Certbot-auto reports connection refused

Please fill out the fields below so we can help you better.

My domain is: owneriq.net

I ran this command: /opt/letsencrypt/certbot-auto

It produced this output:

Failed authorization procedure. grafana1.dev.infra.nyj.inap.owneriq.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, grafana1.dev.infra.owneriq.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:

My web server is (include version): Apache 2.2.15

The operating system my web server runs on is (include version): CentOS 6.7

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’ve set this up on several servers at this point and never ran into this issue before. Apache is running on port 80 and can be reached publicly.

Hi @jruybal,

That restriction will last for an hour (counting from the first failed attempt, not the most recent one) and is meant to stop automated processes from repeatedly trying to issue certificates over and over again. You can test with --staging in the meantime or any time when you're not sure if issuance will work.

I find this failure kind of mysterious because I can connect to these web servers just fine. Is it possible that you have some kind of firewall or intrusion prevention system that selectively blacklists incoming connections from certain networks or locations?

Yeah, that’s the confusing part. It’s an out-of-the-box CentOS setup. I’ve done the following while debugging:

  • There’s a firewall up, but port 80 and 443 are wide open for this server. Same goes for iptables.
  • I’ve tested from two different external sources, both with curl and telnet on port 80.
  • I’ve disabled SELinux.
  • Made sure there’s nothing like denyhosts or fail2ban on the host.
  • I’ve double checked DNS records.

Our firewall is managed by our hosting provider, so I’m talking with them to make sure it’s not getting stopped there. Is there an IP I could point them to?
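The debugging steps listed above (confirm DNS, confirm ports 80 and 443 reach the host, then retry) are easy to script. The following is an added example, not code from the thread or from Certbot: it parses the "Failed authorization procedure" line as it appears in the output above into one record per domain, maps each failed challenge to the port the validation server had to reach (tls-sni-01 validates over 443, http-01 over 80), and runs a resolve-and-connect pre-flight against the host. The sample output string is a constructed copy of the line shown in the thread; the function names are this example's own.

```python
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the failure line as certbot printed it in the thread above.
SAMPLE_OUTPUT = (
    "Failed authorization procedure. "
    "grafana1.dev.infra.nyj.inap.owneriq.net (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Connection refused, "
    "grafana1.dev.infra.owneriq.net (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Connection refused"
)

# Port each ACME challenge type is validated on (tls-sni-01 is the one in the output above).
CHALLENGE_PORT = {"tls-sni-01": 443, "http-01": 80}


@dataclass
class ChallengeFailure:
    domain: str
    challenge: str
    error_type: str
    description: str
    detail: str


# One entry: "<domain> (<challenge>): <urn> :: <description> :: <detail>"
FAILURE_RE = re.compile(
    r"(?P<domain>[A-Za-z0-9.\-]+) \((?P<challenge>[a-z0-9\-]+)\): "
    r"(?P<error_type>urn:\S+) :: (?P<description>.*?) :: (?P<detail>.+)$"
)


def parse_failures(output: str) -> List[ChallengeFailure]:
    """Split certbot's comma-joined failure line into one record per domain."""
    prefix = "Failed authorization procedure. "
    body = output.strip()
    if body.startswith(prefix):
        body = body[len(prefix):]
    # Split only on ", " that is followed by the start of the next "<domain> (<challenge>): " entry,
    # so commas inside an error detail do not break a record apart.
    pieces = re.split(r", (?=[A-Za-z0-9.\-]+ \([a-z0-9\-]+\): )", body)
    failures = []
    for piece in pieces:
        match = FAILURE_RE.match(piece)
        if match:
            failures.append(ChallengeFailure(**match.groupdict()))
    return failures


def ports_to_check(failures: List[ChallengeFailure]) -> Dict[str, Optional[int]]:
    """Map each failed domain to the port the ACME server tried to reach (None if unknown)."""
    return {f.domain: CHALLENGE_PORT.get(f.challenge) for f in failures}


def preflight(domain: str, ports=(80, 443), timeout: float = 5.0) -> dict:
    """Resolve the name and attempt a plain TCP connect to each port from this vantage point.

    This only tells you the host is reachable from where the script runs; the thread shows
    that a provider-side firewall can still block the validation server's source networks.
    """
    result = {"domain": domain, "addresses": [], "ports": {}}
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
        result["addresses"] = sorted({info[4][0] for info in infos})
    except socket.gaierror as exc:
        result["dns_error"] = str(exc)
        return result
    for port in ports:
        try:
            with socket.create_connection((result["addresses"][0], port), timeout=timeout):
                result["ports"][port] = "open"
        except OSError as exc:
            result["ports"][port] = f"failed: {exc}"
    return result


if __name__ == "__main__":
    failures = parse_failures(SAMPLE_OUTPUT)
    for failure in failures:
        print(f"{failure.domain}: {failure.challenge} -> {failure.error_type} ({failure.detail})")
    for domain, port in ports_to_check(failures).items():
        print(f"validation for {domain} needs inbound TCP/{port}")
        print(preflight(domain, ports=(port,) if port else (80, 443)))
```

Run it against the real output by piping certbot's log line into `parse_failures`; an empty list means the line did not match the expected shape, not that nothing failed, so check the raw text in that case.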

It's not published and it's not guaranteed to remain constant (and I don't know what it is).

@cpu, can you do anything to check whether connectivity to this address is different from our data centers compared to from other networks?

Sure, I will follow up with our operations team to see if they can do some tests from the data centres.

@jruybal We are not blocking that IP. We could connect successfully to port 80 and port 443 on your web server. Can you post your vhost configuration?

@jruybal Could you try running Certbot again? It may be the problem was resolved since the last attempt.


Hey guys, looks like it’s working this time around.

Thanks for your help!
