ACME Challenge fails - Connection Refused

I'm having a sequence of two situations that I had not encountered in N previous setups. I hope you can provide a hint on where to look.

First comes this:
Unable to read ssl_module file; not disabling session tickets.
Which looks important as ssl_module is required for https operations, but not to produce the next error:
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mail.idt.mx
Type: connection
Detail: 200.23.130.34: Fetching http://mail.idt.mx/.well-known/acme-challenge/8pDwpZJTrhsgejGVPJX7gTspBAHXWZvsest5jmoFpjg: Connection refused

My web server and OS are:

root@mail:~ # apachectl -v
Server version: Apache/2.4.57 (FreeBSD)
Server built: unknown
root@mail:~ # uname -a
FreeBSD mail.idt.mx 13.2-RELEASE FreeBSD 13.2-RELEASE releng/13.2-n254617-525ecfdad597 GENERIC amd64
root@mail:~ # certbot --version
certbot 2.6.0

CODE:
root@mail:~ # curl -i http://mail.idt.mx
HTTP/1.1 200 OK
Date: Mon, 07 Aug 2023 14:32:01 GMT
Server: Apache
Last-Modified: Sat, 05 Aug 2023 21:20:34 GMT
ETag: "2d-60233957a4eda"
Accept-Ranges: bytes
Content-Length: 45
Content-Type: text/html

It works!

root@mail:~ # certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to read ssl_module file; not disabling session tickets.

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: mail.idt.mx


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for mail.idt.mx

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: mail.idt.mx
Type: connection
Detail: 200.23.130.34: Fetching http://mail.idt.mx/.well-known/acme-challenge/8pDwpZJTrhsgejGVPJX7gTspBAHXWZvsest5jmoFpjg: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).

Unable to restart apache using ['apachectl', 'graceful']
Encountered exception during recovery: certbot.errors.MisconfigurationError: Error while running apachectl graceful.
apache24 not running? (check /var/run/httpd.pid).
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@mail:~ #

...and apache crashes or doesn't come back up.

That looks like you are accessing it from itself:

You need to test access to it from the Internet.

3 Likes

That said, I'm able to access it from the Internet...
So, you may have some sort of Geo-Location blocking going on.

3 Likes
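An added pre-flight script (my own, not from the thread or from Certbot) that covers both symptoms reported so far: whether /var/run/httpd.pid names a live httpd, which is what 'apachectl graceful' needs, and how to read the certbot output to separate a refused port 80 from an Apache problem. The probe function is meant to be run from a host outside the network, as the replies above advise; the function names and the classification words are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for 'certbot --apache' on FreeBSD, mirroring the two
# failures in the thread: the CA got "Connection refused" on port 80, and
# 'apachectl graceful' reported "apache24 not running? (check /var/run/httpd.pid)".
PIDFILE="${PIDFILE:-/var/run/httpd.pid}"   # path named in that message

# check_pidfile FILE -> prints missing | stale | alive (always exits 0).
# 'apachectl graceful' needs a pid file naming a live httpd; a leftover file
# from a crashed httpd, or none at all, produces the "not running?" error.
# kill -0 needs permission to signal httpd, so run as root as in the thread.
check_pidfile() {
    f="$1"
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    pid=$(tr -d '[:space:]' < "$f")
    case "$pid" in
        ''|*[!0-9]*) echo stale; return 0 ;;
    esac
    if kill -0 "$pid" 2>/dev/null; then echo alive; else echo stale; fi
}

# classify_certbot_log FILE -> unreachable | pidfile | issued | unknown.
# Root cause first: a refused TCP/80 connection from the CA is a
# firewall/NAT/geo-block problem, not an Apache configuration problem.
classify_certbot_log() {
    if grep -qF 'Connection refused' "$1"; then echo unreachable
    elif grep -qF 'not running? (check' "$1"; then echo pidfile
    elif grep -qF 'Successfully received certificate' "$1"; then echo issued
    else echo unknown
    fi
}

# probe_challenge HOST TOKEN -> HTTP status for the path the CA fetches.
# Run it from a host outside your own network; from the server itself
# (as the 'curl -i http://mail.idt.mx' in the thread did) it proves nothing.
probe_challenge() {
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$1/.well-known/acme-challenge/$2"
}

# write_sample_log FILE: constructed sample made from the lines certbot
# printed in this thread, so the classifier can be tried without a real run.
write_sample_log() {
    cat > "$1" <<'EOF'
Detail: 200.23.130.34: Fetching http://mail.idt.mx/.well-known/acme-challenge/8pDwpZJTrhsgejGVPJX7gTspBAHXWZvsest5jmoFpjg: Connection refused
apache24 not running? (check /var/run/httpd.pid).
EOF
}
# Example: s=$(mktemp); write_sample_log "$s"; check_pidfile "$PIDFILE"; classify_certbot_log "$s"
```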

Looked it up in iplocation.net and got fairly consistent reports:

CODE: (sorry for the conversion of html into text)

Geolocation data from IP2Location (Product: DB6, 2023-8-1)
IP Address: 200.23.130.34 | Country: Mexico | Region: Tamaulipas | City: Tampico
ISP: Sistemas Aplicados de la C.P. S.A. de C.V. | Organization: Not available
Latitude: 22.2167 | Longitude: -97.8500

Geolocation data from ipinfo.io (Product: API, real-time)
IP Address: 200.23.130.34 | Country: Mexico | Region: Tamaulipas | City: Tampico
ISP: INBTEL SA DE CV | Organization: Sistemas Aplicados de la C.P., S.A. de C.V. (sistemasaplicados.com.mx)
Latitude: 22.3263 | Longitude: -97.8864

Geolocation data from DB-IP (Product: API, real-time)
IP Address: 200.23.130.34 | Country: Mexico | Region: Tamaulipas | City: Tampico (México)
ISP: Sistemas Aplicados de la C.P | Organization: Sistemas Aplicados de la C.P., S.A. de C.V
Latitude: 22.3021 | Longitude: -97.8805

Geolocation data from IPregistry.co (Product: API, real-time)
IP Address: 200.23.130.34 | Country: Mexico | Region: Tamaulipas | City: Tampico
ISP: INBTEL SA DE CV | Organization: Sistemas Aplicados De La C.P., S.A. De C.V.
Latitude: 22.21663 | Longitude: -97.84994

Geolocation data from IPGeolocation.io (Product: API, real-time)
IP Address: 200.23.130.34 | Country: Mexico | Region: Tamaulipas | City: Tampico
ISP: Sistemas Aplicados de la C.P., S.A. de C.V. | Organization: Not available
Latitude: 22.30247 | Longitude: -97.88074

Geolocation data from IPapi.co (Product: API, real-time)
IP Address: 200.23.130.34 | Country: Mexico | Region: Tamaulipas | City: Tampico
ISP: Not available | Organization: Not available
Latitude: 22.2786 | Longitude: -97.9043

I ran a manual certificate request and was successful. Alas, no autorenewal will happen and I have the odd suffix '-0001' for the location of my certificates in /usr/local/etc/letsencrypt/live/mail.idt.mx-0001
I'd rather have the standard autorenewal capability, though.

CODE:

certbot certonly --manual --preferred-challenges=http-01

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): mail.idt.mx
Requesting a certificate for mail.idt.mx

Successfully received certificate.
Certificate is saved at: /usr/local/etc/letsencrypt/live/mail.idt.mx-0001/fullchain.pem
Key is saved at: /usr/local/etc/letsencrypt/live/mail.idt.mx-0001/privkey.pem
This certificate expires on 2023-11-05.
These files will be updated when the certificate renews.

NEXT STEPS:

  • This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

If you like Certbot, please consider supporting our work by:


You got at least 4 production certs today and one from staging (below).

I am not sure what that means but it is not what I expected to see given the info posted.

What does this do?

apachectl graceful

And what does this show?

certbot certificates

3 Likes

Mmm... I guess there's a bug when --apache is specified. Those certificates did not arrive nor were installed in my system. I was not aware of the situation you mention. Sorry.
My certificate is working now after a couple of requests today.
Thanks for your support.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.