The server could not connect to the client to verify the domain ERROR

Hi folks,

I know there are some topics like mine in the forum but they don't help me yet.

We have an nginx reverse proxy on a CentOS system. Months ago I got my Letsencrypt certificate with this command:

./letsencrypt-auto certonly --standalone -d demoftm.dimetis.de

…everything works fine.

Now I want to create a new certificate for redminesrg.dimetis.de and it doesn't work.

My nginx configuration for this domain:

server {
    listen      80;
    server_name redminesrg.dimetis.de;
    return 301 https://$server_name$request_uri;
}

server {
    listen       192.208.106.13:443 ssl;
    server_name  redminesrg.dimetis.de;
    ssl_certificate      /etc/letsencrypt/live/random/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/random/privkey.pem;
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass https://localhost:5443/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

The certbot got an update and I tried the command:

./letsencrypt-auto certonly --standalone -d redminesrg.dimetis.de

I just get the following error:

Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for redminesrg.dimetis.de
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. redminesrg.dimetis.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://redminesrg.dimetis.de/.well-known/acme-challenge/5Ke4n0v-dNn47RN5SaOXlXgKhQc1O61Cn0_GVAtaAAo: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: redminesrg.dimetis.de
   Type:   connection
   Detail: Fetching
   http://redminesrg.dimetis.de/.well-known/acme-challenge/5Ke4n0v-dNn47RN5SaOXlXgKhQc1O61Cn0_GVAtaAAo:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

For the command, I've shut down the firewall and checked the hostname... everything is fine.

Does anybody have an idea?

You're using the http-01 verification method, so LetsEncrypt is trying to contact your server (redminesrg.dimetis.de) on port 80, which is timing out. I'm trying it myself from my VPS and I see the same:

telnet: connect to address 80.150.105.122: Operation timed out

Hi mproto,

Which method should I use for HTTPS?! What does the command look like?!

Thx for your assistance!

As far as I know there is no method to try HTTPS directly, though your nginx configuration does indicate it should redirect all HTTP traffic to HTTPS, which should work (I renew my certs this very same way).

The fact that HTTP isn't reachable on your IP to perform the redirection seems to be the problem. Do you have a firewall or other network device that is blocking port 80 traffic?

Here's what I'm doing when I try to test it myself, from my VPS:

$ telnet redminesrg.dimetis.de 80
Trying 80.150.105.122…
telnet: connect to address 80.150.105.122: Connection timed out

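As an added example (not from the thread, certbot or nginx), a Python pre-flight check that does what the validator and the telnet test above do: connect to port 80, request the challenge path, and report whether it times out, is refused, or redirects to https with the host and path intact, which is the redirect the nginx block on port 80 produces. The small redirecting server inside it is a constructed stand-in for that nginx block, used only so the check can be exercised locally.

```python
# Pre-flight check for an ACME http-01 challenge: connect like the validator does, fetch the token path, classify.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

CHALLENGE_PATH = "/.well-known/acme-challenge/"

def probe_http01(host, port=80, token="probe-token", timeout=5.0):
    """Return 'timeout', 'refused', 'redirect_https', 'redirect_other', 'served', 'not_found' or 'other:<code>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:  # timeout also applies to recv
            s.sendall(f"GET {CHALLENGE_PATH}{token} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            data = b""
            while b"\r\n\r\n" not in data:  # read until the end of the response headers
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        return "timeout"            # the thread's symptom: port 80 silently filtered upstream
    except ConnectionRefusedError:
        return "refused"            # port reachable, but nothing is listening on it
    head = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    code = int(head[0].split(" ")[1]) if head[0].startswith("HTTP/") else 0
    location = next((h.partition(":")[2].strip() for h in head[1:]
                     if h.lower().startswith("location:")), "")
    if code in (301, 302, 307, 308):
        # The validator follows redirects, so a 301 to https is fine if host and challenge path survive it.
        target = urlparse(location)
        if (target.scheme, target.hostname, target.path) == ("https", host, CHALLENGE_PATH + token):
            return "redirect_https"
        return "redirect_other"
    return {200: "served", 404: "not_found"}.get(code, f"other:{code}")

class _RedirectHandler(BaseHTTPRequestHandler):  # constructed stand-in for the port-80 nginx block
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://" + self.headers["Host"] + self.path)
        self.end_headers()
    log_message = lambda *args: None  # keep the demo quiet

def demo():
    """Probe a local redirecting server, then the same port once it is closed; return both verdicts."""
    srv = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    redirect_verdict = probe_http01("127.0.0.1", srv.server_address[1], timeout=3)
    srv.shutdown()
    srv.server_close()
    return redirect_verdict, probe_http01("127.0.0.1", srv.server_address[1], timeout=3)
```

Run `probe_http01("redminesrg.dimetis.de")` from a host outside your network before invoking certbot; a "timeout" verdict is the firewall problem from this thread, not a certbot problem.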

OMG, now it works. Our firewall had redirected port 80 to 443, then I ran this command on the nginx server:

./certbot --authenticator standalone --installer nginx -d redminesrg.dimetis.de --pre-hook "service nginx stop" --post-hook "service nginx start"

Thx for your help!!!
