Challenge failed for domain

vlio20 · July 21, 2020, 6:01pm

My domain is: digifo.io

I ran this command: ./init-letsencrypt.sh

It produced this output:
### Creating dummy certificate for digifo.io …
Generating a RSA private key
…+++++
…+++++
writing new private key to ‘/etc/letsencrypt/live/digifo.io/privkey.pem’
-----

### Starting nginx ...
Recreating digifo_nginx_1 ... done

### Deleting dummy certificate for digifo.io ...

### Requesting Let's Encrypt certificate for digifo.io ...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for digifo.io
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain digifo.io
http-01 challenge for digifo.io
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: digifo.io
   Type:   connection
   Detail: Fetching
   http://digifo.io/.well-known/acme-challenge/P81q7EYRm5eBwj-m3bSHe2K4yHZUAEfDeAf11eHFvDg:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

### Reloading nginx ...
ERROR: Container 8f6a469bb3c755868743df7ce55c52461896290d388d66b4064fe515eb0d70fc is restarting, wait until the container is running

My web server is (include version): ubuntu 18.

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I am using latest cerbot docker image

I’ve followed the following blog post: https://medium.com/@pentacent/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71
Which suggests to use a helper script ./init-letsencrypt.sh (https://github.com/wmnnd/nginx-certbot/blob/master/init-letsencrypt.sh)

As mentioned I am using docker for both nginx and cerbot. Here is the docker-compose file:

  app1: &app1
    image: vlio20/digifo:${APP_TAG}
    container_name: app1
    ports:
      - "8080:8080"
    environment:
      - NODE_ENV=prod
    networks:
      - docker
    depends_on:
      - mysql
    logging:
      <<: *logging

  nginx:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./revers-proxy/nginx:/etc/nginx/
      - ./revers-proxy/certbot/conf:/etc/letsencrypt
      - ./revers-proxy/certbot/www:/var/www/certbo
    ports:
      - "80:80"
      - "443:443"
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    networks:
      - docker
    logging:
      <<: *logging

  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./revers-proxy/certbot/conf:/etc/letsencrypt
      - ./revers-proxy/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

and here is my nginx config:

server {
  listen 80;
  server_name digifo.io;
  server_tokens off;

  location /.well-known/acme-challenge/ {
    root /var/www/certbot;
  }

  location / {
    return 301 https://$host$request_uri;
  }
}

server {
  listen 443 ssl;
  server_name digifo.io;
  server_tokens off;

  ssl_certificate /etc/letsencrypt/live/digifo.io/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/digifo.io/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

  location / {
    proxy_pass  http://app1:8080;
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
  }
}

I don’t have any firewall set. What did I miss?

_az · July 21, 2020, 10:19pm

I don't think if it would make any difference at this point, but this appears to be a typo:

I would suggest trying to first isolate the "Connection refused" error, by getting the nginx container running without any certificate (and removing the port 443 server block).

When you can confirm that the webserver is accessible from the internet in that simple setup, then you can look into using the script again.

This will allow you to identify where the failure is coming from.

vlio20 · July 22, 2020, 4:37am

Thanks. I fixed the typo - didn’t help.

I already validated that the webserver is accessible when having the following setup:

    events {}

    http {
      upstream app {
        server app1:8080;
        server app2:8080;
      }

      gzip on;
      gzip_vary on;
      gzip_proxied any;
      gzip_comp_level 6;
      gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

      server {
        listen 80;

        location = / {
          return 302 /Digifo;
        }

        location / {
          proxy_pass http://app;
        }
      }
    }

Note that this setup has a load balancer configuration

_az · July 22, 2020, 4:49am

Is it accessible right now? I get the same error as the Let’s Encrypt validation server does, on both addresses:

$ curl -i -6 digifo.io
curl: (7) Failed to connect to digifo.io port 80: Connection refused
$ curl -i -4 digifo.io
curl: (7) Failed to connect to digifo.io port 80: Connection refused

vlio20 · July 22, 2020, 5:50am

Now for some reason I started getting the following error from nginx:

nginx_1    | /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
nginx_1    | /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
nginx_1    | 10-listen-on-ipv6-by-default.sh: error: /etc/nginx/conf.d/default.conf is not a file or does not exist
nginx_1    | /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
nginx_1    | /docker-entrypoint.sh: Configuration complete; ready for start up
nginx_1    | 2020/07/22 05:44:41 [emerg] 1#1: "server" directive is not allowed here in /etc/nginx/nginx.conf:1
nginx_1    | nginx: [emerg] "server" directive is not allowed here in /etc/nginx/nginx.conf:1

vlio20 · July 22, 2020, 5:53am

Fixed, should be available now:
digifo.io

the nginx config is as follows:

events {}

http {
  upstream app {
    server app1:8080;
    server app2:8080;
  }

  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

  server {
    listen 80;

    location = / {
      return 302 /Digifo;
    }

    location / {
      proxy_pass http://app;
    }
  }
}

vlio20 · July 22, 2020, 8:59am

@_az any suggestions on what to do next?

_az · July 22, 2020, 9:46am

I guess try continue the tutorial from the Now we can make nginx serve the challenge files from certbot! step?

The way the tutorial suggests doing things is not exactly ideal, but as long as you make the right modifications to init-letsencrypt.sh, it seems like it should work.

If you end up with the “connection refused” error again, check nginx for errors as you did last time.

vlio20 · July 22, 2020, 1:36pm

Now the nginx configuration is:

events {}

http {
  upstream app {
    server app1:8080;
    server app2:8080;
  }

  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

  server {
    listen 80;
    server_name digifo.io;
    server_tokens off;

    location /.well-known/acme-challenge/ {
      root /var/www/certbot;
    }

    location = / {
      return 302 /Digifo;
    }

    location / {
      return 301 https://$host$request_uri;
    }
  }

  server {
    listen 443 ssl;
    server_name digifo.io;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/digifo.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/digifo.io/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    location = / {
      return 302 /Digifo;
    }

    location / {
      proxy_pass  http://app;
      proxy_set_header    Host                $http_host;
      proxy_set_header    X-Real-IP           $remote_addr;
      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
  }
}

and here is the output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for digifo.io
Using the webroot path /var/www/certbot for all unmatched domains.
Waiting for verification...
Challenge failed for domain digifo.io
http-01 challenge for digifo.io
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: digifo.io
   Type:   connection
   Detail: Fetching
   http://digifo.io/.well-known/acme-challenge/CWS54nfxl_qgj8jUbBBSuVE9OPH9RSYv0IGWXsteeEU:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

### Reloading nginx ...
ERROR: No container found for nginx_1

vlio20 · July 22, 2020, 5:05pm

There was another issue in my docker-compose file:

worked with:

nginx:
    image: nginx:alpine
    restart: unless-stopped
    volumes:
      - ./revers-proxy/nginx:/etc/nginx/
      - ./revers-proxy/certbot/conf:/etc/letsencrypt
      - ./revers-proxy/certbot/www:/var/www/certbot
    ports:
      - "80:80"
      - "443:443"
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    networks:
      - docker
    logging:
      <<: *logging

  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./revers-proxy/certbot/conf:/etc/letsencrypt
      - ./revers-proxy/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"

system · August 21, 2020, 5:05pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Http-01 Challenge failed and Connection refused Help	5	2304	June 1, 2020
Connection refused - Docker & nginx Help	2	3840	March 17, 2020
certbot.errors.AuthorizationError: Some challenges have failed Help	11	15722	December 12, 2019
Connection Refused When Requesting for New Certificate Help	5	2436	December 12, 2019
CA is likely to fail as well / connection refused while connecting to upstream client Help	3	2450	November 24, 2017

Challenge failed for domain

Related topics