Cert renewal fails - SOLVED Thank you for all the help

My domain is: Greenthing.co.uk

I ran this command: /usr/lib/acme/acme.sh --home /etc/acme --renew -d greenthing.co.uk --debug

It produced this output: greenthing.co.uk:Verify error:greenthing.co.uk:Verify error:212.159.109.130: Fetching http://greenthing.co.uk/.well-known/acme-challenge/JTaGG1-gjha-jKgLZMd-ZwBzGq12epSyuH674EvRYa0: Connection refused

My web server is (include version): nginx version: nginx/1.21.3 (x86_64-pc-linux-gnu)

The operating system my web server runs on is (include version): OpenWrt 22.03.0 r19685-512e76967f / LuCI openwrt-22.03 branch git-23.038.39289-18dde0c

The token is written to the correct place and is available externally at the address given so I do not understand the 'connection refused' error. Has anyone got any ideas of what is wrong?

Hello @Crowbait, welcome to the Let's Encrypt community. :slightly_smiling_face:

You can find more information on acme.sh here: GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol, and their issues are here: Issues · acmesh-official/acme.sh · GitHub

You are using the HTTP-01 challenge, which requires Port 80 to be open and accessible.

Here is what nmap is showing, no Port 80. Best Practice - Keep Port 80 Open

$ nmap -Pn greenthing.co.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-14 16:28 UTC
Nmap scan report for greenthing.co.uk (212.159.109.130)
Host is up (0.16s latency).
rDNS record for 212.159.109.130: oddsage.plus.com
Not shown: 996 closed ports
PORT    STATE    SERVICE
25/tcp  filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 41.70 seconds
1 Like

I don't see that.
All HTTP connections return:

curl -Ii http://greenthing.co.uk/
curl: (56) Recv failure: Connection reset by peer
3 Likes

Hi, when I said it is available externally at the address given, I meant it literally. Requests to http://greenthing.co.uk will be redirected to https://greenthing.co.uk. Only requests to http://greenthing.co.uk/.well-known/acme-challenge/ are allowed on port 80.

Hence, enter this in a browser to see the token:

http://greenthing.co.uk/.well-known/acme-challenge/JTaGG1-gjha-jKgLZMd-ZwBzGq12epSyuH674EvRYa0

What is it I am missing?

That the URL is not available from many places in the public Internet. My result:

curl http://greenthing.co.uk/.well-known/acme-challenge/JTaGG1-gjha-jKgLZMd-ZwBzGq12epSyuH674EvRYa0
curl: (7) Failed to connect to greenthing.co.uk port 80 after 121 ms: Connection refused

Can you try from a mobile phone with wifi off so you are using the carrier network?

If that works, do you have some sort of geographic based firewall?

Although, I did try from a London based host earlier and could not see your domain either so I don't think that is it.

3 Likes
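The exchange above turns on one distinction: the poster sees the token from their own network, while the replies see a TCP-level "Connection refused" on port 80, which is a different failure from an nginx redirect or a 404. The script below is an added example, not code from this thread, from acme.sh, or from Let's Encrypt. It contains a probe that classifies what happens when a challenge URL is fetched (refused, reset, timeout, redirect, token served, other HTTP error), plus a constructed local stand-in for the nginx behaviour the poster describes (challenge path served on port 80, everything else redirected to https) so the probe can be exercised offline. The token name and key-authorization body are constructed placeholders; the `find_closed_port` helper exists only to demonstrate the "refused" outcome locally. Run against a real domain, the probe only tells you what is reachable from the machine you run it on; the CA validates from several vantage points, so a check that passes from inside the network proves little.

```python
"""Probe an HTTP-01 challenge URL and say which layer the failure is at.

Added example (not from the forum thread or acme.sh). Outcomes:
  refused    TCP connection rejected (nothing listening, or a firewall sending RST)
  reset      connection accepted, then torn down (e.g. a proxy/IDS closing it)
  timeout    no answer at all (packets dropped)
  dns        hostname did not resolve
  redirect   3xx answer (the nginx "send everything to https" rule fired)
  served     200 with a body, returned for comparison with the expected token
  http_error any other status (404 if the token file is not where nginx looks)
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

ACME_PREFIX = "/.well-known/acme-challenge/"


def probe(url, timeout=5.0):
    """Fetch url over plain HTTP and return (outcome, detail)."""
    u = urlparse(url)
    host, port = u.hostname, u.port or 80
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        # Send an explicit Host header; the probe is not pretending to be a browser.
        conn.request("GET", u.path or "/",
                     headers={"Host": u.netloc, "User-Agent": "acme-probe/0.1"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        location = resp.getheader("Location")
        conn.close()
    except ConnectionRefusedError:
        return ("refused", "TCP SYN answered with RST on port %d" % port)
    except ConnectionResetError:
        return ("reset", "connection accepted then reset by peer")
    except socket.timeout:
        return ("timeout", "no answer within %.1fs" % timeout)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    if 300 <= resp.status < 400:
        return ("redirect", location or "")
    if resp.status == 200:
        return ("served", body.strip())
    return ("http_error", "%d %s" % (resp.status, resp.reason))


def check_challenge(base_url, token_name, expected_body):
    """Fetch the challenge file and compare it with the key authorization the client wrote."""
    outcome, detail = probe(base_url + ACME_PREFIX + token_name)
    return {"outcome": outcome, "detail": detail,
            "ok": outcome == "served" and detail == expected_body}


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the described nginx rules: only the challenge
    path is answered on port 80, everything else gets a 301 to https."""
    tokens = {}  # token filename -> key authorization; filled by start_demo_server

    def do_GET(self):
        if self.path.startswith(ACME_PREFIX):
            body = self.tokens.get(self.path[len(ACME_PREFIX):])
            if body is None:
                self.send_error(404)  # token file missing from the webroot
                return
            data = body.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
            return
        self.send_response(301)
        self.send_header("Location", "https://%s%s" % (self.headers.get("Host", "localhost"), self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server(tokens):
    """Serve the constructed tokens on an ephemeral loopback port in a background thread."""
    DemoHandler.tokens = dict(tokens)
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def find_closed_port():
    """Return a loopback port with nothing listening, to show the 'refused' outcome."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    token, keyauth = "example-token-CONSTRUCTED", "example-token-CONSTRUCTED.CONSTRUCTED-THUMBPRINT"
    srv = start_demo_server({token: keyauth})
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    print("site root   :", probe(base + "/"))
    print("challenge   :", check_challenge(base, token, keyauth))
    print("wrong token :", probe(base + ACME_PREFIX + "missing"))
    print("closed port :", probe("http://127.0.0.1:%d/" % find_closed_port()))
    srv.shutdown()
```

Against a real host, call `check_challenge("http://example.test", token_name, key_authorization)` from a machine outside the network in question; an outcome of `refused` or `timeout` means the request never reached nginx and no `location` rule can be the cause, while `redirect` or `http_error` means port 80 is reachable and the web server configuration is what to look at.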

Hi. Thank you for the quick reply and heads up on your experience. I can browse the token on 4G and from my work pc. I haven't tried curl or wget but struggle to understand why the result may be different or why there should be any regional variation. I will do some external digging from work tomorrow.

2 Likes

It wouldn't be different unless you have a firewall that is checking User-Agent strings and blocking anything that doesn't look like a browser. As just one idea.

EDIT: I just tried using a browser from a test server on US East Coast and get same "refused" error so probably not user-agent related.

3 Likes

Using this online tool https://check-host.net/ to check from around the world with an input of http://greenthing.co.uk/ returns Connection refused; Permanent link to this check report.

I get this with curl

$ curl -Ii http://greenthing.co.uk/
curl: (7) Failed to connect to greenthing.co.uk port 80 after 3434 ms: Connection refused

I get this with nmap -Pn

$ nmap -Pn greenthing.co.uk
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-02-14 15:27 PST
Nmap scan report for greenthing.co.uk (212.159.109.130)
Host is up (0.16s latency).
rDNS record for 212.159.109.130: oddsage.plus.com
Not shown: 996 closed ports
PORT    STATE    SERVICE
25/tcp  filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 40.37 seconds
1 Like
