I’m trying to renew the Let’s Encrypt certificate for gardneranddomm.be but I get an error message saying that the server can’t connect to the client to verify the domain. I double-checked the DNS records and the website is publicly reachable.
It produced this output:
Processing /etc/letsencrypt/renewal/www.gardneranddomm.be.conf
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for gardneranddomm.be
tls-sni-01 challenge for www.gardneranddomm.be
Waiting for verification…
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/www.gardneranddomm.be.conf produced an unexpected error: Failed authorization procedure. gardneranddomm.be (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, www.gardneranddomm.be (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.gardneranddomm.be/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
My web server is (include version): Server version: Apache/2.4.18 (Ubuntu) / Server built: 2017-06-26T11:58:04
The operating system my web server runs on is (include version): Ubuntu 16.04.2 LTS (Xenial Xerus)
My hosting provider, if applicable, is: -
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The good news: You have until 2017/8/8 to correct the problem (that is when the cert for both names will expire).
The bad news: The problem is not obvious…
As I can reach both site names and they both return the valid cert, I’m thinking that there may be a firewall or IPS in use that may be blocking the authentication/verification requests.
@deMENSEN-JVD, could you try the process again? I also don’t immediately see anything wrong that should have caused this problem (though @rg305’s suggestion of a firewall is a good one).
@cpu, can you get any more log information that might narrow down what Let’s Encrypt thinks is the trouble in connecting to this site?
Thank you for the replies.
I did some further testing and I looked especially to our firewall and IPS.
First I tried a dry run, but got the same error and no anomalies showed up in the logs of our firewall and IPS.
Just to be sure, I disabled the IPS for a second and did another dry run; verification succeeded.
So I wanted to know why the IPS was blocking the connection and did not log anything about it, so I enabled it again, did another dry run and this time it just worked (?!). I will check for known bugs and might need to update the IPS…
I did not renew the certificate for real yet, because I want to be sure our cron job works, but I guess this is fixed by just disabling and enabling the IPS.
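A cron-side monitor for the failure shown in this thread, as an added example (not code from the thread, from certbot or from Let’s Encrypt): it parses certbot’s renewal output into per-domain failures and, for urn:acme:error:connection, points at the firewall/IPS in front of port 443, which is where this thread’s problem turned out to be. The sample output is a constructed excerpt of the log quoted above; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the certbot renew output quoted in the post above.
SAMPLE_OUTPUT = """\
Processing /etc/letsencrypt/renewal/www.gardneranddomm.be.conf
Attempting to renew cert from /etc/letsencrypt/renewal/www.gardneranddomm.be.conf produced an unexpected error: Failed authorization procedure. gardneranddomm.be (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, www.gardneranddomm.be (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
/etc/letsencrypt/live/www.gardneranddomm.be/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
"""

@dataclass
class Failure:
    domain: str
    challenge: str
    urn: str     # ACME error type, e.g. urn:acme:error:connection
    detail: str

# One "domain (challenge): urn :: detail" item; the detail may itself contain " :: ".
ITEM_RE = re.compile(r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): (?P<urn>urn:acme:error:\w+) :: (?P<detail>.+)")
# Items are comma-separated, so split only where the next "domain (challenge): urn" begins.
ITEM_SPLIT_RE = re.compile(r", (?=[\w.-]+ \([\w-]+\): urn:acme:error:)")

def parse_failures(output):
    """One Failure per domain listed in a 'Failed authorization procedure' line."""
    failures = []
    for line in output.splitlines():
        if "Failed authorization procedure." not in line:
            continue
        body = line.split("Failed authorization procedure.", 1)[1].strip()
        body = re.sub(r"\. Skipping\.$", "", body)  # certbot appends this after the last item
        for item in ITEM_SPLIT_RE.split(body):
            m = ITEM_RE.match(item)
            if m:
                failures.append(Failure(**m.groupdict()))
    return failures

def renewal_counts(output):
    """(renew failures, parse failures) from certbot's summary line, or None if it is missing."""
    m = re.search(r"(\d+) renew failure\(s\), (\d+) parse failure\(s\)", output)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(failures):
    """A next check per failure: a connection error means the CA never reached port 443."""
    return [
        f"{f.domain}: validation server could not connect for {f.challenge}; "
        "check the firewall/IPS in front of port 443 before DNS or Apache"
        if f.urn == "urn:acme:error:connection" else f"{f.domain}: {f.urn} ({f.detail})"
        for f in failures
    ]
```

Feed it the captured output of the cron job’s `certbot renew` run and alert whenever `renewal_counts` reports a non-zero first value.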