The server could not connect to the client to verify the domain

Hi,

I want to install Letsencrypt on a Rpi2 running Domoticz
But when Letsencrypt wants to create a temporarly file in the www directory of domoticz it gets the following error:

My domain is: xxxxx.duckdns.org

I ran this command:
sudo /etc/letsencrypt/letsencrypt-auto certonly
And selected 2. Place files in webroot directory (webroot)

filled in xxxxx.duckdns.org
and webroot: /home/pi/domoticz/www

It produced this output:

Failed authorization procedure. xxxxx.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxxxx.duckdns.org/.well-known/acme-challenge/QSxV1qdF1H8rx_g2UmlniaBuxkM3RlctXQdfm3y0XcU: Connection refused

My web server is (include version): Domoticz v 4.97

The operating system my web server runs on is (include version): Raspbian stretch full for Raspberry Pi 2B

I am running a router/firewall with pfsense
I have created a port foward on TCP port 443 and 80
I can connect to domoticz remotely with https://xxxxx.duckdns.org, so the port forwarding is working

Can somebody guide me with this problem?

Greetzzzz,

Gerben

Hi @gschmidt

looks like a firewall.

Please share your domain name.

If it is a firewall problem, why can I access domoticz remotely then?
gschmidt.duckdns.org

Thanks. There you see the problem:

It's

• a firewall which blocks port 80 or
• if it is self hosted: Your ISP blocks port 80

If you want to use http - validation, your server must have an open port 80.

https://letsdebug.net/gschmidt.duckdns.org/11105

Ah thanks,

Although I have port forward TCP 80 in pfSense, I need to figure out where the firewall problem is: in my router or in the RPi

I Also read that it is also possible not to open port 80 and use:
–preferred-challenges=dns and create a DNS TXT record (as described) to validate the ownership

How does this exactly work?

Greetzzz,

Gerben

Yes, this is possible. Check the last section there ( https://check-your-website.server-daten.de/?q=gschmidt.duckdns.org ):

TXT - Entries

You need txt entry (2), perhaps (3). Don't create something like (4) or (5).

But: New certificate validation -> new value. So your dns provider should support an API you can use with Certbot (or acme.sh). If not, you must create such a txt entry manual.

Hi,

Is this post explaining what I want?
[Raspberry pi with duckdns DDNS failing to verify]

When I try to run:
sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /home/pi/duckdns/auth.sh --manual-cleanup-hook /home/pi/duckdns/cleanup.sh

Certbot is not found. Where can i find the certbot script?

According to your first post, you have it at /etc/letsencrypt/letsencrypt-auto.

(Certbot used to be known as "letsencrypt". letsencrypt-auto automatically upgrades itself -- unless you tell it not to -- so you still have the current version regardless of the file name.)

Hi,

Thanx…Working!

Greetzzz,

Gerben

A post was split to a new topic: Need a list of Let’s Encrypt IP addresses

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.