The server could not connect to the client for DV, Failed to connect to host for DVSNI challenge


#1

Dear Let's Encrypt Support Team,

I have the following domain: http://ankitshah.us
This domain points to the following AWS image, whose IP is: 23.22.140.172

When I run the following command:
ubuntu@ip-10-149-104-73:~/letsencrypt$ sudo ./venv/bin/letsencrypt auth

It gives me this error on the blue screen first:
Unable to run the command: apache2ctl configtest
Nginx Restart Failed!
nginx: [emerg] could not build the server_names_hash, you should increase server_names_hash_bucket_size: 64

It also gives me the following error:

Failed authorization procedure. ankitshah.us (dvsni): connection :: The server could not connect to the client for DV :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:

  • The following ‘connection’ errors were reported by the server:

    Domains: ankitshah.us
    Error: The server could not connect to the client for DV

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contains the right IP address. Additionally, please check that your
    computer has publicly routable IP address and no firewalls are
    preventing the server from communicating with the client.

My DNS record entry is pointing to the AWS public IP.
How would I make the DVSNI challenge pass?


#2

This is what you need to fix.

Perhaps the client should run nginx -t (for [T]est configuration) and check the error code?


#3

I have the same issue. But after ./venv/bin/letsencrypt -d domain auth my nginx configs reverted.


#4

Hello, I have something like that problem… what can I do to fix the DNS A/AAAA record? Thanks.

Failed authorization procedure. my.domain (dvsni): connection :: The server could not connect to the client for DV :: Failed to connect to host for DVSNI challenge

IMPORTANT NOTES:

  • If you lose your account credentials, you can recover through
    e-mails sent to support@my.domain.

  • The following ‘connection’ errors were reported by the server:

    Domains: my.domain
    Error: The server could not connect to the client for DV

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contains the right IP address. Additionally, please check that your
    computer has publicly routable IP address and no firewalls are
    preventing the server from communicating with the client.

  • Your account credentials have been saved in your Let’s Encrypt
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Let’s
    Encrypt so making regular backups of this folder is ideal.


#5

I too have this problem. Admittedly I haven’t looked into it too much, and I’m new to SSL certs altogether.


#6

One possibility here, that has bit me before, was a server that hadn’t been using TLS before was blocking port 443 at the firewall. That stops DVSNI from running, too.


#7

Thanks - it was just a stupid typo. Had opened the wrong port on my router. Amazing! :smiley:
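
A preflight for the two causes named in the error text and in posts #6 and #7 (a wrong DNS A/AAAA record, or port 443 closed on the path to the server). This is an added example, not code from any poster or from the Let's Encrypt client; the function names `resolve_addrs`, `port_open` and `preflight` are made up here. Run it from a machine outside your own network, since a check from the server itself never crosses the firewall or router in question.

```python
import socket
import sys


def resolve_addrs(domain):
    """Return the sorted A/AAAA addresses the local resolver gives for domain."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def port_open(addr, port, timeout=3.0):
    """True if a TCP handshake to addr:port completes within timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def preflight(domain, expected_ip, port=443, resolve=resolve_addrs, timeout=3.0):
    """Check the two things the 'connection' error message asks about."""
    try:
        addrs = resolve(domain)
    except socket.gaierror:
        addrs = []  # the name does not resolve at all
    reachable = {a: port_open(a, port, timeout) for a in addrs}
    return {
        "addresses": addrs,
        "dns_ok": expected_ip in addrs,
        # Any extra record is a host the validation may connect to instead.
        "stray_addresses": [a for a in addrs if a != expected_ip],
        "reachable": reachable,
        "ready": expected_ip in addrs and all(reachable.values()),
    }


if __name__ == "__main__":
    # Usage: python preflight.py <domain> <expected-public-ip>
    if len(sys.argv) != 3:
        sys.exit("usage: preflight.py <domain> <expected-public-ip>")
    report = preflight(sys.argv[1], sys.argv[2])
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["ready"] else 1)
```

A `dns_ok` of False points at the DNS record; a False entry in `reachable` points at a firewall, security group or router port forward in front of port 443.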


#8

Hi Let’s Encrypt experts,

I had the same error message on Ubuntu 14.04.3 LTS with apache2 when calling letsencrypt-auto.
After stopping apache2 and using letsencrypt -auth instead (selecting Standalone mode) I succeeded and received the staging-CA signed cert chain.
I guess somehow letsencrypt-auto didn’t succeed in controlling my apache2, but I don’t know how to find out why.
I personally can live with the standalone-method, but this isn’t very satisfying, because of the needed downtime of the web service.
Let me know if I somehow can contribute helpful debug information (log files etc.).

Regards,
Ralph


#9

Use --verbose mode with letsencrypt-auto so you can see the errors etc.: https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt-auto#L24

letsencrypt-auto --verbose


#10

Hi eva2000,
thanks for the hint.
I tried and again I see the error message as before, but just a little bit more eloquent.
Unfortunately without information how letsencrypt-auto tries to control my apache2 and where it failed:

+----------------------------------------------------------------------+
¦ Saving debug log to /var/log/letsencrypt/letsencrypt.log             ¦
¦ Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org  ¦
¦ Generating key (2048 bits):                                          ¦
¦ /etc/letsencrypt/keys/0008_key-letsencrypt.pem                       ¦
¦ Creating CSR: /etc/letsencrypt/csr/0008_csr-letsencrypt.pem          ¦
¦ Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org  ¦
¦ Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org  ¦
¦ Performing the following challenges:                                 ¦
¦ dvsni challenge for rabix.de                                         ¦
¦ Waiting for verification...                                          ¦
¦ Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org  ¦
¦ Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org  ¦
¦ Reporting to user: The following 'unauthorized' errors were          ¦
¦ reported by the server:                                              ¦
¦ Domains: rabix.de                                                    ¦
¦ Error: The client lacks sufficient authorization                     ¦
¦ To fix these errors, please make sure that your domain name was      ¦
¦ entered correctly and the DNS A/AAAA record(s) for that domain       ¦
¦ contains the right IP address.                                       ¦
¦ Cleaning up challenges                                               ¦
+----------------------------------------------------------------------+

I also had a look into /var/log/letsencrypt/letsencrypt.log but nothing obvious (at least to my eyes).
For deeper analysis I put the log on my webserver: http://rabix.de/letsencrypt.log

Thanks,
Ralph


#11

I see

2015-10-25 19:21:13,622:INFO:letsencrypt.reporter:Reporting to user: The following 'unauthorized' errors were reported by the server:

Domains: rabix.de
Error: The client lacks sufficient authorization

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contains the right IP address.

#12

Hi,

Yes, thanks, but this error seems to me to be due to letsencrypt-auto not being able to place the challenge information on my apache2 web server. Since “letsencrypt -auth” as standalone works fine, the DNS record itself seems to be correct, but it’s probably (only) an issue in taking over the control of my apache2. Unfortunately I don’t find any information in the log about how letsencrypt-auto tries to get control over it. I checked the timestamps of all files beyond /etc/apache2/ but no config files have been touched.
Remark: It’s not an issue of the permission, because the config files belong to and are writable by “root” and letsencrypt-auto also uses “root” (via sudo).
Any further ideas to analyse the problem are welcome.

Thanks,
Ralph


#13

You’re using acme-staging.api.letsencrypt.org so I assume you’ve received your beta invite approval https://community.letsencrypt.org/t/beta-program-announcements/1631 ?


#14

I’ve applied to join the beta program, but did not yet receive the invite approval.
As I understood this is the reason why I currently solely got staging certs, but that’s okay for current testing now.
The only question is why it works with “letsencrypt -auth” in standalone mode but not with “letsencrypt-auto”, or won’t letsencrypt try to control my apache before I’m registered as a beta test user?


#15

Actually, the staging network acme-staging.api.letsencrypt.org is wide open. It’s intended for test and development.

It’s acme-v01.api.letsencrypt.org that’s the currently invite-only endpoint.


#16

@jcjones thanks for the clarification :slight_smile:


#17

Hi experts,
thanks so far for your hints, but there is still the question why I succeed with “letsencrypt -auth” in standalone mode while failing when trying to use running apache via “letsencrypt-auto”. Are there any further options to switch on deeper (than --verbose) logging?


#18

Hi there,

I am also having the same error (Error: The server could not connect to the client for DV). I received my invitation and made sure to type my domains correctly.

Any solution?

Thanks,
~ Shanee


#19

Ok, got this working by running -a manual but now having a different error:
Self-verify of challenge failed, authorization abandoned.


#20

I’m having the exact same problem. Have you figured it out yet?