I’m trying to renew the Let’s Encrypt certificate for gardneranddomm.be but I get an error message saying that the server can’t connect to the client to verify the domain. I double checked the DNS records and the website is publicly reachable.
My domain is: gardneranddomm.be
I ran this command: certbot renew
It produced this output:
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for gardneranddomm.be
tls-sni-01 challenge for www.gardneranddomm.be
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.gardneranddomm.be.conf produced an unexpected error: Failed authorization procedure. gardneranddomm.be (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, www.gardneranddomm.be (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
1 renew failure(s), 0 parse failure(s)
My web server is (include version): Server version: Apache/2.4.18 (Ubuntu) / Server built: 2017-06-26T11:58:04
The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS (Xenial Xerus)
My hosting provider, if applicable, is: -
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The good news: You have until 2017/8/8 to correct the problem (that is when the cert for both names will expire).
The bad news: The problem is not obvious…
As I can reach both site names and they both return the valid cert, I’m thinking that there may be a firewall or IPS in use that may be blocking the authentication/verification requests.
SSL Labs finds nothing wrong:
@deMENSEN-JVD, could you try the process again? I also don’t immediately see anything wrong that should have caused this problem (though @rg305’s suggestion of a firewall is a good one).
@cpu, can you get any more log information that might narrow down what Let’s Encrypt thinks is the trouble in connecting to this site?
184.108.40.206:443: read: connection reset by peer in the VA logs.
Coincidentally this particular error will soon be returned to the user directly instead of the more ambiguous “Error getting validation data”.
Thank you for the replies.
I did some further testing and I looked especially to our firewall and IPS.
First I tried a dry run, but got the same error and no anomalies showed up in the logs of our firewall and IPS.
Just to be sure, I disabled the IPS for a second and did another dry run; verification succeeded.
So I wanted to know why the IPS is blocking the connection and did not log about it, so I enabled it again, did another dry run and this time it just worked (?!). I will check for known bugs and might need to update the IPS…
I did not renew the certificate for real yet, because I want to be sure our cron job works, but I guess this is fixed by just disabling and enabling the IPS.
Thank you for the help!
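An added triage helper for the failure mode discussed in this thread (example code, not from the thread or from certbot): it parses certbot's "Failed authorization procedure" line into one record per name and challenge, and then opens a TLS connection with SNI the way the validation server does, so that an IPS killing the session shows up as a connection reset rather than the generic "Error getting validation data". The sample input is quoted from the certbot output posted above; the probe target and port in the usage are assumed.

```python
"""Triage helpers for a failed certbot renewal (added example, not from the thread)."""
import re
import socket
import ssl
# Quoted from the certbot output posted in the thread.
SAMPLE_OUTPUT = (
    "Attempting to renew cert from /etc/letsencrypt/renewal/www.gardneranddomm.be.conf "
    "produced an unexpected error: Failed authorization procedure. gardneranddomm.be "
    "(tls-sni-01): urn:acme:error:connection :: The server could not connect to the "
    "client to verify the domain :: Error getting validation data, www.gardneranddomm.be "
    "(tls-sni-01): urn:acme:error:connection :: The server could not connect to the "
    "client to verify the domain :: Error getting validation data. Skipping."
)

# One match per "<name> (<challenge>): <urn> :: <detail> :: <data>" segment.
FAILURE_RE = re.compile(
    r"([\w.-]+) \(([\w-]+)\): (urn:acme:error:\w+) :: (.*?) :: (.*?)"
    r"(?=, [\w.-]+ \(|\. Skipping|$)"
)

def parse_certbot_failures(output):
    """Return one dict per (domain, challenge) that certbot reported as failed."""
    failures = []
    for line in output.splitlines():
        if "Failed authorization procedure" not in line:
            continue
        for m in FAILURE_RE.finditer(line):
            failures.append(dict(zip(
                ("domain", "challenge", "error", "detail", "data"), m.groups())))
    return failures

def probe_tls(host, server_name=None, port=443, timeout=5.0):
    """Classify what the ACME validator sees opening TLS to host:port (cert checks off on purpose)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host):
                return "ok"
    except ConnectionResetError:
        return "reset"        # the VA log symptom: an IPS/firewall killed the session
    except ConnectionRefusedError:
        return "refused"      # nothing listening on the port
    except socket.timeout:
        return "timeout"      # packets silently dropped
    except ssl.SSLError:
        return "tls-error"    # TCP worked, the handshake failed
    except OSError:
        return "unreachable"  # DNS or routing failure
```

Run `probe_tls(f["domain"])` for each record returned by `parse_certbot_failures(...)` from a host outside your own network; a "reset" result points at the firewall/IPS path rather than at DNS or the web server.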