TLS-SNI Challenge Not Passing - LetsEncrypt Unable to Connect


#1

Please fill out the fields below so we can help you better.

My domain is: w3i3.org

I ran this command: root@apostle:~# letsencrypt --apache -d w3i3.org

It produced this output:root@tle:~# letsencrypt --apache -d test.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for test.org
Waiting for verification…test
Cleaning up challenges
Failed authorization procedure. test.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 1.1.1.1:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: test.org
    Type: connection
    Detail: Failed to connect to 1.1.1.1:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    root@tle:~#

My operating system is (include version): Ubuntu 16.04

My web server is (include version): Apache 2.4.18
root@tle:~# letsencrypt --apache -d test.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for test.org
Waiting for verification…test
Cleaning up challenges
Failed authorization procedure. test.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 1.1.1.1:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: test.org
    Type: connection
    Detail: Failed to connect to 1.1.1.1:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that noroot@tle:~# letsencrypt --apache -d test.org
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for test.org
    Waiting for verification…test
    Cleaning up challenges
    Failed authorization procedure. test.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 1.1.1.1:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: test.org
    Type: connection
    Detail: Failed to connect to 1.1.1.1:443 for TLS-SNI-01
    challenge

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    root@tle:~#

    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    root@tle:~#

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.831


#2

Your existing certificates won’t matter. Self-signed, from a different CA, expired, whatever it doesn’t matter for the ACME challenge code.

Normally a certificate is proof of your identity, but the challenge is there to validate your identity anyway, so that’s why it ignores certificates you already have.


#3

This is usually caused by a firewall blocking inbound connections, or by not running Certbot on the same machine as the Apache server. (It could also be caused by Certbot having trouble changing your Apache server’s configuration, perhaps, for example, if you have multiple virtual hosts defined within the same Apache configuration file.)


#4

hi @wizard

I can resolve your domain

But I can’t connect to it.

If you are fire-walling incoming connections then review this article:

Note: certbot works on port 80 and 443 for HTTP and TLS-SNI challenges.

LetsEncrypt also does not publish public IPs.

Review this conversation: Letsencrypt-win-simple unable to complete challenges - Firewall Blocking Incoming Requests

Andrei


#5

I have Apache stopped at the moment, I am transferring several domains
to this server and their virtual domains were originally set up under an
earlier version of Apache on an earlier version of Ubuntu. A couple of
the domains have full certificates, not w3i3.org. That is the easy part,
I am working on it and believe it will all come together.

Thanks


#6

I can also point out that --apache requires that Apache is already running (or at least that it can successfully restart it with apachectl).


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.