Connection refused on challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: quartermarsh.org

I ran this command: sudo certbot certonly --webroot -v

It produced this output: Domain: quartermarsh.org
Type: connection
Detail: 209.121.149.xxx: Fetching http://quartermarsh.org/.well-known/acme-challenge/PptaFOn5FBloQekh_9VCwIvlNlVswQuwFez8pSgHcQE: Connection refused

My web server is (include version): apache2 latest

The operating system my web server runs on is (include version): MacOS 10.15.7

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

My webroot directory is at ~/Sites - permissions are rw for admin, user, staff, everyone

Port 80 is allowed in router firewall (in & outbound) also port forwarded for the machine

No firewall rules (afaict)

I’m missing something. Perhaps the overall webroot arrangement? httpd.conf should be allowing access to hidden directories (except that this directory isn’t hidden, so?)

apachectl configtest returns: Syntax ok. Also: [alias:warn] [pid 35177] AH00671: The Alias directive in /private/etc/apache2/httpd.conf at line 569 will probably never match because it overlaps an earlier Alias.

I also have no .well-known/acme-challenge/ folder or I haven’t found it yet. :confused: Maybe that’s because the verification failed. Or something to do with the Alias directive above

Finally, if it’s relevant, this is a Namecheap domain with an A record for the external IP, a URL redirect to www.quartermarsh.org, and a CNAME record for www.quartermarsh.org

If I can provide any more info I’d be happy to.

You know how DNS works, right?

$ dig +short a quartermarsh.org
209.121.149.132
162.255.119.85

Are these IP addresses both right? If not, remove the one that isn't.

5 Likes

Not as well as I could it seems. Thanks for the catch. The first is my external IP. The second one is a Namecheap IP according to whois. So, the question is, which of the three records I have set up in advanced DNS might be causing this extra IP address? Would it be the URL redirect? It's: Host = @ Value = www.quartermarsh.org with an "Unmasked" flag. If indeed the DNS records at Namecheap are the cause, I’m not sure how to adjust the DNS record to remove the other IP address. Any insights would be greatly appreciated.

Yep, that "redirect" record looks like it's the issue, try removing it.

4 Likes

Ok, I removed it but dig returns the same results. Maybe it takes a while for the change to take effect. I flushed the dns cache on the server machine.

It's probably the cache of your local resolver. I see a single IP.

$ dig +short a quartermarsh.org
209.121.149.132

4 Likes
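
The exchange above mixes two separate causes of the same symptom: a stray A record (the Namecheap URL-redirect host) and a local resolver cache that keeps returning that record after it has been deleted. The script below is an added example, not something posted in this thread; it separates the two cases by checking a list of resolved addresses against the one address the server actually lives on, and, in its live variant, by querying the zone's own nameservers so no intermediate cache is consulted. The sample addresses are the two quoted in the thread; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not part of the thread): tell "extra A record" apart from
# "stale cache" when an HTTP-01 check reaches the wrong address.

# Pure check over a list of resolved addresses, so it runs offline.
# Returns 0 = only the expected address, 1 = extra record(s) present,
# 2 = the expected address is missing entirely.
check_a_records() {
    expected="$1"; shift
    seen=0
    extra=""
    for ip in "$@"; do
        if [ "$ip" = "$expected" ]; then
            seen=1
        else
            extra="$extra $ip"
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "MISSING: $expected is not among the A records"
        return 2
    fi
    if [ -n "$extra" ]; then
        echo "EXTRA:$extra (a redirect/parking record, or a stale cache)"
        return 1
    fi
    echo "OK: only $expected"
    return 0
}

# Live variant: ask one of the zone's authoritative nameservers directly,
# which bypasses the local resolver cache that confused the thread.
# Not exercised by the test; needs network access and dig.
check_a_records_live() {
    domain="$1"; expected="$2"
    ns=$(dig +short ns "$domain" | head -n 1)
    [ -n "$ns" ] || { echo "no NS record found for $domain"; return 2; }
    # Word splitting of the dig output is intended here.
    # shellcheck disable=SC2046
    check_a_records "$expected" $(dig +short a "$domain" "@$ns")
}

# Constructed demo input: the two addresses quoted in the thread.
# Run as: sh check-a-records.sh --demo
if [ "${1:-}" = "--demo" ]; then
    check_a_records 209.121.149.132 209.121.149.132 162.255.119.85
    check_a_records 209.121.149.132 209.121.149.132
fi
```

Once the record is gone from the authoritative servers, `check_a_records_live quartermarsh.org 209.121.149.132` returns 0 even while the local resolver still shows two addresses; that is the signal that what remains is only a cache waiting to expire.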

Right. Perhaps the browser cache?

Yup. That got it.

Many thanks for the catch and the assist. :100:

1 Like

That IP wasn't responding, though.

I'd check my firewall (port 80 and 443 tcp)

3 Likes

Do you mean responding to a ping? It’s blocked. The router firewall has 80 and 433 allowed. Although I only have 80 port forwarded on the server machine.

Your HTTP (port 80) requests look normal now. Have you retried getting a cert?

2 Likes

Yes. Result:

Domain: quartermarsh.org
Type: unauthorized
Detail: 209.121.149.132: Invalid response from http://quartermarsh.org/.well-known/acme-challenge/GNxq9jJz9Elg4nkYIa6hZ7yGvxWhEffXyK1PWVp0vcA: 404

I’m willing to bet it's all down to the httpd.conf and the webroot directory permissions somehow.

And: Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Content is being served from the specified directory. The temp challenge files don’t exist and I don’t see a denied attempt in firewall records.

Is that the correct IP?

2 Likes

Maybe. Did you tell certbot where your webroot is?

I didn't see it in your command above. Try with:

sudo certbot certonly --staging --webroot -w /path/to/webroot -v

2 Likes
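
The 404 quoted a few posts up means Apache answered but had nothing at that path, which is what happens when the directory certbot writes into is not the one Apache serves, or when the server process cannot read the file. The script below is an added example, not from this thread or from Certbot; it reproduces the webroot mechanism locally: it writes a token file where certbot would (`<webroot>/.well-known/acme-challenge/<token>`), prints the URL the CA would fetch, reports any path component that a different user could not traverse or read, and removes the file again. WEBROOT, DOMAIN and LIVE are placeholder variables I chose; the optional live fetch uses curl and needs the site reachable from where you run it.

```shell
#!/bin/sh
# Added example (not part of the thread): a local dry run of what
# certbot --webroot does, so a 404 can be debugged without burning
# rate-limited validation attempts. Needs only a POSIX shell and ls.

# The URL the CA requests for a given domain and token.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Create the challenge directory and a token file inside the webroot,
# exactly where certbot puts it, and read it back. Returns 0 on success.
place_token() {
    webroot="$1"; token="$2"
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    [ "$(cat "$dir/$token")" = "$token" ]
}

# Walk from the token file up to / and report any component that a user
# other than the owner (e.g. the Apache worker) could not traverse or read.
# Prints findings only; exit status is not affected.
report_permissions() {
    path="$1"
    while [ -n "$path" ] && [ "$path" != "/" ] && [ "$path" != "." ]; do
        mode=$(ls -ld "$path" | cut -c1-10)   # e.g. drwxr-xr-x
        if [ -d "$path" ]; then
            case "$mode" in
                *x|*t) ;;   # others have the execute (traverse) bit
                *) echo "WARN: others cannot traverse $path ($mode)" ;;
            esac
        else
            case "$(printf '%s' "$mode" | cut -c8)" in
                r) ;;       # others have the read bit
                *) echo "WARN: others cannot read $path ($mode)" ;;
            esac
        fi
        path=$(dirname "$path")
    done
}

remove_token() {
    rm -f "$1/.well-known/acme-challenge/$2"
}

# Usage (placeholders): WEBROOT=/Users/mini/Sites DOMAIN=quartermarsh.org sh webroot-selftest.sh
# With LIVE=1 it also fetches the URL with curl and compares the body.
if [ -n "${WEBROOT:-}" ] && [ -n "${DOMAIN:-}" ]; then
    token="selftest-$$"
    if place_token "$WEBROOT" "$token"; then
        url=$(challenge_url "$DOMAIN" "$token")
        echo "placed token; the CA would fetch: $url"
        report_permissions "$WEBROOT/.well-known/acme-challenge/$token"
        if [ "${LIVE:-0}" = 1 ]; then
            if body=$(curl -fsS "$url") && [ "$body" = "$token" ]; then
                echo "LIVE: served correctly"
            else
                echo "LIVE: not served (404, wrong webroot, or connection problem)"
            fi
        fi
        remove_token "$WEBROOT" "$token"
    else
        echo "could not create token under $WEBROOT"
    fi
fi
```

If the live fetch fails while the local placement succeeded, the file exists but Apache is serving a different DocumentRoot, or an Alias or Directory rule is shadowing `/.well-known/`; `apachectl -S` shows which DocumentRoot is actually in effect.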

Yes, a 404 is an http error Not Found. You might try

sudo certbot certonly --apache --dry-run

If that works remove --dry-run to get a production cert

The --apache plug-in will insert temp code into your Apache config for handling the HTTP Challenge.

Your first post showed some problems with Alias statements so without seeing your VirtualHost config it is hard to say for sure what will work.

This subfolder gets created by Certbot and removed after the challenge.

2 Likes

Yes, it’s my external IP.

Thanks! I ran that and it returned: The requested apache plugin does not appear to be installed.

Is that httpd-vhosts.conf? Or could you let me know which plugin I should enable. (Or does plugin mean module? See below.) I’ve been using the defaults in httpd.conf as this is a dry run set up for a pluggable transport which I won’t actually be able to run on this server because it’s running a bridge at the moment. As far as I can tell a vhost config isn’t necessary for a single server config, but I could be (and frequently am) wrong. :confused:

Here’s the current output of apachectl -S:

mini@Minis-Mac-mini ~ % apachectl -S
[Sat Aug 19 08:44:24.384942 2023] [alias:warn] [pid 72020] AH00671: The Alias directive in /private/etc/apache2/httpd.conf at line 569 will probably never match because it overlaps an earlier Alias.
[Sat Aug 19 08:44:24.385522 2023] [alias:warn] [pid 72020] AH00671: The Alias directive in /private/etc/apache2/httpd.conf at line 576 will probably never match because it overlaps an earlier Alias.
[Sat Aug 19 08:44:24.385571 2023] [alias:warn] [pid 72020] AH00671: The Alias directive in /private/etc/apache2/httpd.conf at line 583 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
ServerRoot: "/usr"
Main DocumentRoot: "/Users/mini/Sites"
Main ErrorLog: "/private/var/log/apache2/error_log"
Mutex mpm-accept: using_defaults
Mutex rewrite-map: using_defaults
Mutex default: dir="/private/var/run/" mechanism=default
PidFile: "/private/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
User: name="mini" id=501 not_used
Group: name="staff" id=20 not_used

The alias statements keep getting added to httpd.conf every time I tried to issue a cert (it was happening previously when I was running the --issue command from ./acme.sh in apache mode).
I’ve just checked and the alias module is not enabled in httpd.conf.

So, should I configure a virtual host in httpd-vhosts.conf? Or just enable Virtual hosts in httpd.conf without configuring a VHOST? On other attempts I’ve just removed (edited out) the alias statements from httpd.conf and tried again.

Again, thanks for your help.

1 Like

Please show:
apachectl -t -D DUMP_VHOSTS

2 Likes

mini@Minis-Mac-mini ~ % apachectl -t -D DUMP_VHOSTS
[Sat Aug 19 10:18:21.795627 2023] [alias:warn] [pid 75767] AH00671: The Alias directive in /private/etc/apache2/httpd.conf at line 569 will probably never match because it overlaps an earlier Alias.
[Sat Aug 19 10:18:21.796201 2023] [alias:warn] [pid 75767] AH00671: The Alias directive in /private/etc/apache2/httpd.conf at line 576 will probably never match because it overlaps an earlier Alias.
[Sat Aug 19 10:18:21.796241 2023] [alias:warn] [pid 75767] AH00671: The Alias directive in /private/etc/apache2/httpd.conf at line 583 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:

I was about to try enabling Virtual hosts in httpd.conf.

Please show the entire output.
It should clarify the problem.

2 Likes

Oddly enough, that was the entire output. I expect the reason is that Virtual hosts is not enabled in httpd.conf. Give me a minute and I’ll enable it...