Certbot renew failed 400 connection refused

I am unable to renew my certs and it's troubling for this renewal alone. Any help is greatly appreciated.

My domain is: www.roomieads.com

I ran this command: certbot renew

It produced this output:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.roomieads.com
Type: connection
Detail: 149.28.126.186: Fetching http://www.roomieads.com/.well-known/acme-challenge/Sdn2p66tOgASS2QtLLCN5NMtcfbYDh1LEbrU94jtINg: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.37 (centos)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.30.0

Welcome to the community @patri44578

It looks to me like a firewall is blocking the IPs of the Let's Encrypt server(s).

I can reach your www.roomieads.com site just fine. And, the Let's Debug test site has two tests. The first connects and gets the expected 404 Not Found response. The second using the Let's Encrypt Staging system fails with the "connection refused" as you report with the production LE system.

You should check your firewalls. The Let's Debug test site is helpful in these cases.

PS: Your apex domain roomieads.com will also be affected but it fails earlier due to a faulty redirect. The Let's Debug site helps show that too.


Now it looks good. I am still getting this error:

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: www.roomieads.com
Type: unauthorized
Detail: 149.28.126.186: Invalid response from http://www.roomieads.com/.well-known/acme-challenge/tvclWGJZb3dg6mnc4QrVGklxKgTcQDCFdUTq6Ed7fOo: 403

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2022-09-11 23:17:02,816:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

I see your (partly) successful Let's Debug test but that's not what is happening now. I still get the "connection refused" from the Let's Encrypt Staging test and now the faulty redirect that I noted for your apex domain for the first test connect.


I have now removed the redirect to https and allowed port 80 through, and I am still getting connection refused.

Please show the output of:
apachectl -t -D DUMP_VHOSTS


Here is the complete log; let me know if you find anything.

2022-09-12 04:45:48,257:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-09-12 04:45:48,548:DEBUG:certbot._internal.main:certbot version: 1.30.0
2022-09-12 04:45:48,549:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2344/bin/certbot
2022-09-12 04:45:48,549:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2022-09-12 04:45:48,549:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-12 04:45:48,574:DEBUG:certbot._internal.log:Root logging level set at 30
2022-09-12 04:45:48,575:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2022-09-12 04:45:48,693:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.37
2022-09-12 04:45:48,946:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#nginx): Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 160, in prepare
    self._initialized.prepare()
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot_nginx/_internal/configurator.py", line 194, in prepare
    raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Could not find a usable 'nginx' binary. Ensure nginx exists, the binary is executable, and your PATH is set correctly.
2022-09-12 04:45:48,947:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f1c704bd4f0>
Prep: True
2022-09-12 04:45:48,947:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f1c704bd4f0> and installer <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7f1c704bd4f0>
2022-09-12 04:45:48,947:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2022-09-12 04:45:48,997:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/73861100', new_authzr_uri=None, terms_of_service=None), 0b557b0891b3308ca88864bd500fba31, Meta(creation_dt=datetime.datetime(2019, 12, 15, 20, 38, 18, tzinfo=<UTC>), creation_host='dev.don-ads.com', register_to_eff=None))>
2022-09-12 04:45:48,998:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-09-12 04:45:49,001:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-09-12 04:45:49,080:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 672
2022-09-12 04:45:49,081:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Sep 2022 04:45:49 GMT
Content-Type: application/json
Content-Length: 672
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf",
    "website": "https://letsencrypt.org"
  },
  "n1h0RuzWwJg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2022-09-12 04:45:50,675:DEBUG:certbot._internal.display.obj:Notifying user: Requesting a certificate for www.roomieads.com
2022-09-12 04:45:50,831:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0234_key-certbot.pem
2022-09-12 04:45:50,837:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0234_csr-certbot.pem
2022-09-12 04:45:50,839:DEBUG:acme.client:Requesting fresh nonce
2022-09-12 04:45:50,839:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-09-12 04:45:50,865:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-09-12 04:45:50,865:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Sep 2022 04:45:50 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102hfs26nRmSiyKH6qVivjiqw8Ol3GVUTFPbiYjN0gE-0E
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-09-12 04:45:50,866:DEBUG:acme.client:Storing nonce: 0102hfs26nRmSiyKH6qVivjiqw8Ol3GVUTFPbiYjN0gE-0E
2022-09-12 04:45:50,866:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "www.roomieads.com"\n    }\n  ]\n}'
2022-09-12 04:45:50,869:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzM4NjExMDAiLCAibm9uY2UiOiAiMDEwMmhmczI2blJtU2l5S0g2cVZpdmppcXc4T2wzR1ZVVEZQYmlZak4wZ0UtMEUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
  "signature": "lY2VeFnSfqRM9FpsFuClDFiImlEpH69blb5Vv-RRfk0UA14Y-dR3iPUTcDtV7jcuu5JzM6qHzICNcm5Z-1AkgekBljHM9HezOnUuYJlIJ0UXVoHgfpioyH-NilYHO56cMduv1KDSnnrmCsua5BR0EbEoTN1uuxd_syy4mOU2_eSAw39sS97GzVb7XFkp5dI22gO3pU3E6ipRHrjPSmyfazbtvybFVEgW27FYiUcieY37g_-_ZqfnkfJVlDpct6IJ952BAXHfB0PJ2u2irKKWYQKw51xlBvMgKz2lrO9hdm45x2lSl96h9ZumFmsP_8I7lXCOqpj8dxr_zl8rCX7CZA",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInd3dy5yb29taWVhZHMuY29tIgogICAgfQogIF0KfQ"
}
2022-09-12 04:45:51,134:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 341
2022-09-12 04:45:51,134:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 12 Sep 2022 04:45:51 GMT
Content-Type: application/json
Content-Length: 341
Connection: keep-alive
Boulder-Requester: 73861100
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/73861100/124716223007
Replay-Nonce: 0102tKwzVaf05K_mJsy_L0zWMZtdvLVj55mYnHXA_lvU18w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-09-19T04:45:51Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "www.roomieads.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/152436279467"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/73861100/124716223007"
}
2022-09-12 04:45:51,134:DEBUG:acme.client:Storing nonce: 0102tKwzVaf05K_mJsy_L0zWMZtdvLVj55mYnHXA_lvU18w
2022-09-12 04:45:51,135:DEBUG:acme.client:JWS payload:
b''
2022-09-12 04:45:51,136:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/152436279467:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzM4NjExMDAiLCAibm9uY2UiOiAiMDEwMnRLd3pWYWYwNUtfbUpzeV9MMHpXTVp0ZHZMVmo1NW1ZbkhYQV9sdlUxOHciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE1MjQzNjI3OTQ2NyJ9",
  "signature": "pu-NSsffvuTUDfR8SPQMV_xP7c1mz-Qx0uFqgxhgCEJ3U6BbKlNWgnXnwZNdKPC4-5iXHP35Xxj9lFIb2kUwDKbEJhgoL4ANPQEAJpidl-2zOaYBlQTbUzptjBsUHZTJGHWfjtrjs9JoHazU6iDw9eHhnUvJRkMPUVnEoCKBEwQGahPbmBBcmACdvdSCcPu7ay1uuBXVuPwTM-lTtGzNE8G-52t9hXgyXfouQ8wHS5qJgbWpFhSQ70lp-On-62-XE2z2l2pXPv39qWKHdxesmX0DzfYsKxCRwLyxwbcQbiCaoSs9PMQGeut6WcFt7eq1JEyAJ0i8bexeTXLkLX4Zsg",
  "payload": ""
}
2022-09-12 04:45:51,192:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/152436279467 HTTP/1.1" 200 801
2022-09-12 04:45:51,192:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Sep 2022 04:45:51 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 73861100
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102RJwkfsHFumgYEBl9Npjvt862ns1vtmGmcB_grvlsb2U
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.roomieads.com"
  },
  "status": "pending",
  "expires": "2022-09-19T04:45:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/152436279467/qdejcQ",
      "token": "Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/152436279467/kTrSzg",
      "token": "Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/152436279467/yHBHmg",
      "token": "Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM"
    }
  ]
}
2022-09-12 04:45:51,192:DEBUG:acme.client:Storing nonce: 0102RJwkfsHFumgYEBl9Npjvt862ns1vtmGmcB_grvlsb2U
2022-09-12 04:45:51,193:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-09-12 04:45:51,193:INFO:certbot._internal.auth_handler:http-01 challenge for www.roomieads.com
2022-09-12 04:45:51,198:DEBUG:certbot_apache._internal.http_01:Adding a temporary challenge validation Include for name: www.roomieads.com in: /etc/httpd/conf.d/www.roomieads.com.conf
2022-09-12 04:45:51,198:DEBUG:certbot_apache._internal.http_01:writing a pre config file with text:
         RewriteEngine on
        RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9-_=]+)$ /var/lib/letsencrypt/http_challenges/$1 [END]
    
2022-09-12 04:45:51,198:DEBUG:certbot_apache._internal.http_01:writing a post config file with text:
         <Directory /var/lib/letsencrypt/http_challenges>
            Require all granted
        </Directory>
        <Location /.well-known/acme-challenge>
            Require all granted
        </Location>
    
2022-09-12 04:45:51,216:DEBUG:certbot.reverter:Creating backup of /etc/httpd/conf.d/www.roomieads.com.conf
2022-09-12 04:45:54,386:DEBUG:acme.client:JWS payload:
b'{}'
2022-09-12 04:45:54,388:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/152436279467/qdejcQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzM4NjExMDAiLCAibm9uY2UiOiAiMDEwMlJKd2tmc0hGdW1nWUVCbDlOcGp2dDg2Mm5zMXZ0bUdtY0JfZ3J2bHNiMlUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzE1MjQzNjI3OTQ2Ny9xZGVqY1EifQ",
  "signature": "p4wAu9Up-b_NdGWUfcG-V2f-SRFkKZ-vcEdo3AODGrZNjhfnFnJidNlfCyqI7TJqQEV7S7Q1WwRVj5m_5JUY-3I9sZ5XYz8q7M7TIMEVLYa224x1SjW8BsiQFtAcD78pSAJKUXpG68WuuzGrs06xcyUvGunYOVmWrHQsRROhkLV4Z7_Xg-CMIgdg3aOqjEKPmd1yaROj9vmhpNrwP53haSAf5Z4nVnI8uuZHwV2FXIiDZHjqv0bvyU9nmgxz9BTC4f9HrtZFCuYTqnVhBFt0_-6qNW8qIy6aVXFzQfuZMw9K84awaHAhYD0hTJEOys7_N2nTG0dLAk5V6zgi558jRw",
  "payload": "e30"
}
2022-09-12 04:45:54,448:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/152436279467/qdejcQ HTTP/1.1" 200 187
2022-09-12 04:45:54,449:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Sep 2022 04:45:54 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 73861100
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/152436279467>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/152436279467/qdejcQ
Replay-Nonce: 0102PLTyF5xMwFdrdTj-Vw9nvvMK2uXumwpVX3SfQ87rUJk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/152436279467/qdejcQ",
  "token": "Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM"
}
2022-09-12 04:45:54,449:DEBUG:acme.client:Storing nonce: 0102PLTyF5xMwFdrdTj-Vw9nvvMK2uXumwpVX3SfQ87rUJk
2022-09-12 04:45:54,450:INFO:certbot._internal.auth_handler:Waiting for verification...
2022-09-12 04:45:55,451:DEBUG:acme.client:JWS payload:
b''
2022-09-12 04:45:55,453:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/152436279467:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzM4NjExMDAiLCAibm9uY2UiOiAiMDEwMlBMVHlGNXhNd0ZkcmRUai1WdzludnZNSzJ1WHVtd3BWWDNTZlE4N3JVSmsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzE1MjQzNjI3OTQ2NyJ9",
  "signature": "bpcp_7ePxl22op08KxnHcGGO9usdhFFnVOXf74cpd2BPE3ZZgKrS5-1jAcYmH8x_ZOiprK8iP1WEum9VgM-tK6nkevtvMptvlbf_z6Hs5K9xFoSD80GwIM-gS9Gmdbk_ohdyZxBXhtBwh5JP_Hm-O5CM2u3gXrIYPsjHqVxZTgGkGOfUgOPBrjC2voWbVL9-HQDdVpy9mHi-JYwAD7xSXUz8CWI6TRLo0XviEMpzaRyM5fqKhPzuz1ZzDORFb9IAN5hDaqpv2subeUC_9OkzrhGifJQ7iC3Hc2zFAkTEl2WqXhey6u7W8YWE7TVbqHeu8cV1BRdjXYXyOha7FzCPqg",
  "payload": ""
}
2022-09-12 04:45:55,508:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/152436279467 HTTP/1.1" 200 1039
2022-09-12 04:45:55,509:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 12 Sep 2022 04:45:55 GMT
Content-Type: application/json
Content-Length: 1039
Connection: keep-alive
Boulder-Requester: 73861100
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102m5Km4_votgjMeSyR7Fv-8uybVHzn-F-ImvL2mpc-wk4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "www.roomieads.com"
  },
  "status": "invalid",
  "expires": "2022-09-19T04:45:51Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "149.28.126.186: Fetching http://www.roomieads.com/.well-known/acme-challenge/Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM: Connection refused",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/152436279467/qdejcQ",
      "token": "Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM",
      "validationRecord": [
        {
          "url": "http://www.roomieads.com/.well-known/acme-challenge/Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM",
          "hostname": "www.roomieads.com",
          "port": "80",
          "addressesResolved": [
            "149.28.126.186"
          ],
          "addressUsed": "149.28.126.186"
        }
      ],
      "validated": "2022-09-12T04:45:54Z"
    }
  ]
}
2022-09-12 04:45:55,509:DEBUG:acme.client:Storing nonce: 0102m5Km4_votgjMeSyR7Fv-8uybVHzn-F-ImvL2mpc-wk4
2022-09-12 04:45:55,510:INFO:certbot._internal.auth_handler:Challenge failed for domain www.roomieads.com
2022-09-12 04:45:55,510:INFO:certbot._internal.auth_handler:http-01 challenge for www.roomieads.com
2022-09-12 04:45:55,510:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: www.roomieads.com
  Type:   connection
  Detail: 149.28.126.186: Fetching http://www.roomieads.com/.well-known/acme-challenge/Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

2022-09-12 04:45:55,511:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-09-12 04:45:55,511:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-09-12 04:45:55,511:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-09-12 04:45:55,770:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/2344/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/main.py", line 1441, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/client.py", line 530, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/client.py", line 442, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 106, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/var/lib/snapd/snap/certbot/2344/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 206, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-09-12 04:45:55,772:ERROR:certbot._internal.log:Some challenges have failed.

The LE challenge request was blocked:

Detail: 149.28.126.186: Fetching http://www.roomieads.com/.well-known/acme-challenge/Tb0jcOmehSJcNJJkpo2RAWZB7j3H9HyCSFMswj5w2UM: Connection refused

My similar request was allowed:

curl -Ii http://www.roomieads.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Date: Mon, 12 Sep 2022 04:57:54 GMT
Server: Apache/2.4.37 (centos) OpenSSL/1.1.1g
Access-Control-Allow-Headers: x-requested-with, Content-Type, origin, authorization, accept, client-security-token
Access-Control-Allow-Methods: POST, GET
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' https:; script-src 'self' https: 'unsafe-eval' 'unsafe-inline'; connect-src 'self' https:; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' https:;base-uri 'self';form-action 'self';font-src 'self' https: data:; frame-src 'self' https://www.youtube.com/ https://app.hubspot.com/ https://js.stripe.com/ https://googleads.g.doubleclick.net/ https://tpc.googlesyndication.com/
Feature-Policy: microphone 'none'; payment 'none'; sync-xhr 'self' https:
Access-Control-Expose-Headers: Content-Security-Policy, Location
Access-Control-Max-Age: 600
Content-Type: text/html; charset=iso-8859-1

Are there any IP block lists enabled?
Is there any Geo-location/fencing or DoS protection enabled?


Fail2ban is enabled

Only US and India IPs allowed

It looks like fail2ban (or maybe another firewall) is still affecting requests. I can see your site fine from my US server but the Let's Encrypt Server(s) still fail to connect with "connection refused".

Let's Encrypt verifies from multiple locations and these IP addresses change regularly. It would be best if you could allow requests from any IP with a URI that contains /.well-known/acme-challenge


You could permit all IPs to port 80, handle the ACME challenge requests there, and forward all other requests to HTTPS [where you can block whatever IPs you like].

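An added example of the split described in the reply above (it is not code from the thread, from Certbot or from the poster's server): port 80 is open to every source and serves only the ACME challenge path, every other request is redirected to HTTPS, and the US/India restriction lives on the 443 vhost only. The certificate paths, the geo module and the MM_COUNTRY_CODE variable name are assumptions.

```apache
# Port 80: reachable from any IP, answers ACME challenges, redirects the rest.
<VirtualHost *:80>
    ServerName www.roomieads.com
    ServerAlias roomieads.com

    # Let's Encrypt fetches http://<host>/.well-known/acme-challenge/<token>
    # from validation servers whose addresses change, so this path must be
    # open to everyone and must never be country-filtered.
    <Location "/.well-known/acme-challenge">
        Require all granted
    </Location>

    # Redirect everything except the challenge path to HTTPS. Redirecting the
    # challenge path too is the "faulty redirect" noted for the apex domain.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: the IP/country restriction applies here only, so it can never
# interfere with validation on port 80.
<VirtualHost *:443>
    ServerName www.roomieads.com
    SSLEngine on
    # Assumed paths: Certbot's usual live/ directory is not shown in the thread.
    SSLCertificateFile    /etc/letsencrypt/live/www.roomieads.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.roomieads.com/privkey.pem

    # Assumption: a geo module (e.g. mod_maxminddb) exports the visitor's
    # country in the MM_COUNTRY_CODE environment variable; adjust the name
    # to whatever your module sets.
    <Location "/">
        Require expr %{ENV:MM_COUNTRY_CODE} in { 'US', 'IN' }
    </Location>

    DocumentRoot /var/www/roomieads   # assumed path
</VirtualHost>
```

"Connection refused" means the TCP handshake was rejected before Apache ever saw the request, so the host firewall and any fail2ban action must also accept TCP/80 from any source; an Apache-level Require cannot rescue a connection the kernel rejects.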

I was able to get the certificates. Thank you.

