Why is this trying to access my server?


#1

I have successfully created certs with letsencrypt certbot-auto, but suddenly I just can’t do it…

I want to be able to create cert(s) and get them prepared on my disk. The bot can't test against my server, because that is a separate machine altogether, and I have not (yet) installed the certs there, nor can the bot do it while doing this. Therefore it has the options certonly --authenticator standalone, right?

$ sudo bin/certbot-auto certonly --authenticator standalone -d <domain.1> -d <domain.2> -d <domain.3>

Failed authorization procedure. <domain.1> (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge, <domain.2> (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xx.25:443 for TLS-SNI-01 challenge, <domain.3> (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to xxx.xxx.xxx.xxx:443 for TLS-SNI-01 challenge

  1. I would want the certs to appear in /etc/letsencrypt, but they do not.
  2. Why does the bot try to connect to the domain(s) in question, as the cert does not exist yet?

The IP it tries to connect to is not localhost; it tries to connect to the internet service hosting those domains…


#2

They don’t appear there because they haven’t been issued yet.

Because that’s how the protocol works. When you ask for a cert for a given hostname, the Let’s Encrypt servers attempt to connect to that hostname to verify that you control it. They also assume that the machine you’re running the client on is the machine that corresponds to the hostname(s) you’re seeking a cert for. If this is not the case, your situation is a bit more complicated and will likely require some special handling.
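The point made in this reply can be checked before running certbot at all: the CA resolves each requested hostname and connects to whatever address DNS returns, so a standalone authenticator listening on this machine can only be reached if every hostname resolves to an address this machine owns. The preflight script below is an added example written for this thread, not part of the original posts or of certbot; it uses a pluggable resolver so it can be exercised offline with a constructed DNS table, and the domain names and addresses in the sample run are made up (the hypothetical names domain.1 through domain.3 stand in for the redacted ones above).

```python
"""Preflight check: would an ACME challenge that connects to the hostname
reach this machine?  Added example; not certbot code.

The CA does not care where certbot runs.  It resolves each name in the
request and opens a connection to that address.  If the name points at a
production host elsewhere, the standalone listener on this box is never hit
and the authorization fails with urn:acme:error:connection, as in the log
above.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, Set, Tuple


def local_addresses() -> Set[str]:
    """Best-effort set of addresses this host answers on (no root needed)."""
    addrs: Set[str] = set()
    try:
        for info in socket.getaddrinfo(socket.gethostname(), None):
            addrs.add(info[4][0])
    except socket.gaierror:
        pass
    # A UDP connect() sends no packet; it only asks the kernel which
    # interface the default route would use, which reveals that interface's
    # address.  192.0.2.1 is a TEST-NET-1 address and is never contacted.
    try:
        probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        probe.connect(("192.0.2.1", 53))
        addrs.add(probe.getsockname()[0])
        probe.close()
    except OSError:
        pass  # no route at all (offline sandbox); fall back to getaddrinfo only
    return addrs


def preflight(
    domains: Iterable[str],
    local_addrs: Set[str],
    resolver: Callable[[str], str] = socket.gethostbyname,
) -> Dict[str, Tuple[bool, str]]:
    """Map each domain to (would_reach_this_host, explanation).

    `resolver` is injectable so the check can run against a constructed
    DNS table in tests; by default it performs a real lookup.
    """
    results: Dict[str, Tuple[bool, str]] = {}
    for name in domains:
        try:
            ip = resolver(name)
        except (socket.gaierror, KeyError):
            results[name] = (False, "does not resolve; the CA cannot connect at all")
            continue
        if ip in local_addrs:
            results[name] = (True, f"resolves to {ip}, a local address")
        else:
            results[name] = (
                False,
                f"resolves to {ip}, which is not a local address; the CA's "
                f"connection to {ip}:443 will hit that host, not this one",
            )
    return results


def all_reachable(results: Dict[str, Tuple[bool, str]]) -> bool:
    """True only if every requested name would land on this machine."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    names = sys.argv[1:]
    if not names:
        # Constructed sample run: two names point at a production host
        # elsewhere, one points at this machine.  Addresses are from the
        # documentation ranges and are assumptions, not real records.
        fake_dns = {
            "domain.1": "203.0.113.25",
            "domain.2": "203.0.113.25",
            "domain.3": "10.0.0.5",
        }
        report = preflight(fake_dns, {"10.0.0.5", "127.0.0.1"}, fake_dns.__getitem__)
    else:
        report = preflight(names, local_addresses())
    for name, (ok, why) in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {why}")
    sys.exit(0 if all_reachable(report) else 1)
```

Run it with the real domain names as arguments before invoking certbot; any FAIL line means the standalone authenticator on this machine cannot satisfy the challenge for that name, which is exactly the situation described in the original post once DNS moved to the production server.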


#3

OK thanks. Well, the DNS was pointing to my local machine at the time when I initially created the certs… But no more, as they are in production.

I’ll figure out how I handle this. Thanks!
