydSS-RJxemHKkY.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”,
“validationRecord”: [
{
“hostname”: “telebal.ru”,
“port”: “443”,
“addressesResolved”: [
“95.182.40.5”
],
“addressUsed”: “95.182.40.5”
}
]
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/nnn2R2a7QRxJ4oMqAyMHTyYuhYSbN9xYKJhMoAa4n0I/30665326”,
“token”: “H-bwns6llpqROm-TC9bhHXZyOUChCLnyjZ1nraAcZY8”
}
],
“combinations”: [
[
2
],
[
0
],
[
1
]
]
}
2017-03-19 15:54:45,153:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ.
2017-03-19 15:54:45,378:DEBUG:requests.packages.urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /acme/authz/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ HTTP/1.1” 200 1524
2017-03-19 15:54:45,379:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1524
Boulder-Request-Id: Vin_L0B-9v5DwyAk8b2uo5sifa3J84eGfFMJqkncyew
Link: https://acme-staging.api.letsencrypt.org/acme/new-cert;rel="next"
Replay-Nonce: TweUuIs-kLlJO-XY50K8I00MjEREuh8knS0WZMFfCbE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sun, 19 Mar 2017 15:54:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 19 Mar 2017 15:54:45 GMT
Connection: keep-alive

{
“identifier”: {
“type”: “dns”,
“value”: “www.telebal.ru”
},
“status”: “invalid”,
“expires”: “2017-03-26T15:54:33Z”,
“challenges”: [
{
“type”: “tls-sni-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge”,
“status”: 400
},
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665327”,
“token”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4”,
“keyAuthorization”: “5SxG3jdZG7eNNn0vvoUZTMOWxPfqxELipCqDWDCH6S4.1ySj_xwEbwuESURCTXhwqaxo-Qfu72raoyMXmr5vcvU”,
“validationRecord”: [
{
“hostname”: “www.telebal.ru”,
“port”: “443”,
“addressesResolved”: [
“95.182.40.5”
],
“addressUsed”: “95.182.40.5”
}
]
},
{
“type”: “http-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665328”,
“token”: “Hz30Qt8GdzJqgNvVy0WUxBWjFuAGd-7reNmg8OB8yEg”
},
{
“type”: “dns-01”,
“status”: “pending”,
“uri”: “https://acme-staging.api.letsencrypt.org/acme/challenge/FQAypqm54Gy60eJVaL-7VwkPXd2tS_hqa1zOc53yOzQ/30665329”,
“token”: “UpwriMgVAJ65mlKjJAKV7MIbvZgQRssSKGq_SWBRvnk”
}
],
“combinations”: [
[
0
],
[
2
],
[
1
]
]
}
2017-03-19 15:54:45,381:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.telebal.ru
Type: connection
Detail: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

Domain: telebal.ru
Type: connection
Detail: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-03-19 15:54:45,381:INFO:certbot.auth_handler:Cleaning up challenges
2017-03-19 15:54:45,553:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/telebal.ru.conf produced an unexpected error: Failed authorization procedure. www.telebal.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge, telebal.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge. Skipping.
2017-03-19 15:54:45,554:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py”, line 418, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 650, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 87, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py”, line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py”, line 265, in obtain_certificate
self.config.allow_subset_of_names)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 77, in get_authorizations
self._respond(resp, best_effort)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.telebal.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge, telebal.ru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

2017-03-19 15:54:45,554:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 896, in main
return config.func(config, plugins)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py”, line 702, in renew
renewal.handle_renewal_request(config)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/renewal.py”, line 435, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 3 renew failure(s), 0 parse failure(s)

[/details]

hi vitali

pasting lots of log files is probably not going to help people

can you articulate your domains, what you expect certbot to do and what you are observing

Andrei

I’m trying to validate certificate renewal: ./certbot-auto renew --dry-run (in test mode, before starting tasks in cron). During command execution 3 domain successfully upgrade certificates, 2 get error. My server is Ubuntu 12.04, Apache 2.2.2, without Nginx
Error example:
Domain: telebal.ru
Type: connection
Detail: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

hi @vitalii

you need to give a bit more context

how many of the domains are on the same server?

i have had a look at the domain in question and it looks like it’s not yet due for renewal

image.png846×661 25 KB

Andrei

otdih-abhazia.ru (www.otdih-abhazia.ru)
cvetochnik.com (www.cvetochnik.com)
otdih-krim.com (www.otdih-krim.com)
telebal.ru (www.telebal.ru)
travelandia.ru (www.travelandia.ru)
Total: 5

I know that the certificates must not be updated. I’m doing a test update (–dry-run) to add a job to cron.

Result of this test:
My server: … “value”: “cvetochnik.com”…
letsencrypt server response: … “status”: “valid”,…

My server: … “value”: “www.cvetochnik.com”…
letsencrypt server response: … “status”: “valid”,…

My server: … “value”: “otdih-krim.com”…
letsencrypt server response: … “status”: “valid”,…

My server: … “value”: “otdih-krim.com”…
letsencrypt server response: … “status”: “valid”,…

My server: … “value”: “travelandia.ru”…
letsencrypt server response: … “status”: “valid”,…

My server: … “value”: “www.travelandia.ru”…
letsencrypt server response: … “status”: “valid”,…

My server: … “value”: “otdih-abhazia.ru”…
letsencrypt server response: … “status”: “invalid”,…

My server: … “value”: “www.otdih-abhazia.ru”…
letsencrypt server response: … “status”: “invalid”,…

2017-03-21 08:42:54,828:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.otdih-abhazia.ru
Type: connection
Detail: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

Domain: otdih-abhazia.ru
Type: connection
Detail: Failed to connect to 95.182.40.5:443 for TLS-SNI-01 challenge

My server: … “value”: “telebal.ru”…
letsencrypt server response: … “status”: “valid”,…

My server: … “value”: “www.telebal.ru”…
letsencrypt server response: … “status”: “valid”,…

Note, that otdih-abhazia.ru the default domain on port 80. You will see his name http://otdih-abhazia.ru and server address http://95.182.40.5
However, if you type https://95.182.40.5 - opens cvetochnik.com . I think the error is in one of the Apache configuration files, but don’t know where.

That’s why he’s testing with --dry-run ;)[quote=“vitalii, post:5, topic:30179”]
I think the error is in one of the Apache configuration files, but don’t know where.
[/quote]

Your Apache configurations might be helpful in this. You’d probably want to use a service like http://pastebin.com/ so you can link to the configurations in stead of pasting the whole bunch here…

default.conf http://pastebin.com/VtxpTUT8
default-ssl.conf http://pastebin.com/Xe80HZVt
cvetochnik.com.conf http://pastebin.com/pVvmzpEW
cvetochnik.com-le-ssl.conf http://pastebin.com/7aZ0rTDM
otdih-abhazia.ru.conf http://pastebin.com/MaUNrDnN
otdih-abhazia.ru-le-ssl.conf http://pastebin.com/CRJwmQGw
ports.conf http://pastebin.com/JX5tjzpQ

which files still needed?

I don’t see anything strange in your configuration…

What is strange to me is that in your first post the domains telebal.ru and www.telebal.ru were deemed invalid too, but in your next post, they are valid? How did that happen? Perhaps you just needed to try again?

If it keeps failing, you might want to take a look at the webroot plugin which doesn’t use the tls-sni-01, but the http-01 challenge.

Unfortunately, you can’t just change method of validating easily when you’ve already got a cert. The documentation says --dry-run is for renew or certonly, but it might just work with other modes of operation…

You might want to try something like:

sudo ./certbot-auto -i apache -a webroot --dry-run -w /var/www -d otdih-abhazia.ru -d www.otdih-abhazia.ru

I really have no idea if it works with the --dry-run. Using --test-cert unfortunately would result in a fake, non-working certificate for your real site

Solved!!
How To Set Up Multiple SSL Certificates on One IP with Apache on Ubuntu 12.04

sudo nano /etc/apache2/ports.conf
NameVirtualHost *:80
*NameVirtualHost :443
(incorrectly between the tags IfModule mod_ssl NameVirtualHost *:443…IfModule)

and in default-ssl.conf
replace on VirtualHost *:443

I found a bug in 2 configuration files

Hmm, didn’t think having that NameVirtualHost inside the <IfModule> would make a difference. And _default_ should be equal to * according to the documentation.

But I’m glad you’ve got things working!

ports.conf has comments

thank you for caring!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.