Letsencrypt Part Deux: Failed to connect to host for DVSNI challenge.

SSL Certificate Nerdery
All that work just to get a green lock!

I once worked at a job whose firewall was so idiotic, it did not allow access to blogs. Since 40% of blog entries are technical, I had to use my phone to do an end run around said idiotic firewall to do my job. I used that one blog post to make jQuery work with XUL (I know right!?) So it’s time to pay it forward.

I managed to get my secure certs from Let’s Encrypt renewed.  I ran:

letsencrypt-auto renew

and got this error message (excerpted for brevity):

 Failed to connect to host for DVSNI challenge.

It turned out that in an earlier bout of futzing with the SSL settings in ports.conf, I had changed away from the default entry, which is:

Listen 443

Putting that back to “Listen 443” worked. Apparently DVSNI (Domain Validation with Server Name Indication) is a way to prove you own the server: the Let’s Encrypt validation server connects to your host on port 443 and expects a TLS handshake there, so if Apache isn’t listening on 443 the challenge fails before it even starts.
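Since the dry run did not catch this, here is a small pre-flight check I would run before the renewal: it parses ports.conf for an uncommented Listen directive on 443 and then tries a plain TCP connect to the public host on 443, which is exactly what the DVSNI challenge needs to succeed. This is an added example, not code from the original post or from Let’s Encrypt; the default path /etc/apache2/ports.conf and the host name argument are assumptions.

```shell
#!/usr/bin/env bash
# Pre-flight check before `letsencrypt-auto renew`: confirm that Apache's
# ports.conf still has a Listen directive for 443 and that something actually
# accepts TCP connections there, since the DVSNI challenge connects on 443.
# Added example, not code from the original post; the default config path and
# the host name passed to main are assumptions.

# Print the ports bound by uncommented `Listen` directives in an Apache
# ports.conf, one per line, sorted and de-duplicated. Handles the forms
# "Listen 443", "Listen 0.0.0.0:443", "Listen [::]:443" and "Listen 443 https".
listen_ports() {
  sed -n 's/^[[:space:]]*Listen[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" |
    sed 's/.*://' | sort -u
}

# Succeed (exit 0) only if the given ports.conf binds port 443.
listens_on_443() {
  listen_ports "$1" | grep -qx 443
}

# Succeed only if a TCP connection to host:port opens within 3 seconds.
# Uses bash's /dev/tcp so no extra tools are needed.
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run both checks; arguments: path to ports.conf, public host name.
main() {
  conf=${1:-/etc/apache2/ports.conf}
  host=${2:-$(hostname -f)}
  status=0
  if listens_on_443 "$conf"; then
    echo "ok: $conf has a Listen directive for 443"
  else
    echo "FAIL: no Listen 443 in $conf (found: $(listen_ports "$conf" | tr '\n' ' '))"
    status=1
  fi
  if port_open "$host" 443; then
    echo "ok: $host accepts connections on 443"
  else
    echo "FAIL: cannot connect to $host:443; the DVSNI challenge will fail too"
    status=1
  fi
  return $status
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `bash check443.sh /etc/apache2/ports.conf www.example.com` and fix anything marked FAIL before invoking the renewal.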

I found a lot of solutions for folks on AWS and Cloudflare involving jiggering IP addresses and renewing the Google DNS cache, but I have a VPS from Rackspace so that wasn’t it for me.

I thought that having Apache 2.4.7 (because I’m on Ubuntu 14.04 LTS) would cause issues, but that turned out not to be the case, even though the dry run only mentioned fullchain.pem, which requires Apache 2.4.8 to work. The renew option also generates chain.pem and cert.pem as separate files; fullchain.pem is just those two files concatenated.

Of course the dry run did NOT show the DVSNI issue. I’m going to check back in a while and see if my automated cron job actually works now that I’ve done it manually.