Connection gets refused

My domain is: urlaub.bsb.net

I ran this command: certbot certonly --standalone -d urlaub.bsb.net

It produced this output:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for urlaub.bsb.net
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. urlaub.bsb.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://urlaub.bsb.net/.well-known/acme-challenge/pGaMSwlhger0pFLeD2qSkrLqyKx-We0DmiwbGmEn8cQ: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: urlaub.bsb.net
   Type:   connection
   Detail: Fetching
   http://urlaub.bsb.net/.well-known/acme-challenge/pGaMSwlhger0pFLeD2qSkrLqyKx-We0DmiwbGmEn8cQ:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): No application is running on server yet. Will use the certificate for a spring boot application.

The operating system my web server runs on is (include version): Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don’t know): Yes (it’s a local machine in our company; requests to urlaub.bsb.net on port 80 / 443 are redirected to my machine).

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

root@urlaub:~# dig urlaub.bsb.net

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> urlaub.bsb.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53946
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;urlaub.bsb.net. IN A

;; ANSWER SECTION:
urlaub.bsb.net. 3214 IN A 80.245.135.227

;; Query time: 1 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 02 15:28:08 CEST 2018
;; MSG SIZE rcvd: 59

We don’t have IPv6, so there is no ANSWER for AAAA:

root@urlaub:~# dig aaaa urlaub.bsb.net

; <<>> DiG 9.11.3-1ubuntu1.2-Ubuntu <<>> aaaa urlaub.bsb.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44364
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;urlaub.bsb.net. IN AAAA

;; Query time: 43 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Oct 02 15:29:25 CEST 2018
;; MSG SIZE rcvd: 43

Hi,

Connection refused usually means there is some issue with either port forwarding or a firewall blocking the connection.

If you visit your site from outside your company network (e.g. via a VPN or your mobile data), you are likely to see the same error message as the Let’s Encrypt validation server: connection refused.

You may need to contact your IT department to fix this.

Thank you

I’ve told this to my system administrator, but he assured me that the ports are forwarded to my internal IP address.

Edit: There is no web site. As already mentioned in my first posting, a Spring Boot application should run on this server later on.

The port redirection is probably not working properly. Could you test it by setting up a web server temporarily and seeing if you can access it from the outside world? If you don’t have any web server software installed on that machine, you might be able to use sudo python -m SimpleHTTPServer 80 instead.


Had the idea to install Apache on it just out of curiosity, to see whether our system administrator made some mess with the redirection, but hadn’t had the time today. Your suggestion is like gold, though. If it’s that easy to run a web application for testing purposes, I’ll try it out on Thursday (the company is closed tomorrow due to a public holiday, German Unification Day).

However, I’ve one more question. Is it correct that there is no need to have an application listening on port 80 / 443? As far as I understood, ‘certbot certonly --standalone’ starts its own small HTTP server to give Let’s Encrypt the ability to check whether our server is the one it claims to be? Correct?

So if I enter my command, the following steps are happening behind the scenes:
certbot certonly --standalone -d urlaub.bsb.net
1.) certbot starts a small HTTP server.
2.) certbot tells Let’s Encrypt that we need a certificate for urlaub.bsb.net and tells it where we’ve placed the file that Let’s Encrypt should try to access.
3.) Let’s Encrypt tries to access http://urlaub.bsb.net/.well-known/acme-challenge/SOMEINCOMPREHENSABLELETTERSANDDIGITS
4.) If Let’s Encrypt was able to fetch the file, it signs our certificate.

Is it correct?
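The four steps listed above, and the earlier suggestion to stand up a throwaway HTTP server to prove the port forwarding works, can both be exercised in one place with the following Python simulation. This is an added example for this thread, not code from certbot or Let’s Encrypt: it binds an ephemeral port on 127.0.0.1 instead of 0.0.0.0:80 so it runs without root and offline, the account-key thumbprint is a constructed value, and the token is the one that appeared in the failing log above. The "validator" side does what the CA does in step 3 (fetch the token URL and compare the key authorization) and reports the same "Connection refused" class of failure when nothing is listening, which is the symptom the thread is about.

```python
"""Simulated ACME http-01 round trip in the shape certbot --standalone uses.

Added example; not certbot's or Let's Encrypt's code. Assumptions:
  - the challenge server binds an ephemeral 127.0.0.1 port, not 0.0.0.0:80;
  - THUMBPRINT is a constructed JWK thumbprint, not a real account key;
  - TOKEN is the token from the thread's failing log, reused as sample input.
"""
import base64
import hashlib
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
TOKEN = "pGaMSwlhger0pFLeD2qSkrLqyKx-We0DmiwbGmEn8cQ"   # from the log above
THUMBPRINT = base64.urlsafe_b64encode(                   # constructed value
    hashlib.sha256(b"constructed account key").digest()).rstrip(b"=").decode()


def key_authorization(token: str, thumbprint: str) -> str:
    """RFC 8555 key authorization: token '.' base64url(JWK thumbprint)."""
    return f"{token}.{thumbprint}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Serves only the registered challenge path(s); everything else is 404."""

    def do_GET(self):
        body = self.server.responses.get(self.path)
        if body is None:
            self.send_error(404)
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


class ChallengeServer(ThreadingHTTPServer):
    """Step 1: the small HTTP server certbot --standalone starts."""

    def __init__(self, addr, token, keyauth):
        super().__init__(addr, ChallengeHandler)
        self.responses = {CHALLENGE_PREFIX + token: keyauth}


def validate_http01(host, port, token, expected_keyauth, timeout=3.0):
    """Step 3/4: what the CA does. Returns (ok, detail)."""
    path = CHALLENGE_PREFIX + token
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("ascii", errors="replace").strip()
        conn.close()
    except OSError as exc:  # ConnectionRefusedError, timeouts, DNS failures
        return False, f"Fetching http://{host}:{port}{path}: {exc}"
    if resp.status != 200:
        return False, f"Fetching http://{host}:{port}{path}: HTTP {resp.status}"
    if body != expected_keyauth:
        return False, "key authorization mismatch"
    return True, "valid"


def run_round_trip(token=TOKEN, thumbprint=THUMBPRINT, requested_token=None):
    """Start the challenge server, validate against it, shut it down.

    requested_token lets the caller ask for a token the server does not hold,
    which is what a stale or wrong challenge file looks like to the CA.
    """
    keyauth = key_authorization(token, thumbprint)
    srv = ChallengeServer(("127.0.0.1", 0), token, keyauth)
    port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return validate_http01("127.0.0.1", port, requested_token or token, keyauth)
    finally:
        srv.shutdown()
        srv.server_close()


def closed_port():
    """Pick a port nothing listens on, to reproduce 'Connection refused'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    print("listening server :", run_round_trip())
    print("wrong token      :", run_round_trip(requested_token="x" * 43))
    print("nothing listening:", validate_http01("127.0.0.1", closed_port(), TOKEN, "n/a"))
```

Run it and the third line reproduces the thread's symptom: the CA side never reaches a server at all, which is a routing or firewall problem rather than anything about the challenge file. The second line shows the other common failure (a 404 because the token being fetched is not the one being served), which is worth telling apart from "Connection refused" when reading a certbot log.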

Yes... It's not required when you use standalone (since standalone will set up a simple validation-only server to do the challenges).

It's right....
However, when you are running an existing server and trying to renew the certificate (with standalone), it has a chance to fail, since the existing web server will bind to port 80 & 443.

Thank you


My actual application will not use port 80 or 443. Spring Boot applications use port 8080 by default, since they are Tomcat/Jetty based applications run out of a jar.
So the renewal is not a problem for me, is it?

Yup... Just FYI: you may need to restart / reload the application every time after the certificate renewal in order for the application to pick up the new certificate.

Thank you


It was an issue with redirection… Our network administrator forgot a simple thing, which led the redirection to fail. Now I was able to create the certificate. Thanks to both of you for the helpful hints, especially @schoen for the hint about the out-of-the-box HTTP server using Python. This saved me a lot of time proving to our network admin that the error occurred due to redirection failures.

Can be closed (I don’t know, if I’m able to close it by myself).
