The client lacks sufficient authorization on subdomains

Note: if you follow @pfg’s advice and delete the /live/ and /archive/ directories, you will have to modify your Apache configuration too. I.e.: delete the $domain-le-ssl.conf files. Otherwise, you’ll run into that Action 'configtest' failed error above. Then you could try the Let’s Encrypt client again.

Hopefully you won’t get that “Failed to connect to host for DVSNI challenge” error this time…

crt.sh doesn’t mention any extra certificates for your domain: https://crt.sh/?Identity=%arimil.com&iCAID=7395

So it didn’t issue anything I guess… Pity.

So I’ve deleted the apache config files as well as the live and archive files and now running letsencrypt gives a “could not find cert file” error.

2016-01-07 02:20:20,615:DEBUG:letsencrypt.storage:Expected symlink /etc/letsencrypt/live/arimil.com/cert.pem for cert does not exist.
2016-01-07 02:20:20,616:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/letsencrypt/venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt', 'console_scripts', 'letsencrypt')()
  File "/root/letsencrypt/letsencrypt/cli.py", line 1398, in main
    return args.func(args, config, plugins)
  File "/root/letsencrypt/letsencrypt/cli.py", line 559, in run
    lineage = _auth_from_domains(le_client, config, domains)
  File "/root/letsencrypt/letsencrypt/cli.py", line 381, in _auth_from_domains
    action, lineage = _treat_as_renewal(config, domains)
  File "/root/letsencrypt/letsencrypt/cli.py", line 237, in _treat_as_renewal
    ident_names_cert, subset_names_cert = _find_duplicative_certs(config, domains)
  File "/root/letsencrypt/letsencrypt/cli.py", line 206, in _find_duplicative_certs
    candidate_names = set(candidate_lineage.names())
  File "/root/letsencrypt/letsencrypt/storage.py", line 461, in names
    raise errors.CertStorageError("could not find cert file")
CertStorageError: could not find cert file

Hmm, apparently it checks the existing .conf file in the /renewal/ directory… You could move that file (probably /renewal/arimil.com.conf) to some place letsencrypt won’t find it for safekeeping and try again.
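The "could not find cert file" traceback above is what the client produces when a renewal/<name>.conf still exists but the live/<name>/ symlinks it points at have been deleted by hand. The following script is an added example, not part of this thread and not the Let's Encrypt client's own code; it walks a config directory the way the client does and reports every lineage whose renewal conf is orphaned. It assumes the standard layout (renewal/<name>.conf with top-level cert/privkey/chain/fullchain keys above a [renewalparams] section, each key naming a symlink under live/<name>/ that points into archive/<name>/). The fixture it builds in a temp directory is constructed for the demo; point audit_letsencrypt_dir at /etc/letsencrypt on a real host.

```python
import configparser
import os
import tempfile

# The four symlinks the client keeps under live/<name>/, each pointing into archive/<name>/
LINK_KEYS = ("cert", "privkey", "chain", "fullchain")


def audit_letsencrypt_dir(confdir):
    """Map each renewal/<name>.conf to a list of problems (empty list = consistent lineage).

    Assumed layout (not taken from the page): renewal/<name>.conf carries top-level
    'cert = /path/live/<name>/cert.pem' style keys above a [renewalparams] section,
    and each of those paths is a symlink into archive/<name>/.
    """
    report = {}
    renewal_dir = os.path.join(confdir, "renewal")
    if not os.path.isdir(renewal_dir):
        return report
    for fname in sorted(os.listdir(renewal_dir)):
        if not fname.endswith(".conf"):
            continue
        name = fname[:-len(".conf")]
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        with open(os.path.join(renewal_dir, fname), encoding="utf-8") as fh:
            # The top-level keys have no section header; give them one so configparser accepts them.
            parser.read_string("[lineage]\n" + fh.read())
        problems = []
        for key in LINK_KEYS:
            link = parser["lineage"].get(key)
            if link is None:
                problems.append(f"{fname}: no '{key}' entry")
            elif not os.path.islink(link):
                # This is the state behind "Expected symlink ... does not exist" / "could not find cert file"
                problems.append(f"{link}: live symlink missing (renewal conf left behind)")
            elif not os.path.isfile(os.path.realpath(link)):
                problems.append(f"{link} -> {os.readlink(link)}: archive target missing")
        report[name] = problems
    return report


def orphaned_lineages(report):
    """Names whose renewal conf should be moved aside before re-running the client."""
    return sorted(name for name, problems in report.items() if problems)


def build_fixture():
    """Constructed /etc/letsencrypt look-alike in a temp dir: one healthy lineage and one
    where live/ and archive/ were deleted by hand but renewal/<name>.conf was not."""
    root = tempfile.mkdtemp(prefix="le-audit-")
    os.makedirs(os.path.join(root, "renewal"))

    def add_lineage(name, with_files):
        live = os.path.join(root, "live", name)
        archive = os.path.join(root, "archive", name)
        with open(os.path.join(root, "renewal", name + ".conf"), "w", encoding="utf-8") as fh:
            for key in LINK_KEYS:
                fh.write(f"{key} = {os.path.join(live, key + '.pem')}\n")
            fh.write("[renewalparams]\nauthenticator = apache\ninstaller = apache\n")
        if with_files:
            os.makedirs(live)
            os.makedirs(archive)
            for key in LINK_KEYS:
                with open(os.path.join(archive, key + "1.pem"), "w", encoding="utf-8") as fh:
                    fh.write("-----BEGIN PLACEHOLDER-----\n")  # constructed stand-in, not a real PEM
                # relative symlink, as the client creates them
                os.symlink(os.path.join("..", "..", "archive", name, key + "1.pem"),
                           os.path.join(live, key + ".pem"))

    add_lineage("healthy.example", with_files=True)
    add_lineage("arimil.com", with_files=False)
    return root


if __name__ == "__main__":
    root = build_fixture()  # replace with "/etc/letsencrypt" on a real host
    report = audit_letsencrypt_dir(root)
    for name, problems in report.items():
        print(name, "OK" if not problems else "")
        for problem in problems:
            print("   ", problem)
    print("move aside before retrying:", orphaned_lineages(report))
```

The audit only reads the directory; moving the orphaned renewal conf out of the way (or deleting the matching $domain-le-ssl.conf in Apache, as the earlier post says) is still a manual step.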

This puts us back at the DVSNI error.

2016-01-07 02:31:19,798:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/letsencrypt/venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt', 'console_scripts', 'letsencrypt')()
  File "/root/letsencrypt/letsencrypt/cli.py", line 1398, in main
    return args.func(args, config, plugins)
  File "/root/letsencrypt/letsencrypt/cli.py", line 559, in run
    lineage = _auth_from_domains(le_client, config, domains)
  File "/root/letsencrypt/letsencrypt/cli.py", line 404, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/root/letsencrypt/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/letsencrypt/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/letsencrypt/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/letsencrypt/letsencrypt/auth_handler.py", line 84, in get_authorizations
    self._respond(cont_resp, dv_resp, best_effort)
  File "/root/letsencrypt/letsencrypt/auth_handler.py", line 142, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/letsencrypt/letsencrypt/auth_handler.py", line 204, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure.
fgo.arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge,
wsdb.arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge,
files.arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge,
arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

Yes, and now it makes more sense… Because in the meantime I did some more debugging:

osiris@desktop ~ $ openssl s_client -connect arimil.com:443 -servername arimil.com
CONNECTED(00000003)
139895265015440:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 327 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
osiris@desktop ~ $ telnet arimil.com 443
Trying 45.63.0.220...
Connected to arimil.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: arimil.com

HTTP/1.1 200 OK
Date: Thu, 07 Jan 2016 02:33:34 GMT
Server: Apache/2.2.22 (Debian)
Vary: Accept-Encoding
Content-Length: 1300
Content-Type: text/html;charset=UTF-8

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
(...)

That’s VERY strange! Obviously…

Your server configuration is very… Very fucked up in its current state. It responds to normal non-TLS traffic on port 443. I think this is the reason the LE client can’t properly do its normal thing.

Take a look at this thread, where OP was also serving HTTP on port 443:
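The two manual checks in the post above (an openssl s_client handshake with SNI, then a cleartext GET to the same port) are exactly what tells a plaintext-on-443 vhost apart from a TLS one. The script below is an added example, not part of this thread and not the Let's Encrypt client's code; it automates both probes against a host and port and gives a verdict. The "Apache without SSLEngine" stand-in server it starts for the offline demo is constructed: it answers whatever bytes arrive, including a TLS ClientHello, with a plaintext 200 just as arimil.com did. Hostnames, ports and the verdict wording are the example's own.

```python
import socket
import ssl
import threading

# Constructed stand-in for an Apache that has "Listen 443" but no SSLEngine:
# it answers any bytes it receives (even a TLS ClientHello) with plaintext HTTP.
FAKE_PLAINTEXT_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.22 (Debian)\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


def start_fake_plaintext_server(host="127.0.0.1"):
    """Start the stand-in server on an ephemeral port and return that port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)  # swallow the request line or the ClientHello
                    conn.sendall(FAKE_PLAINTEXT_REPLY)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def tls_probe(host, port, servername, timeout=5.0):
    """Attempt a TLS handshake with SNI (like openssl s_client -servername); return (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only want to know whether TLS is spoken at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        # A plaintext server answers the ClientHello with "HTTP/..." and OpenSSL
        # rejects it as a bogus record (unknown protocol / wrong version number).
        return False, f"handshake failed: {exc.reason or exc}"
    except OSError as exc:
        return False, f"connect/handshake error: {exc}"


def plaintext_http_probe(host, port, hostname, timeout=5.0):
    """Send a cleartext GET (like the telnet session); return the status line if the port talks plain HTTP."""
    request = f"GET / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode("ascii")
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    status = data.split(b"\r\n", 1)[0]
    return status.decode("latin-1") if status.startswith(b"HTTP/") else None


def classify_port(host, port, servername, timeout=5.0):
    """Run both probes and say whether a tls-sni-01 validation could ever reach a TLS listener here."""
    tls_ok, detail = tls_probe(host, port, servername, timeout)
    result = {"tls": tls_ok, "tls_detail": detail, "http_status": None}
    if tls_ok:
        result["verdict"] = f"TLS served on port {port} for SNI name {servername}"
        return result
    result["http_status"] = plaintext_http_probe(host, port, servername, timeout)
    if result["http_status"]:
        result["verdict"] = (f"plaintext HTTP on port {port} (a Listen {port} vhost without SSLEngine); "
                             "a tls-sni-01 validation cannot succeed here")
    else:
        result["verdict"] = f"port {port} closed, filtered, or speaking neither TLS nor HTTP"
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python3 probe443.py example.org [port]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    else:  # no host given: demo against the constructed stand-in
        host, port = "127.0.0.1", start_fake_plaintext_server()
    for key, value in classify_port(host, port, sys.argv[1] if len(sys.argv) > 1 else "arimil.com").items():
        print(f"{key}: {value}")
```

Run it against the public name and port 443 before retrying the client: if the second probe returns a status line, fix the Apache listener (the port must be served by a vhost with SSLEngine on) rather than the Let's Encrypt configuration.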

I found

[code]
NameVirtualHost *:443
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
Listen 443
[/code]

in /etc/apache2/ports.conf

I commented out these lines and confirmed that apache is no longer listening on port 443.

Then letsencrypt still outputs the DVSNI error.

2016-01-07 02:50:11,681:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/letsencrypt/venv/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt', 'console_scripts', 'letsencrypt')()
  File "/root/letsencrypt/letsencrypt/cli.py", line 1398, in main
    return args.func(args, config, plugins)
  File "/root/letsencrypt/letsencrypt/cli.py", line 559, in run
    lineage = _auth_from_domains(le_client, config, domains)
  File "/root/letsencrypt/letsencrypt/cli.py", line 404, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/root/letsencrypt/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/letsencrypt/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/letsencrypt/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/letsencrypt/letsencrypt/auth_handler.py", line 84, in get_authorizations
    self._respond(cont_resp, dv_resp, best_effort)
  File "/root/letsencrypt/letsencrypt/auth_handler.py", line 142, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/letsencrypt/letsencrypt/auth_handler.py", line 204, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure.
fgo.arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge,
files.arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge,
arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge,
wsdb.arimil.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge

That must have been an artifact from the LetsEncrypt software because my Apache configs didn't have anything to do with port 443 in them at the time.

So I never solved this issue, but today I backed up everything on my server and moved to Debian 8. After setting everything up it worked on the first try.
