Certbot failed to authenticate some domains: connection refused

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: co2balanceserver.com

I ran this command: A command from kobo-install

It produced this output:

My web server is (include version): I'm using a VPS with 8GB RAM, 160GB Storage

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: OVHCloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): snap install certbot # version 2.9.0, or
apt install certbot # version 0.40.0-1ubuntu0.1

I'm getting this error:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:

Which then follows up with:

Domain: ee.co2balanceserver.com
Type: connection
Detail: 198.244.188.76: Fetching http://ee.co2balanceserver.com/.well-known/acme-challenge/7tTG7j0yl-5MYO6dWsQ4vwB293AdxFmOW_jt_sMXqQk: Connection refused

Domain: kc.co2balanceserver.com
Type: connection
Detail: 198.244.188.76: Fetching http://kc.co2balanceserver.com/.well-known/acme-challenge/zoSsnbtGw0BNbgnWcxIFnbP4S2fqztN-tHsHh_9_LR8: Connection refused

Domain: kf.co2balanceserver.com
Type: connection
Detail: 198.244.188.76: Fetching http://kf.co2balanceserver.com/.well-known/acme-challenge/_sQtDQfEIeqD5QagWQ6gVtXeRylxWSiona-Sv6Ywkz8: Connection refused

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

I'm very new to this, can anyone offer any advice?

Thanks in advance!

Hi @KieranMS, and welcome to the LE community forum :slight_smile:

"Connection refused" generally means there is a firewall preventing LE from reaching your server via HTTP.

Is the site reachable from the whole Internet via HTTP?
I would have to say "NO":

curl -Ii http://kc.co2balanceserver.com/.well-known/acme-challenge/Test_File-1234
curl: (56) Recv failure: Connection reset by peer

Is that the correct IP address?
What shows?:

curl -4 ifconfig.me

6 Likes

Firstly, thanks for the reply, I'm very new to all of this and just trying to wrap my head around it!

I don't believe there is a firewall set up on the VPS

and curl -4 ifconfig.me returns:

ubuntu@vps-6f095bcb:~$ curl -4 ifconfig.me

198.244.188.76ubuntu@vps-6f095bcb:~$

So, the IP is correct.
Now, you need to open the firewall [or whatever is blocking].

4 Likes

The firewall has port 80 open and unblocked

This is what I see presently.

$ nmap -Pn -p80,443 kc.co2balanceserver.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-29 00:29 UTC
Nmap scan report for kc.co2balanceserver.com (198.244.188.76)
Host is up (0.15s latency).
Other addresses for kc.co2balanceserver.com (not scanned): 2001:41d0:801:2000::55bd
rDNS record for 198.244.188.76: vps-6f095bcb.vps.ovh.net

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp closed https

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
3 Likes

I'm using OVHCloud for my VPS and as far as they say it's all open, do you have any advice on how to open it?

Thanks!

1 Like

Here is the ufw status

root@vps-6f095bcb:~# ufw status
Status: active

To                         Action      From
80/tcp                     ALLOW       Anywhere
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)

Your root domain name has only an IPv4 address, but at least your ee subdomain has both IPv4 and IPv6. Did you check connectivity for both? Because this test site says connections are refused.

4 Likes
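The checks made by hand in the replies above (curl, nmap, IPv4 versus IPv6) can be combined into one probe that tries port 80 on every address a name resolves to and separates "refused" from "timeout". This is an added example, not part of the original thread and not Certbot or kobo-install code; the function names `probe`, `check_host` and `diagnose` and the hint texts are assumptions made for illustration.

```python
import errno
import socket
import sys

def probe(family, sockaddr, timeout=3.0):
    """Attempt one TCP connect; return 'open', 'refused', 'timeout' or 'error:<ERRNO>'."""
    s = socket.socket(family, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(sockaddr)
        return "open"
    except ConnectionRefusedError:
        return "refused"   # a reset came back: host reached, nothing accepted the connection
    except socket.timeout:
        return "timeout"   # no answer at all: packets are being dropped on the way
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

def check_host(host, port=80, resolver=socket.getaddrinfo):
    """Probe every IPv4 and IPv6 address the name resolves to."""
    results = {}
    for family, _, _, _, sockaddr in resolver(host, port, type=socket.SOCK_STREAM):
        if family in (socket.AF_INET, socket.AF_INET6):
            results[sockaddr[0]] = probe(family, sockaddr)
    return results

# Hint texts are illustrative assumptions, not output of any tool.
HINTS = {
    "open": "something is listening; check that it serves /.well-known/acme-challenge/",
    "refused": "no listener on the port (check `ss -tln` on the server) or a reject rule",
    "timeout": "packets dropped; check host and provider firewalls",
}

def diagnose(results):
    """Turn {address: state} into one readable line per address."""
    return [f"{addr}: {state} -> {HINTS.get(state, 'see errno')}"
            for addr, state in sorted(results.items())]

if __name__ == "__main__":
    # Constructed default: 'localhost'. Pass your own hostnames as arguments.
    for name in sys.argv[1:] or ["localhost"]:
        print(name)
        for line in diagnose(check_host(name)):
            print("  " + line)
```

Run it from a machine outside the server's network, since a probe from the server itself does not cross the same firewalls. An allow rule in ufw only permits traffic; a "refused" result with the port allowed points at no process listening on that port.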

I've amended the DNS to add an IPv6 address but the issue is still persisting.

Would you show please the output of the

ip -6 address show scope global

command?

2 Likes
