Connection refuse error for getting a new certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
docker-compose run --rm --entrypoint "certbot certonly --webroot -w /var/www/certbot --email -d --rsa-key-size 4096 --agree-tos --force-renewal" certbot

It produced this output:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Type: connection
Detail: Fetching Connection refused

My web server is (include version):

The operating system my web server runs on is (include version):
Amazon Linux 2023

My hosting provider, if applicable, is:
aws EC2

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
docker image: certbot/certbot

More details about this:

The code was working before, I changed nothing and get error like above. The code source is come from Nginx and Let’s Encrypt with Docker in Less Than 5 Minutes | by Philipp | Medium. The code which run certbot server is part of which comes from the code source. Consider it works before(I successfully get a new certificate), it's unlikely causing by my code. Could you kindly take a look why I get this error?

Why are you using this option?




Oh! I see the logic. It might be the problem why I get this error. I just follow the tuturial, and since it works I didn't change it too much. Let me remove it and see if it works well!

It will likely fail with:

TCP port 80 must be open when using HTTP-01 authentication.


No, it isn't, but it doesn't help at all also. It usually only leads to excessive load on the Let's Encrypt systems and running into rate limits for the user.

In fact, you're already a single certificate away from hitting the duplicate cert rate limit:

What tutorial suggested using --force-renewal? The article in your first post? Because that article doesn't say anything about --force-renewal.


Yeah, that's what I thought. I'm pretty new to using certbot and I'm trying to debug something. So I have no idea my code is letting me force renew my certificate, until I reach the limitation (which let me think it might work latter, and all I need to do is waiting :frowning: ), and I also change some logic here to not to force new certificate right now. Thank you so much for your help! :slight_smile:

1 Like

I think it make more sense that it's just I reach the limitation of my request of certificate(since it works before, but not works now, and I changed nothing about certbot part). But thank you so much for you help!:slight_smile:

1 Like

A connection refused error usually means the webserver is not running. Or a portmap is mapped to a host without a running webserver (e.g., the wrong host).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.