Error installing LetsEncrypt SSL: (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain
Solution 1
Your nginx config looks correct.
On a hunch, I ran nmap against your domain (since you included it in your question); it would appear that you are currently filtering port 80, so there is no way for LetsEncrypt to connect externally and verify.
You'll need to make sure that port 80 is made externally accessible on the local firewall of the server in question (as well as any ACLs which might be in place on a vhost provider or similar).
Solution 2
This error may also occur if you're redirecting the http-01 challenge from http to https. The .well-known/acme-challenge directory needs to be accessible via http on port 80.
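Both solutions come down to one check: the ACME server must be able to fetch http://<domain>/.well-known/acme-challenge/<token> over plain HTTP on port 80 and get the token back, with no firewall in the way (Solution 1) and no http-to-https rewrite winning over the challenge location (Solution 2). The script below is an added example, not code from the question, the answers, or the letsencrypt/certbot project: check_http01 performs that fetch without following redirects and classifies the outcome the way the error message's checklist does. To run offline it exercises constructed local servers standing in for staging.dnslaude.com; the function, class and scenario names are our own. Against a real host, call check_http01 from a machine outside your own network, for the reason the comments give.

```python
"""Added diagnostic for ACME http-01 failures: fetch the challenge URL over
plain HTTP (no redirects followed) and say which of the usual causes applies.
Not part of the original question or answers; all names below are our own."""
import http.client
import os
import socket
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def check_http01(host, token, port=80, timeout=5):
    """Classify the answer to http://host:port/.well-known/acme-challenge/token.

    'ok'         200 and the body is the token (what the ACME server needs)
    'filtered'   TCP connect failed: firewall/ACL on port 80 or wrong A record
    'redirect'   3xx: the vhost rewrites http->https before the challenge location
    'not-found'  404: wrong -w webroot or challenge location not matched
    'bad-body'   200 but wrong content (stale file, catch-all page)
    Any other status is reported as 'unexpected:<status>'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
    except (OSError, http.client.HTTPException):
        return "filtered"  # refused, timed out, unreachable, or not HTTP at all
    finally:
        conn.close()
    if 300 <= resp.status < 400:
        return "redirect"
    if resp.status == 404:
        return "not-found"
    if resp.status == 200:
        return "ok" if body == token else "bad-body"
    return f"unexpected:{resp.status}"


class QuietHandler(SimpleHTTPRequestHandler):
    """Serves files from a webroot, like the working nginx location block."""
    def log_message(self, *args):
        pass


class RedirectHandler(QuietHandler):
    """Simulates a vhost whose `rewrite ... https://` wins over the challenge."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://" + self.headers["Host"] + self.path)
        self.end_headers()


def serve(handler_cls, webroot):
    """Start a local HTTP server on a free port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), partial(handler_cls, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def free_port():
    """A port nothing listens on stands in for port 80 filtered by a firewall."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Run the four scenarios against constructed local servers (offline)."""
    token = "constructed-token-for-demo"  # placeholder, not a real ACME token
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        challenge_dir = os.path.join(webroot, *CHALLENGE_PREFIX.strip("/").split("/"))
        os.makedirs(challenge_dir)
        with open(os.path.join(challenge_dir, token), "w") as f:
            f.write(token)
        srv, port = serve(QuietHandler, webroot)
        results["correct-config"] = check_http01("127.0.0.1", token, port)
        results["wrong-webroot"] = check_http01("127.0.0.1", "other-token", port)
        srv.shutdown(); srv.server_close()
        srv, port = serve(RedirectHandler, webroot)
        results["http-to-https-rewrite"] = check_http01("127.0.0.1", token, port)
        srv.shutdown(); srv.server_close()
        results["filtered-port"] = check_http01("127.0.0.1", token, free_port(), timeout=2)
    return results


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:24s} -> {verdict}")
```

The 'filtered' verdict is the one Solution 1 describes (nmap showing port 80 filtered) and the one the asker eventually found, a whitelist-only firewall policy; 'redirect' is Solution 2's case, which in the posted config would come from the server-level rewrite running before the acme-challenge location; 'not-found' points at the -w webroot path rather than at the network.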
Updated on September 18, 2022
Comments
-
Tom Lord over 1 year
I am trying to install LetsEncrypt on my server (which I have root SSH access to), for staging.dnslaude.com - which is a publicly accessible domain, pointing to 213.212.81.89. The server is running ubuntu 16.04, and an nginx web-server. Below is the nginx config:

    server {
        listen 80;
        server_name staging.dnslaude.com;
        root /path/to/webroot;
        location ^~ /.well-known/acme-challenge/ {
            try_files $uri $uri/ =404;
        }
        rewrite ^(.*) https://$host$1 permanent;
    }
    server {
        listen 443;
        ssl on;
        ssl_certificate /path/to/self/signed/certificate.crt;
        ssl_certificate_key /path/to/key.key;
        server_name staging.dnslaude.com;
        root /path/to/webroot;
        # ....
        location ^~ /.well-known/acme-challenge/ {
            try_files $uri $uri/ =404;
        }
    }

You can see that the nginx config appears to work, as I have manually placed a file in the acme-challenge folder here. However, when I run the command:

    letsencrypt certonly --webroot -w /path/to/webroot -d staging.dnslaude.com

It returns the following error:

    Failed authorization procedure. staging.dnslaude.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to staging.dnslaude.com

    IMPORTANT NOTES:
     - The following errors were reported by the server:

       Domain: staging.dnslaude.com
       Type:   connection
       Detail: Could not connect to staging.dnslaude.com

       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.

I followed the basic setup guide outlined here, and have tried all sorts of configuration variations, such as those suggested here. However, I cannot get past the above error - and cannot see anything in a log file to indicate the cause.
Any suggestions?
-
Tom Lord over 7 years
Ahhhhh... OK, I realise what happened now. The server is part of a firewall policy that only white-lists certain IPs, such as the internal office's IP. So from my perspective, the server appeared to be working fine, but LetsEncrypt were obviously unable to get through the firewall to validate the host. (I do not have access to the firewall configuration, so was oblivious to this...)
-
Tom Lord over 7 years
Moral of the story, if anyone else lands here with the same issue: Try running nmap from a server outside your local network, to see if it's still visible.
-
BE77Y over 7 years
Absolutely. Easy mistake to make, but a fairly big one! Glad I could point you in the right direction.
-
Lenne over 7 years
If you don't want/can't nmap from outside, just use isup.me to check if port 80 is answering or not.