The server could not connect to the client to verify the domain


#1

Hi,

I want to install Letsencrypt on a Rpi2 running Domoticz
But when Letsencrypt wants to create a temporary file in the www directory of Domoticz it gets the following error:

My domain is: xxxxx.duckdns.org

I ran this command:
sudo /etc/letsencrypt/letsencrypt-auto certonly
And selected 2. Place files in webroot directory (webroot)

filled in xxxxx.duckdns.org
and webroot: /home/pi/domoticz/www

It produced this output:

Failed authorization procedure. xxxxx.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxxxx.duckdns.org/.well-known/acme-challenge/QSxV1qdF1H8rx_g2UmlniaBuxkM3RlctXQdfm3y0XcU: Connection refused

My web server is (include version): Domoticz v 4.97

The operating system my web server runs on is (include version): Raspbian stretch full for Raspberry Pi 2B

I am running a router/firewall with pfsense
I have created a port forward on TCP ports 443 and 80
I can connect to domoticz remotely with https://xxxxx.duckdns.org, so the port forwarding is working

Can somebody guide me with this problem?

Greetzzzz,

Gerben


#2

Hi @gschmidt

looks like a firewall.

Please share your domain name.


#3

If it is a firewall problem, why can I access domoticz remotely then?
gschmidt.duckdns.org


#4

Thanks. There you see the problem:


Domainname / IP / Http-Status / redirect / Sec. / G
• http://gschmidt.duckdns.org/ : 84.28.65.36, -2, 1.120, V
  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 84.28.65.36:80
• http://www.gschmidt.duckdns.org/ : 84.28.65.36, -2, 1.106, V
  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 84.28.65.36:80
• https://gschmidt.duckdns.org/ : 84.28.65.36, 200, 5.677, N
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
• https://www.gschmidt.duckdns.org/ : 84.28.65.36, 200, 5.667, N
  Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors
• http://gschmidt.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de : 84.28.65.36, -2, 1.110, V
  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 84.28.65.36:80
• http://www.gschmidt.duckdns.org/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de : 84.28.65.36, -2, 1.113, V
  ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 84.28.65.36:80

It’s

  • a firewall which blocks port 80, or
  • if it is self-hosted: your ISP blocks port 80

If you want to use http validation, your server must have an open port 80.


#5

https://letsdebug.net/gschmidt.duckdns.org/11105


#6

Ah thanks,

Although I have forwarded TCP port 80 in pfSense, I need to figure out where the firewall problem is: in my router or in the RPi.

I also read that it is possible not to open port 80 and instead use
--preferred-challenges=dns and create a DNS TXT record (as described) to validate the ownership.

How does this exactly work?

Greetzzz,

Gerben


#7

Yes, this is possible. Check the last section there ( https://check-your-website.server-daten.de/?q=gschmidt.duckdns.org ):


TXT - Entries

Domainname / TXT Entry / Status
(1) gschmidt.duckdns.org
(2) _acme-challenge.gschmidt.duckdns.org
(3) _acme-challenge.www.gschmidt.duckdns.org
(4) _acme-challenge.gschmidt.duckdns.org.gschmidt.duckdns.org : doesn’t exist, ok
(5) _acme-challenge.www.gschmidt.duckdns.org.www.gschmidt.duckdns.org : doesn’t exist, ok

You need txt entry (2), perhaps (3). Don’t create something like (4) or (5).

But: new certificate validation -> new value. So your DNS provider should support an API you can use with Certbot (or acme.sh). If not, you must create such a TXT entry manually.


#8

Hi,

Is this post explaining what I want?
[Raspberry pi with duckdns DDNS failing to verify]

When I try to run:
sudo certbot certonly --manual --preferred-challenges dns --manual-auth-hook /home/pi/duckdns/auth.sh --manual-cleanup-hook /home/pi/duckdns/cleanup.sh

Certbot is not found. Where can I find the certbot script?


#9

According to your first post, you have it at /etc/letsencrypt/letsencrypt-auto.

(Certbot used to be known as “letsencrypt”. letsencrypt-auto automatically upgrades itself – unless you tell it not to – so you still have the current version regardless of the file name.)
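The rotating TXT value from #7 is what the --manual-auth-hook and --manual-cleanup-hook in #8 take care of. Below is an added example of such a hook pair written as one script (not code from this thread or from Certbot); it assumes Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to manual hooks, that the DuckDNS update API accepts txt= and clear=true and answers the _acme-challenge TXT query with that value, and that the DuckDNS token is supplied in the DUCKDNS_TOKEN environment variable rather than on the command line.

```shell
#!/bin/sh
# Certbot DNS-01 hook for DuckDNS (added example, not part of the thread).
# Usage: --manual-auth-hook    "/home/pi/duckdns/hook.sh auth"
#        --manual-cleanup-hook "/home/pi/duckdns/hook.sh cleanup"
# Assumptions: certbot sets CERTBOT_DOMAIN / CERTBOT_VALIDATION for the hook,
# DuckDNS accepts "txt=" and "clear=true" on its update URL, and the token
# is read from DUCKDNS_TOKEN so it never appears in a process listing.

# The update API wants the bare subdomain, so strip ".duckdns.org".
duckdns_subdomain() {
  printf '%s\n' "$1" | sed 's/\.duckdns\.org$//'
}

# Build the URL that publishes (txt given) or clears (txt empty) the record.
# The ACME validation value is base64url (A-Z a-z 0-9 - _), so it needs no
# percent-encoding before being placed in the query string.
duckdns_txt_url() {
  # $1 = full domain, $2 = token, $3 = txt value ("" means clear)
  sub=$(duckdns_subdomain "$1")
  if [ -z "$3" ]; then
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=&clear=true\n' "$sub" "$2"
  else
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s\n' "$sub" "$2" "$3"
  fi
}

# Publish the challenge value, fail loudly if DuckDNS did not answer "OK",
# then wait so resolvers see the new record before Let's Encrypt queries it.
auth_hook() {
  url=$(duckdns_txt_url "$CERTBOT_DOMAIN" "$DUCKDNS_TOKEN" "$CERTBOT_VALIDATION")
  [ "$(curl -fsS "$url")" = "OK" ] || { echo "DuckDNS rejected the TXT update" >&2; exit 1; }
  sleep 60   # assumed propagation delay; tune for your resolver
}

# Remove the value again so a stale challenge is not left in DNS.
cleanup_hook() {
  url=$(duckdns_txt_url "$CERTBOT_DOMAIN" "$DUCKDNS_TOKEN" "")
  curl -fsS "$url" >/dev/null
}

# Only dispatch when certbot actually invoked the script.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
  case "$1" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
    *) echo "usage: $0 auth|cleanup" >&2; exit 2 ;;
  esac
fi
```

Keep DUCKDNS_TOKEN in a root-only file (for example sourced from /root/duckdns.env with mode 0600) since whoever holds the token can point the name anywhere and pass the DNS challenge for it.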


#10

Hi,

Thanx…Working!

Greetzzz,

Gerben


#11

A post was split to a new topic: Need a list of Let’s Encrypt IP addresses