Problem: Certbot returns a urn:ietf:params:acme:error:connection error when trying to install a certificate for the subdomain rainloop.example.com.
EDIT: As can be seen in the "EDIT" section below, there's a far more important problem, probably the cause of the Certbot failure.
What I've tried to solve this issue: I've been researching heavily for other people with the same problem, but can't seem to find any useful information. I've looked into the DNS records for my domain, but since setting up a certificate for my other two subdomains hasn't been a problem, I'm not questioning them. I've also checked the permissions on the root folder of that subdomain and gone through my vhost config multiple times. Finally I've even restarted my server, but nothing helped.
All configurations: I'll end this question by pasting all my configuration files and certbot logs here. Thanks for any answers in advance :)
VHOST CONFIGURATION
pfa.example.com (as example, this subdomain works)
server {
    listen 80 http2;
    listen [::]:80 http2;
    server_name pfa.example.com;
    return 301 https://pfa.example.com$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pfa.example.com;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/pfa.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/pfa.example.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_dhparam /etc/letsencrypt/live/pfa.example.com/dh.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/pfa.example.com/chain.pem;
    resolver 8.8.8.8;
    root /var/www/pfa/;
    index index.php index.html index.htm;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header x-xss-protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    }
}
rainloop.example.com (subdomain with failed SSL certificate):
server {
    listen 80;
    listen [::]:80;
    server_name rainloop.example.com;
    root /var/www/rainloop;
    index index.php index.html index.htm;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
}
I think it's also important to point out my default vhost config, since I've modified it slightly:
server {
    server_name _;
    listen 80 default_server;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
}
Certbot Output during installation:
> certbot --nginx -d rainloop.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for rainloop.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. rainloop.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14: Error getting validation data
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: rainloop.example.com
Type: connection
Detail: Fetching
http://rainloop.example.com/.well-known/acme-challenge/9ivMyI4q3M98EDzr6Fco71Ih8_mZl1epApasB6nNa14:
Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Certbot log (located at /var/log/letsencrypt/letsencrypt.log):
Too long to paste it here, have a look at it at my backup page.
Permissions on /var/www/rainloop/: (according to filezilla):
775 www-data:www-data
I'm using Debian 9 (Stretch) with NGINX 1.10.3, MariaDB 10.1.37 and PHP 7.2-FPM.
THANKS FOR ANY ADVICE :)
EDIT: When calling the page (example.com) from another client than my computer, which has cached the 301 redirect to https, it downloads a randomly named file with strange, but every time identical, content instead of performing the intended redirect. Even when calling www.example.com or https://www.example.com it downloads a document; only when calling https://www.example.com does it additionally display the content of /var/www/www.example.com/ as intended. The same goes for the pfa.example.com subdomain, which has an almost identical vhost configuration to www.example.com.
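A diagnostic for the two symptoms above (a plain-HTTP client on port 80 getting a file download instead of a redirect, and the http-01 validator failing to fetch the challenge): this added Python example, not part of the original question, sends the same HTTP/1.1 request a validator would and reports whether the reply is an HTTP/1.x status line or raw HTTP/2 frames, which is what nginx returns on a port whose listen directive carries the `http2` parameter (as the pfa.example.com port 80 block does, and that parameter applies to every server sharing the port). The host name and probe path are assumptions; the sample responses are constructed for offline testing.

```python
import socket
import sys

# Constructed sample responses (not captured from the poster's server).
HTTP1_SAMPLE = b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"
# Minimal HTTP/2 SETTINGS frame: 24-bit length 0, type 0x04, flags 0, stream id 0.
H2_SETTINGS_SAMPLE = b"\x00\x00\x00\x04\x00\x00\x00\x00\x00"
# HTTP/2 GOAWAY frame: length 8, type 0x07, stream 0, last-stream-id 0, error PROTOCOL_ERROR.
H2_GOAWAY_SAMPLE = b"\x00\x00\x08\x07\x00\x00\x00\x00\x00" + b"\x00" * 4 + b"\x00\x00\x00\x01"

# Connection-level frame types a server emits when it rejects a non-HTTP/2 client.
H2_FRAME_TYPES = {0x4: "SETTINGS", 0x7: "GOAWAY"}


def classify_response(data: bytes) -> dict:
    """Tell an HTTP/1.x response apart from raw HTTP/2 frames on a cleartext socket."""
    if data.startswith(b"HTTP/1."):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"protocol": "http/1.x", "detail": status_line}
    if len(data) >= 9:
        length = int.from_bytes(data[0:3], "big")
        ftype = data[3]
        stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
        # A SETTINGS or GOAWAY frame on stream 0 is the HTTP/2 connection preamble.
        if stream_id == 0 and ftype in H2_FRAME_TYPES:
            return {"protocol": "http/2-frames",
                    "detail": f"{H2_FRAME_TYPES[ftype]} frame, length {length}"}
    return {"protocol": "unknown", "detail": data[:16].hex()}


def probe(host: str, path: str = "/.well-known/acme-challenge/probe", port: int = 80) -> dict:
    """Send a plain HTTP/1.1 GET (as the ACME http-01 validator does) and classify the reply."""
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: acme-probe\r\nConnection: close\r\n\r\n").encode()
    data = b""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request)
        while len(data) < 4096:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python3 probe.py rainloop.example.com
    else:
        for sample in (HTTP1_SAMPLE, H2_SETTINGS_SAMPLE, H2_GOAWAY_SAMPLE):
            print(classify_response(sample))
```

An "http/2-frames" result on port 80 means no HTTP/1.1 client, the Let's Encrypt validator included, can read the redirect or the challenge file until the `http2` parameter is removed from the port 80 listen directives.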