The server could not connect to the client: raspberrypi nginx


#1

Hello, I’m using Raspbian GNU/Linux 7 (wheezy),
the current stable certbot 0.12.0, git-pulled from https://github.com/letsencrypt/letsencrypt
and nginx version: nginx/1.11.10
(built by gcc 4.6.3 (Debian 4.6.3-14+rpi1)
built with OpenSSL 1.0.1t 3 May 2016
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --pid-path=/run/nginx.pid --lock-path=/var/lock/nginx --http-log-path=/var/log/nginx/access.log --with-http_ssl_module)

I have two web pages visible, one http and one https
http://rupert160.privatedns.org
https://rupert160.privatedns.org
These are dyndns’d using //freedns.afraid.org/dynamic/update.php,
and I have visible pages with self-signed certs installed, created using openssl, to enable the https page.

The contents of my /etc/nginx/nginx.conf file are:

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    include sites-enabled/*;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
}

and the contents of my site block (virtual host) at /etc/nginx/sites-enabled/rupert160.privatedns.org are:

server {
    listen 80;
    server_name rupert160.privatedns.org;

    location / {
        root /var/www/rupert160.privatedns.org/http;
        index index.html index.htm;
    }
}

server {
    listen 443 ssl;
    server_name rupert160.privatedns.org;

    ssl_certificate /etc/ssl/cacert.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /var/www/rupert160.privatedns.org/https;
        index index.html index.htm;
    }
}

I am failing to run the following command because the server cannot reach back to my client to do the handshake:
rupert@raspberrypi ~/projects/https/letsencrypt $ ./letsencrypt-auto run --agree-tos --nginx -d rupert160.privatedns.org
Requesting root privileges to run certbot…
/home/rupert/.local/share/letsencrypt/bin/letsencrypt run --agree-tos --nginx -d rupert160.privatedns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for rupert160.privatedns.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. rupert160.privatedns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 124.168.238.216:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: rupert160.privatedns.org
   Type:   connection
   Detail: Failed to connect to 124.168.238.216:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I’m hoping somebody might have some ideas to troubleshoot this; if it’s a bug, I’m happy to triage.

Thanks in advance,


#2

Your site isn’t reachable from the public internet: apparently not from Let’s Encrypt’s servers, and not from my end either.

Is the IP address listed also really your current public IP address? Or has it changed recently and is the dynamic DNS service lagging behind?

Do you have your Raspberry Pi behind a NAT router? Did you port-forward ports 80 and 443 to the Raspberry Pi?


#3

Osiris,

Thanks for responding. It is true that it is turned off, I disabled it after sending this post for security purposes. Feel free to have another poke, I’ve enabled the pages again…

Regards, Rupert


#4

Still not able to connect. Please check your router/firewall et cetera, because rupert160.privatedns.org isn’t publicly accessible.


#5

Osiris,

Thank you. I discovered that although I could point to it using the URL, the rest of the world could not. My ISP was blocking at the infrastructure level, so I needed to log in to my provider and, in the admin interface, turn off port blocking there too. Thanks for your patience, Osiris.
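A reachability triage script that ties together the checks suggested in post #2 (stale dynamic-DNS record, NAT port forwarding) and the cause found in post #5 (provider-side port blocking that only shows up from outside). This is an added example, not code from the thread, from certbot or from Let's Encrypt. It assumes Python 3 on a host with network access, that https://api.ipify.org answers with a bare IPv4 address (only used when you do not pass your public IP yourself), and function names of my own; the sample error line is copied from post #1. Run it from a host outside the Pi's network: probes from inside the LAN prove only local reachability, which is exactly why the poster could reach the URL while the rest of the world could not. TLS-SNI-01 has since been retired by Let's Encrypt, but the same port checks apply to HTTP-01 on port 80 and to the nginx plugin's port 443.

```python
"""Triage an ACME 'urn:acme:error:connection' failure (added example).

Assumptions: Python 3; api.ipify.org reachable when no public IP is given;
all function names are this example's own, not certbot's.
"""
import re
import socket
import sys
import urllib.request

# Copied verbatim from the certbot output in post #1.
SAMPLE_ACME_DETAIL = "Failed to connect to 124.168.238.216:443 for TLS-SNI-01 challenge"

_TARGET_RE = re.compile(r"connect to (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_acme_target(detail):
    """Return (ip, port) the CA actually tried, or None if the line lacks one.
    The CA's target matters more than what your own resolver says today."""
    m = _TARGET_RE.search(detail)
    return (m.group(1), int(m.group(2))) if m else None


def resolve_a(hostname):
    """IPv4 addresses the local resolver currently returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def current_public_ip(timeout=5.0):
    """ASSUMPTION: https://api.ipify.org returns our public IPv4 as plain text."""
    with urllib.request.urlopen("https://api.ipify.org", timeout=timeout) as resp:
        return resp.read().decode().strip()


def tcp_reachable(ip, port, timeout=5.0):
    """True if a TCP handshake to ip:port completes; no TLS is attempted."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(dns_ips, ca_target_ip, public_ip, probe_results, probe_is_external):
    """Turn the collected facts into findings mirroring the thread's checks.
    probe_results: {port: bool} from tcp_reachable() against ca_target_ip.
    probe_is_external: True if the probes ran from outside the server's LAN.
    public_ip may be None if it could not be determined."""
    findings = []
    if ca_target_ip not in dns_ips:
        findings.append("CA targeted %s, which is not in the current A records %s: "
                        "wrong name or DNS lag" % (ca_target_ip, dns_ips))
    if public_ip and public_ip != ca_target_ip:
        findings.append("public IP is %s but the CA tried %s: dynamic-DNS record is stale"
                        % (public_ip, ca_target_ip))
    closed = sorted(port for port, ok in probe_results.items() if not ok)
    if closed and probe_is_external:
        findings.append("ports %s closed from the public internet: check router port "
                        "forwarding, the host firewall and ISP-level port blocking" % closed)
    elif closed:
        findings.append("ports %s closed even from inside the LAN: nginx not listening "
                        "on them or the host firewall drops them" % closed)
    elif not probe_is_external:
        findings.append("ports open from inside the LAN only prove local reachability; "
                        "re-run from an outside host before trusting this result")
    return findings


def main(argv):
    # usage: triage.py HOSTNAME [--external] [--public-ip A.B.C.D] [--detail 'certbot line']
    if len(argv) < 2:
        print(__doc__)
        return 2
    hostname, external = argv[1], "--external" in argv
    public_ip = argv[argv.index("--public-ip") + 1] if "--public-ip" in argv else None
    detail = argv[argv.index("--detail") + 1] if "--detail" in argv else SAMPLE_ACME_DETAIL
    dns_ips = resolve_a(hostname)
    target = parse_acme_target(detail) or (dns_ips[0], 443)
    if public_ip is None:
        try:
            public_ip = current_public_ip()
        except OSError:
            public_ip = None  # leave unknown rather than guess
    probes = {port: tcp_reachable(target[0], port) for port in (80, 443)}
    findings = diagnose(dns_ips, target[0], public_ip, probes, external)
    for line in findings or ["no problem found from this vantage point"]:
        print("- " + line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pass `--external` only when you really are running from outside the home network (a phone on mobile data, a VPS); the script cannot tell the two vantage points apart on its own, and the ISP-level block in this thread is invisible from the LAN.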
