Certificate Renewal acme challenge connection refused

Hello,

I am trying to renew the certificates on a CentOS 7 with NGINX system using certbot 0.14.1.

The nginx configuration file has the right directives to serve the challenge files:

location /.well-known/acme-challenge {
    allow all;
    root /var/www/;
}

Any static files I manually create in ./well-known/acme-challenge are correctly served in the browser. Using curl -Ikl4 on that file will return HTTP/1.1 200 OK. Trying -Ikl6, however, will trigger a "Could not resolve host" message.

There are only CNAME entries in my Zone Editor - no A or AAAA names.

The challenges entry in the log is the following:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching /.well-known/acme-challenge/ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8: Connection refused",
    "status": 400
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/hbdEONE1A02Hy7gkAy34MscKd9fmsJRThp1RR-5dTX8/74616354",
  "token": "ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8",
  "keyAuthorization": "ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8.dL7zY1jvk3djd-OsCwBdLqtHaJ5s64ZndgTblTPn-DE",
  "validationRecord": [
    {
      "url": "/.well-known/acme-challenge/ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8",
      "hostname": "",
      "port": "80",
      "addressesResolved": [
        "123.345.567.789"
      ],
      "addressUsed": "123.345.567.789",
      "addressesTried": []
    }
  ]
},

Does the "addressesTried" being empty have an impact on the connection refused message?

I would truly appreciate any help and hint on how I could proceed solving the problem. Thanks!
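Added example (not part of the original post or of certbot): a small Python checker that reads an http-01 challenge record like the one quoted above and reports what a defender would look at first: whether the keyAuthorization has the RFC 8555 shape of token "." JWK thumbprint, whether the addresses the CA resolved are parseable IP literals, whether any fallback address was tried, and what a "Connection refused" at the validation address means. The embedded JSON is a constructed copy of the posted record, with the poster's placeholder address left as-is, so the checker flags it as a non-IP value. The `jwk_thumbprint` and `key_authorization` helpers follow RFC 7638 and RFC 8555 section 8.1; the EC key used in the usage notes is a made-up value.

```python
import base64
import hashlib
import ipaddress
import json
import re

# Constructed sample: the http-01 challenge entry quoted in the post above, with the
# poster's placeholder address left unchanged (it is not a valid IPv4 literal).
CHALLENGE_JSON = """
{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching /.well-known/acme-challenge/ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8: Connection refused",
    "status": 400
  },
  "token": "ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8",
  "keyAuthorization": "ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8.dL7zY1jvk3djd-OsCwBdLqtHaJ5s64ZndgTblTPn-DE",
  "validationRecord": [
    {
      "url": "/.well-known/acme-challenge/ciMTLpZFSePCK0fY7utY3a8bBb8r7uQnQyEWjfWd6C8",
      "hostname": "",
      "port": "80",
      "addressesResolved": ["123.345.567.789"],
      "addressUsed": "123.345.567.789",
      "addressesTried": []
    }
  ]
}
"""

_B64URL = re.compile(r"[A-Za-z0-9_-]+")


def b64url_decode(s):
    """Decode unpadded base64url, the alphabet ACME uses for tokens and thumbprints."""
    if not _B64URL.fullmatch(s):
        raise ValueError("not base64url: %r" % s)
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url_encode(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """RFC 8555 section 8.1: the body the web server must return is token '.' thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def analyze_challenge(text):
    """Summarise one challenge object and list the findings a defender would check first."""
    ch = json.loads(text)
    err = ch.get("error") or {}
    token, ka = ch["token"], ch["keyAuthorization"]
    thumb = ka[len(token) + 1:] if ka.startswith(token + ".") else None
    well_formed = (
        thumb is not None
        and len(b64url_decode(token)) >= 16   # RFC 8555 8.3: at least 128 bits of entropy
        and len(b64url_decode(thumb)) == 32   # SHA-256 thumbprint
    )
    summary = {"status": ch["status"], "error_type": err.get("type"),
               "error_detail": err.get("detail"), "key_auth_well_formed": well_formed,
               "records": [], "findings": []}
    if not well_formed:
        summary["findings"].append("keyAuthorization is not <token>.<base64url SHA-256 thumbprint>")
    for rec in ch.get("validationRecord", []):
        valid, invalid = [], []
        for addr in rec.get("addressesResolved", []):
            try:
                ipaddress.ip_address(addr)
                valid.append(addr)
            except ValueError:
                invalid.append(addr)
        used, tried = rec.get("addressUsed"), rec.get("addressesTried", [])
        summary["records"].append({"port": rec.get("port"), "valid_addresses": valid,
                                   "invalid_addresses": invalid, "address_used": used,
                                   "fallback_tried": bool(tried)})
        if invalid:
            summary["findings"].append(
                "addressesResolved contains a non-IP value %r (redacted log? re-check with the real address)" % invalid)
        if not tried:
            summary["findings"].append("addressesTried is empty: only addressUsed was contacted, no fallback address")
        if (err.get("type") or "").endswith(":connection") and "Connection refused" in (err.get("detail") or ""):
            summary["findings"].append(
                "TCP connect to %s:%s was refused: the request never reached the /.well-known location block; "
                "verify the web server listens on that address and port and that no firewall rejects port 80"
                % (used, rec.get("port")))
    return summary


if __name__ == "__main__":
    for finding in analyze_challenge(CHALLENGE_JSON)["findings"]:
        print("-", finding)
```

The point the checker makes for the record above is that "Connection refused" is a TCP-level answer from the address the CA picked, so the nginx location block (which only matters once an HTTP request arrives) cannot be what is failing; what matters is whether anything is listening on that address and port from the CA's side. Pass it a made-up EC key, for example `{"kty": "EC", "crv": "P-256", "x": b64url_encode(b"\x01" * 32), "y": b64url_encode(b"\x02" * 32)}`, to see `key_authorization` produce the token-dot-thumbprint body that a manually placed challenge file must contain; extra JWK members such as `alg` do not change the thumbprint.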

Please mention the affected domain name.

A quick update on how I worked around the above issue:

  • updated certbot to the latest version 0.19.0
  • running certbot --renew still failed to update the certificates due to the “Connection refused” on the acme challenge
  • running certbot in manual mode, certbot certonly --manual -d <domain>, and placing the challenge files manually in the ./well-known/acme-challenge folder worked fine. The files could be accessed and a new certificate has been issued. No further changes have been performed to the system nor to the nginx configuration.
