#1 (Contributing User)
    Problem with Certbot / Let's Encrypt


    I've followed the steps to install Certbot on my CentOS server so as to obtain a Let's Encrypt cert, and when I run it from the command line, I get this error:
    Code:
    Failed authorization procedure. www.----.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data, ----.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: www.----.net
       Type:   connection
       Detail: Error getting validation data
    
       Domain: ----.net
       Type:   connection
       Detail: Error getting validation data
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.
    I have verified that my "A" record is correct.

    Could there be an issue with my Apache conf file?
#2 (Forgotten Moderator)
    Are you set on using Certbot or are you just trying to use it to deploy certificates? Do you have many sites to add them to or is doing it manually acceptable?

    If you want Certbot, what was the command you executed?
#3 (Contributing User)
    Originally Posted by requinix
    Are you set on using Certbot or are you just trying to use it to deploy certificates? Do you have many sites to add them to or is doing it manually acceptable?

    If you want Certbot, what was the command you executed?
    No, I'm not set on Certbot except Let's Encrypt recommends it because it can automate the installation - apparently Let's Encrypt certs have a 90 day life (!!!).

    I'm playing with it at the moment, but the 90-day life thing is a big down-side, unless installation of new certs is automated.

    (Of course I'm using sudo...)

    Certbot installation:

    1.) $ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

    2.) $ yum install certbot-apache

    3.) $ certbot --apache


    It's at this point the error message appears.

    [EDIT]

    What firewall issues is the error talking about? Perhaps I could look at iptables, but I'm not sure what to look for. I have fail2ban installed, but that wouldn't affect this, I don't think, and of course ports 80, 22, 25 (though I don't run a mail server per se, I get system mail), 3306 (I run my database on a different server).

    Speaking of iptables, it's my understanding that CentOS ships with firewalld enabled by default, and I've done nothing to change that. Is firewalld simply an interface to iptables? Or a replacement of iptables?

    Does Certbot need a specific port? If so the instructions don't say.
    Last edited by Arty Zifferelli; July 16th, 2017 at 04:01 PM.
#4 (Wiser? Not exactly.)
    Originally Posted by Arty Zifferelli
    Does Certbot need a specific port? If so the instructions don't say.
    Yes, it runs over HTTPS which is port 443. This isn't certbot specific, it's what you need to enable if you want to serve your site using HTTPS at all, regardless of who provides your certificates.
#5 (Contributing User)
    Originally Posted by kicken
    Yes, it runs over HTTPS which is port 443. This isn't certbot specific, it's what you need to enable if you want to serve your site using HTTPS at all, regardless of who provides your certificates.
    Hah! Of course. How bone-headed of me.
#6 (Contributing User)
    Fixed. But what about Certbot?


    Originally Posted by Arty Zifferelli
    Hah! Of course. How bone-headed of me.
    Yes, that was it, I needed to open up that port with firewalld.

    The cert process was uneventful.

    Question: Do you not like Certbot? Is there a similar utility you like better?
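An added example, not part of the thread or of Certbot itself, covering the question in #3 ("I'm not sure what to look for" in the firewall) and the fix reported in #6. The ACME validation servers must be able to connect inbound from the internet: the tls-sni-01 challenge in the original error needs TCP 443 (Let's Encrypt has since retired tls-sni-01; current Certbot releases use http-01 on TCP 80 with the Apache plugin, or dns-01 with no inbound port at all). On CentOS 7, firewalld is a daemon that manages the kernel's netfilter rules through iptables, so the thing to inspect is `firewall-cmd --list-all` for the active zone rather than raw iptables output. The script below reads that listing, reports whether the service the challenge needs is allowed, and prints the `firewall-cmd` commands to open it. The zone listing embedded in `SAMPLE_LISTING` is constructed to match the thread (ssh, http and 3306/tcp open, https not), and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check the firewalld side of a failed
# Let's Encrypt challenge on CentOS 7 and say what to open.

# Map each ACME challenge type to the firewalld service it needs reachable.
service_for_challenge() {
  case "$1" in
    tls-sni-01) echo https ;;   # TCP 443 (challenge retired by Let's Encrypt)
    http-01)    echo http  ;;   # TCP 80, what current certbot --apache uses
    dns-01)     echo ""    ;;   # validated via DNS, no inbound port needed
    *) echo "unknown challenge type: $1" >&2; return 1 ;;
  esac
}

# Return 0 if the `firewall-cmd --list-all` output read from stdin permits the
# given firewalld service name (e.g. https) or raw TCP port (e.g. 443),
# 1 otherwise. Works on captured text, so it runs without firewalld installed.
zone_allows() {
  local want="$1" listing services ports s p
  listing=$(cat)
  services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
  ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
  for s in $services; do [ "$s" = "$want" ] && return 0; done
  for p in $ports;    do [ "$p" = "$want/tcp" ] && return 0; done
  return 1
}

# Print the firewalld service that still has to be added for the challenge to
# succeed (exit 1), print nothing and exit 0 if the zone already permits it,
# exit 2 for an unknown challenge type. Zone listing comes in on stdin.
challenge_firewall_gap() {
  local challenge="$1" svc
  svc=$(service_for_challenge "$challenge") || return 2
  [ -z "$svc" ] && return 0
  if zone_allows "$svc"; then return 0; fi
  echo "$svc"
  return 1
}

# Open a service in both the running and the permanent configuration (root).
# Go through firewall-cmd rather than editing iptables behind firewalld's back.
open_service() {
  firewall-cmd --permanent --add-service="$1" && firewall-cmd --reload
}

# Constructed sample of `firewall-cmd --list-all` for a default CentOS 7
# public zone where ssh, http and the MySQL port were opened but https was not.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

main() {
  local challenge="${1:-tls-sni-01}" listing gap
  if command -v firewall-cmd >/dev/null 2>&1; then
    listing=$(firewall-cmd --list-all)
  else
    echo "firewall-cmd not found; using the constructed sample listing" >&2
    listing="$SAMPLE_LISTING"
  fi
  if gap=$(printf '%s\n' "$listing" | challenge_firewall_gap "$challenge"); then
    echo "$challenge: firewalld does not block the validation connection"
  elif [ -n "$gap" ]; then
    echo "$challenge: blocked by firewalld; fix with:"
    echo "  firewall-cmd --permanent --add-service=$gap && firewall-cmd --reload"
    echo "then confirm Apache actually listens on the port: ss -ltn"
  else
    echo "cannot evaluate challenge type '$challenge'" >&2
    return 2
  fi
}

main "$@"
```

Two caveats the thread raises but does not spell out. First, the firewall is only one side of the check: the ACME server must reach the host from the public internet, so an upstream security group, NAT or hosting firewall blocks the challenge just as effectively as firewalld does. Second, because Let's Encrypt certificates expire after 90 days (post #3), the host also needs a scheduled `certbot renew` run (the distribution package normally installs a cron job or systemd timer for it), and renewal repeats the same challenge, so the port has to stay open permanently, not just for the first issuance.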
#7 (Forgotten Moderator)
    Me? If I had a lot of sites to create certs for then a tool would be nice, but otherwise nah: I'll already have the certs available and updating the server configuration is a matter of a handful of mostly copied-and-pasted lines to add. It's a one-time thing so doing it manually is faster than learning how to use some tool.
