Certbot, Nginx, Centos7 : connection refused

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

www.ricercatoritaliani.ch

I ran this command:

It produced this output:

My web server is (include version):

nginx version: nginx/1.16.1

The operating system my web server runs on is (include version):

Centos7

My hosting provider, if applicable, is:

self

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.13.0


Hello!

I'm trying to set up HTTPS for my site, and I have followed the instructions I found linked from the Let's Encrypt home page:

I have installed snapd and certbot and created the certificates, and all steps were successful. But then, HTTPS access to my test site always returns a "connection refused" error.

Here below, you can find all the outputs from my attempts and tests.

Thanks a lot for your kind help, and I wish you a very good day and a nice Easter weekend!

Regards,
-- Riccardo.


certificates

# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: ricercatoritaliani.ch
2: www.ricercatoritaliani.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Requesting a certificate for ricercatoritaliani.ch and www.ricercatoritaliani.ch
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://ricercatoritaliani.ch and
https://www.ricercatoritaliani.ch
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ricercatoritaliani.ch/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ricercatoritaliani.ch/privkey.pem
   Your certificate will expire on 2021-07-01. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

renewal test

# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ricercatoritaliani.ch.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for ricercatoritaliani.ch and www.ricercatoritaliani.ch
Performing the following challenges:
http-01 challenge for ricercatoritaliani.ch
http-01 challenge for www.ricercatoritaliani.ch
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/ricercatoritaliani.ch/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/ricercatoritaliani.ch/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

cleared nginx cache

# cd /var/run/nginx-cache/
# rm -rf ./*

restarted nginx

# sudo systemctl stop nginx
# sudo systemctl start nginx

80: OK - 443: "connection refused" error

If I access my test site through HTTPS in web browser, I get a "connection refused" error.

If I disable 443 and enable 80, and I access my test site through a web browser on HTTP, everything works fine.

failed test on SSL Labs

https://www.ssllabs.com/ssltest/analyze.html?d=www.ricercatoritaliani.ch&latest

SSL Labs returns: Assessment failed: Unable to connect to the server

Curl tests

If I test curl from my server, the one I'm trying to fix, all seems OK:

# curl --verbose https://www.ricercatoritaliani.ch
* About to connect() to www.ricercatoritaliani.ch port 443 (#0)
* Trying 31.14.131.121...
* Connected to www.ricercatoritaliani.ch (31.14.131.121) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=ricercatoritaliani.ch
* start date: Apr 02 08:21:19 2021 GMT
* expire date: Jul 01 08:21:19 2021 GMT
* common name: ricercatoritaliani.ch
* issuer: CN=R3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.ricercatoritaliani.ch
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Fri, 02 Apr 2021 09:26:19 GMT
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Vary: Accept-Encoding
< X-Powered-By: PHP/7.3.14
<
<!doctype html>
<html>
<head>
<title>This is the title of the webpage!</title>
</head>
<body>
<p>This is an example paragraph. Anything in the <strong>body</strong> tag will appear on the page, just like this <strong>p</strong> tag and its contents.</p>
</body>
</html>
* Connection #0 to host www.ricercatoritaliani.ch left intact

However, if I use curl from another machine, then the connection is refused:

curl --verbose https://www.ricercatoritaliani.ch
* Rebuilt URL to: https://www.ricercatoritaliani.ch/
* Trying 31.14.131.121...
* TCP_NODELAY set
* Connection failed
* connect to 31.14.131.121 port 443 failed: Connection refused
* Failed to connect to www.ricercatoritaliani.ch port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to www.ricercatoritaliani.ch port 443: Connection refused

While using curl on HTTP, I see the redirection automatically set by Certbot (but then https does not work):

curl --verbose http://www.ricercatoritaliani.ch
* Rebuilt URL to: http://www.ricercatoritaliani.ch/
* Trying 31.14.131.121...
* TCP_NODELAY set
* Connected to www.ricercatoritaliani.ch (31.14.131.121) port 80 (#0)
> GET / HTTP/1.1
> Host: www.ricercatoritaliani.ch
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.16.1
< Date: Fri, 02 Apr 2021 09:28:37 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: https://www.ricercatoritaliani.ch/
<
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.16.1</center>
</body>
</html>
* Connection #0 to host www.ricercatoritaliani.ch left intact

Nginx conf --modified by Certbot--

This is the nginx conf file automatically modified by Certbot:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:100m inactive=60m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri";

    server {
        root /var/www/html;
        index index.php;
        server_name    ricercatoritaliani.ch www.ricercatoritaliani.ch;
        #server_name    www.ricercatoritaliani.ch;

        ### enable gzip
        gzip on;
        gzip_disable "MSIE [1-6]\.(?!.*SV1)";
        gzip_vary on;
        gzip_types text/plain text/css text/javascript image/svg+xml image/x-icon application/javascript application/x-javascript;

        # log files
        access_log /var/log/nginx/wordpress.access.log;
        error_log /var/log/nginx/wordpress.error.log;

        set $skip_cache 0;
                # POST requests and URLs with a query string should always go to PHP
        if ($request_method = POST) {
                set $skip_cache 1;
        }

        if ($query_string != "") {
                set $skip_cache 1;
        }

        # Don't cache URIs containing the following segments
        if ($request_uri ~* "/wp-admin/|/xmlrpc.php|wp-.*.php|/feed/|index.php|sitemap(_index)?.xml") {
                set $skip_cache 1;
        }

        # Don't use the cache for logged-in users or recent commenters
        if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
                set $skip_cache 1;
        }

        location / {
                try_files $uri $uri/ /index.php?$args;
        }

        # dot escaped so that only a real .php extension is handed to PHP-FPM
        location ~ \.php$ {
                #try_files $uri /index.php;
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_cache_bypass $skip_cache;
                fastcgi_no_cache $skip_cache;
                fastcgi_cache WORDPRESS;
                fastcgi_cache_valid  60m;
        }

        location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                access_log off;
                log_not_found off;
                expires max;
        }

        location = /robots.txt {
                access_log off;
                log_not_found off;
        }

        #location ~ /. {
        #       deny  all;
        #       access_log off;
        #       log_not_found off;
        #}


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/ricercatoritaliani.ch/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ricercatoritaliani.ch/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}


    server {
    if ($host = www.ricercatoritaliani.ch) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = ricercatoritaliani.ch) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        server_name    ricercatoritaliani.ch www.ricercatoritaliani.ch;

        listen 80;
    return 404; # managed by Certbot

}


}

Hi @ric-bianchi

so your https configuration is ok.

So you have

  • a wrong router configuration (or / and)
  • a blocking firewall

I see a timeout, not a connection refused.

Find that blocking instance and change it.

Thanks a lot for your help, @JuergenAuer !

Sorry, I see that error displayed on Chrome, so I assumed that was the relevant error (shown below):

This site can't be reached
www.ricercatoritaliani.ch refused to connect.
Try:
- Checking the connection
- Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

I must admit I'm not very expert in setting up servers; therefore, sorry for my naive questions. But I think I have all the relevant ports opened:

# netstat -anop | grep LISTEN | grep nginx
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      30875/nginx: master  off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30875/nginx: master  off (0.00/0/0)


# netstat -anop | grep LISTEN | grep ':443'
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      30875/nginx: master  off (0.00/0/0)

What else should I check?

Thanks again for your kind and prompt help, @JuergenAuer !!

It's your server / configuration, so you have to find that blocking instance.

If you see internally a different error than my external timeout -> different configurations. That's not a problem, that's an indicator you should use.

You're right.

What I see through https://check-your-website.server-daten.de/?q=ricercatoritaliani.ch is this Fatal error:

https://www.ricercatoritaliani.ch/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

Fatal: Check of /.well-known/acme-challenge/random-filename has a timeout. Creating a Letsencrypt certificate via http-01 challenge can't work. You need a running webserver (http) and an open port 80. If it's a home server + ipv4, perhaps a correct port forwarding port 80 extern ⇒ working port intern is required. Port 80 / http can redirect to another domain port 80 or port 443, but not other ports. If it's a home server, perhaps your ISP blocks port 80. Then you may use the dns-01 challenge. Trouble creating a certificate? Use https://community.letsencrypt.org/ to ask.

But Certbot has set the redirect from 80 to 443, so that should work; is that correct?

Also, the comment from check-your-website above says Trouble creating a certificate?, but I have already created the certificates and they look correct. Should I infer something else from that message?

Thanks again for your help, @JuergenAuer !

P.S. Also, I don't find any .well-known/ folder on my system; shouldn't Certbot create one automatically?

In the instructions I followed {1}, there was no mention of the creation of that .well-known/ folder. I'm a bit puzzled...

{1}: Certbot - Centosrhel7 Nginx

Please: That's completely irrelevant.

You have a certificate. Fix your firewall problem. If you have a redirect http -> https and a blocked https, that error is expected.

Same the "missing .well-known/".

Hi again,

OK, I have solved my problem. As you had correctly guessed, it was not related to Certbot and certificates at all. It was related to an error in the iptables configuration; the result was that port 443 was not accepted over IPv4.

Thanks a lot again for your kind and prompt help, @JuergenAuer , which pointed me to the right direction!

Best regards,
-- Riccardo.
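To make the distinction this thread turns on checkable (nginx bound to the port, as the netstat output above showed, versus the host firewall not letting a new connection reach it, as the iptables fix in this reply confirms), here is a small shell helper. It is an added example, not code from the thread, from Certbot or from nginx. It takes netstat/ss LISTEN output and an `iptables -S INPUT` listing and reports whether the port is unbound, bound but blocked by the INPUT chain, or reachable. The sample netstat lines and both rule sets are constructed for the example; the function names `is_listening`, `firewall_accepts` and `diagnose` are my own; only a flat INPUT chain is evaluated (jumps into sub-chains, such as the ones firewalld generates, are not followed), and only TCP rules are considered.

```shell
#!/bin/sh
# Added example: separate "is nginx bound to the port" from "does the host
# firewall let a fresh inbound TCP connection reach it". Both checks work on
# captured command output, so they can be exercised offline; pass --live on a
# CentOS 7 box (as root) to run them against the real netstat/ss and iptables.
#
# Limitation: only a flat INPUT chain is evaluated. Jumps into sub-chains
# (as firewalld generates) are not followed.

# Constructed sample shaped like the thread's `netstat -anop | grep LISTEN`.
SAMPLE_LISTEN='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      30875/nginx: master  off (0.00/0/0)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      30875/nginx: master  off (0.00/0/0)'

# Constructed sample `iptables -S INPUT`: 22 and 80 are opened, 443 is not, and
# the final catch-all REJECT answers every other new connection. Loopback is
# exempt, which is why curl on the server itself can still succeed.
SAMPLE_RULES_BROKEN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Same chain with the missing rule for 443 added before the catch-all.
SAMPLE_RULES_FIXED='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# is_listening PORT LISTEN_OUTPUT
# Succeeds if any LISTEN line (netstat or `ss -ltn` format) has a local
# address ending in :PORT, e.g. 0.0.0.0:443 or [::]:443.
is_listening() {
  printf '%s\n' "$2" | awk -v p="$1" '
    BEGIN { missing = 1 }
    /LISTEN/ { for (i = 1; i <= NF; i++) if ($i ~ (":" p "$")) missing = 0 }
    END { exit missing }'
}

# firewall_accepts PORT RULES
# Walks the INPUT chain in order and returns the verdict the first decisive
# rule gives a brand-new TCP connection to PORT from a remote host.
firewall_accepts() {
  printf '%s\n' "$2" | awk -v p="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      dport = ""; target = ""; iface = ""; proto = ""; scoped = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "-i") iface = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        # state- or source-scoped rules do not decide a fresh SYN from anywhere
        if ($i == "--ctstate" || $i == "--state" || $i == "-s") scoped = 1
      }
      if (iface == "lo" || scoped) next          # loopback-only or conntrack rule
      if (proto != "" && proto != "tcp") next    # udp/icmp rules are irrelevant here
      if (dport == "" || dport == p) { verdict = target; exit }
    }
    END {
      if (verdict == "") verdict = (policy == "" ? "ACCEPT" : policy)
      exit (verdict == "ACCEPT" ? 0 : 1)
    }'
}

# diagnose PORT LISTEN_OUTPUT RULES -> not-listening | firewalled | reachable
diagnose() {
  if ! is_listening "$1" "$2"; then
    echo "not-listening"      # fix the nginx listen directive, not the firewall
  elif ! firewall_accepts "$1" "$3"; then
    echo "firewalled"         # nginx is fine; REJECT fails fast, DROP times out
  else
    echo "reachable"
  fi
}

if [ "${1-}" = "--live" ]; then
  listen_out=$(netstat -tln 2>/dev/null || ss -ltn)
  diagnose 443 "$listen_out" "$(iptables -S INPUT)"
else
  diagnose 443 "$SAMPLE_LISTEN" "$SAMPLE_RULES_BROKEN"   # firewalled
  diagnose 443 "$SAMPLE_LISTEN" "$SAMPLE_RULES_FIXED"    # reachable
fi
```

Run without arguments it evaluates the two constructed rule sets; on the server itself, `sh check443.sh --live` as root feeds in the real socket table and INPUT chain. Splitting the two checks is the point: the netstat listing in this thread already proved nginx was bound to 0.0.0.0:443, which left the host firewall as the remaining suspect. As a general matter, a REJECT rule makes a remote client fail immediately, whereas a DROP policy leaves it hanging until it times out; nginx itself is not involved in either case.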


Now your https works with a http status 200.

What was the problem?

Ah, thanks. Yep, that's one thing.

Once again, thanks to you!!! As I have said, your suggestions and comments pointed me in the right direction!
