Certificate Challenge Failed, Connection Refused behind NGINX

I’m running a Proxmox instance, with a VM for pfSense, one for my docker containers, and one for NGINX. The setup works perfectly on LAN, but I can’t seem to get a cert from certbot for the past few days. I’ve run the commands below, and have that output. My ports are forwarded on my router, and I’ve ensured that they’re accessible, unless I’m missing something else. If this isn’t enough information or clarification is needed, feel free to reply! Any help is welcome at this point.

My domain is: danielr.xyz

I ran this command: sudo certbot certonly --webroot -w /var/www/html -d danielr.xyz -d www.danielr.xyz (for testing purposes) --dry-run

It produced this output:

The following errors were reported by the server:
Domain: danielr.xyz
Type: connection
Detail: Fetching
http://danielr.xyz/.well-known/acme-challenge/1IZwOOt4hVVZJu_jE3MmULz4rIgRuvZ1z2RNlVZEsAo:
Connection refused

Same for the www. subdomain

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client.

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

I get connection refused as well. It doesn’t seem like the server is accessible from outside your LAN/NAT.

Weird. At least I now know it’s on my end. I know this might not be the place to ask, but why would that port not be open? If it helps I have a Netgear Nighthawk router, and I’ve done port forwarding enough times to know the basics. I just checked with one of those port sites, and it says the ports are closed (I know that you have to have something running in order for it to be seen as open.) Are there any common troubleshooting techniques? I’ve looked at some Netgear forums over the past few days (had a hunch that it was the router) and all the answers were people who had specific cases where it didn’t work due to something else.

Well, “connection refused” is a hopeful error, because it means that you’ve probably misconfigured the port forward, rather than it being blocked/filtered entirely. That would result in a “connection timeout” (as happens when you try to connect to a non-forwarded port, like 81).

“Connection refused” suggests that the router tried to forward the connection, but the target host was not listening on port 80.

Maybe post a screenshot of the port forwarding interface.
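The refused-versus-timeout reasoning above, as an added example (not code from the thread or from Certbot): it fetches the challenge URL the way the validation server does, sending the domain in the Host header, and labels a failed TCP connect as "refused" (forward reached a host with nothing listening) or "timeout" (nothing forwarded, or filtered). The self_check function runs it offline against a throwaway web root standing in for nginx; the token and key authorization it writes are constructed values.

```python
"""Added example, not from the thread: fetch an HTTP-01 challenge the way the CA does
and classify a failure: 'refused' = forward reached a host with no listener, 'timeout' = no forward/filtered."""
import functools, http.client, http.server, pathlib, socket, tempfile, threading

CHALLENGE_DIR = ".well-known/acme-challenge"   # where certbot --webroot writes tokens

def probe(host, port, timeout=5.0):
    """TCP connect only; returns 'open', 'refused', 'timeout' or 'error:<name>'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # port forward works, but nothing bound (nginx down / wrong VM)
    except socket.timeout:
        return "timeout"      # no forward at all, or filtered upstream
    except OSError as exc:
        return f"error:{type(exc).__name__}"

def fetch_challenge(host, port, token, server_name=None, timeout=5.0):
    """GET the challenge URL with the domain in the Host header; returns (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", f"/{CHALLENGE_DIR}/{token}", headers={"Host": server_name or host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("ascii", "replace")
    finally:
        conn.close()

class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    log_message = lambda self, *args: None   # silence per-request log lines

def self_check():
    """Offline run with a constructed web root: correct token, missing token, open port, closed port."""
    with tempfile.TemporaryDirectory() as webroot:
        challenge = pathlib.Path(webroot, CHALLENGE_DIR)
        challenge.mkdir(parents=True)
        (challenge / "tok").write_text("tok.keyauth")   # constructed token + key authorization
        srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0),
                                              functools.partial(_QuietHandler, directory=webroot))
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        port = srv.server_address[1]
        try:
            found = fetch_challenge("127.0.0.1", port, "tok", server_name="danielr.xyz")
            missing = fetch_challenge("127.0.0.1", port, "nope")[0]   # wrong webroot looks like this
            listening = probe("127.0.0.1", port)
        finally:
            srv.shutdown()
            srv.server_close()
        return {"found": found, "missing": missing, "listening": listening,
                "closed": probe("127.0.0.1", port)}   # same port with no listener -> refused
```

Against the real setup, call probe("<public IP>", 80) and fetch_challenge("<public IP>", 80, "<token>", server_name="danielr.xyz") from a host outside the LAN, since the CA never connects from inside it.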

Sure, here’s my page on the router:

Looks good, and if you login to root@192.168.1.202 and run:

ss -tlnp | grep -E ":(80|443)\b"

?

Another possibility is making sure that you have re-assigned the router web admin port to something other than 80, if it’s that currently. That can sometimes cause confusing results with port forwarding.

Thanks so far. There is no response at all, sudo or without.

Reroute the router’s admin page? pfSense’s is rerouted to 8080

hmm, any other ideas?

Wait, where is nginx running? If you've port-forwarded 80 to the pfSense machine, that's where your webserver should be.

If it's somewhere else, that's where the portforward should go.

I’m sorry, I ran that command on the nginx server, not the pfSense one.

NGINX is in a Ubuntu VM separate from pfSense.

Is 192.168.1.202 pfSense or nginx?

pfSense. I have a NAT rule in pfSense to redirect it.

OK, got it.

If you ran that command on nginx and nothing came up, that would suggest that either nginx is not running or it’s not bound to 80.

Just to confirm the network connectivity bit, let’s try the Certbot standalone authenticator, that does not require a webserver:

sudo certbot certonly --standalone -d danielr.xyz --dry-run

The dry run was successful. So that’s fine! Actually, it might not be running, it gave an error about the SSL cert.

If sudo nginx -t fails, you’d need to remove any references to the non-existent certs from its configuration, then restart nginx, then run something like sudo certbot --nginx -d example.com -d www.example.com.

I think I found a side issue, it’s now saying no A for 4t.danielr.xyz, check that a DNS record exists (4t is just a test app I have being served). Does this mean that I should add an A record in Namecheap?

I have an A + Dynamic one set up.

This happens even when I try with the normal domain, without the sub.

I apologize if these are stupid questions, this is my first time opening up a server to the internet, I was following this guide for information: dlford.io

You mean just with danielr.xyz? It should work just fine for that.

You can setup another CNAME in Namecheap for 4t.danielr.xyz, just like you did with the www. subdomain.

Yeah, I did it with just danielr.xyz and it still didn’t like that. I added the CNAME, I assume it’s the normal 30 minute wait time?

What was the error for the normal domain? It shouldn’t be the “no A record” one.

You don’t need to wait 30 minutes for 4t. It should work right now.

There was no error for the normal domain, only the 4t one. And I’ll try that now.

No errors! Should I run it for real?

Sure. Keep in mind if you use certonly (meaning you’ll manually configure nginx with the certificate), you’ll probably want to add something like --deploy-hook "service nginx reload", so that Certbot automatically reloads nginx after the cert gets renewed.

If on the other hand you let Certbot configure nginx for you, you can just use --nginx instead of certonly, and it’ll all be automated.