Connection Refused error

Hello,

I am trying to obtain a certificate with acme.sh. My boulder service IP address is: http://192.168.6.91:4001/directory. It is a local area IP address.

I ran the command from the 192.168.6.90 machine. This IP address's domain is: robust.mqtttest.com

The command is: ./acme.sh --issue -d robust.mqtttest.com --server http://192.168.6.91:4001/directory -w /var/www/robust.test.com/html/ --debug

The acme.sh output is:

[Fri Jul 5 18:47:47 +03 2019] Lets find script dir.
[Fri Jul 5 18:47:47 +03 2019] SCRIPT='./acme.sh'
[Fri Jul 5 18:47:47 +03 2019] _script='/root/.acme.sh/acme.sh'
[Fri Jul 5 18:47:47 +03 2019] _script_home='/root/.acme.sh'
[Fri Jul 5 18:47:47 +03 2019] Using config home:/root/.acme.sh
https://github.com/Neilpang/acme.sh
v2.8.2
[Fri Jul 5 18:47:47 +03 2019] Using server: http://192.168.6.91:4001/directory
[Fri Jul 5 18:47:47 +03 2019] _main_domain='robust.mqtttest.com'
[Fri Jul 5 18:47:47 +03 2019] _alt_domains='no'
[Fri Jul 5 18:47:47 +03 2019] Using config home:/root/.acme.sh
[Fri Jul 5 18:47:47 +03 2019] ACME_DIRECTORY='http://192.168.6.91:4001/directory'
[Fri Jul 5 18:47:47 +03 2019] DOMAIN_PATH='/root/.acme.sh/robust.mqtttest.com'
[Fri Jul 5 18:47:47 +03 2019] Using ACME_DIRECTORY: http://192.168.6.91:4001/directory
[Fri Jul 5 18:47:47 +03 2019] _init api for server: http://192.168.6.91:4001/directory
[Fri Jul 5 18:47:47 +03 2019] GET
[Fri Jul 5 18:47:47 +03 2019] url='http://192.168.6.91:4001/directory'
[Fri Jul 5 18:47:47 +03 2019] timeout=
[Fri Jul 5 18:47:47 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jul 5 18:47:47 +03 2019] ret='0'
[Fri Jul 5 18:47:47 +03 2019] ACME_KEY_CHANGE='http://192.168.6.91:4001/acme/key-change'
[Fri Jul 5 18:47:47 +03 2019] ACME_NEW_AUTHZ
[Fri Jul 5 18:47:47 +03 2019] ACME_NEW_ORDER='http://192.168.6.91:4001/acme/new-order'
[Fri Jul 5 18:47:47 +03 2019] ACME_NEW_ACCOUNT='http://192.168.6.91:4001/acme/new-acct'
[Fri Jul 5 18:47:47 +03 2019] ACME_REVOKE_CERT='http://192.168.6.91:4001/acme/revoke-cert'
[Fri Jul 5 18:47:47 +03 2019] ACME_AGREEMENT='https://boulder:4431/terms/v7'
[Fri Jul 5 18:47:47 +03 2019] ACME_NEW_NONCE='http://192.168.6.91:4001/acme/new-nonce'
[Fri Jul 5 18:47:47 +03 2019] ACME_VERSION='2'
[Fri Jul 5 18:47:47 +03 2019] Le_NextRenewTime
[Fri Jul 5 18:47:47 +03 2019] _on_before_issue
[Fri Jul 5 18:47:47 +03 2019] _chk_main_domain='robust.mqtttest.com'
[Fri Jul 5 18:47:47 +03 2019] _chk_alt_domains
[Fri Jul 5 18:47:47 +03 2019] Le_LocalAddress
[Fri Jul 5 18:47:47 +03 2019] d='robust.mqtttest.com'
[Fri Jul 5 18:47:47 +03 2019] Check for domain='robust.mqtttest.com'
[Fri Jul 5 18:47:47 +03 2019] _currentRoot='/var/www/robust.test.com/html/'
[Fri Jul 5 18:47:47 +03 2019] d
[Fri Jul 5 18:47:47 +03 2019] _saved_account_key_hash is not changed, skip register account.
[Fri Jul 5 18:47:47 +03 2019] Read key length:
[Fri Jul 5 18:47:47 +03 2019] _createcsr
[Fri Jul 5 18:47:47 +03 2019] Single domain='robust.mqtttest.com'
[Fri Jul 5 18:47:47 +03 2019] Getting domain auth token for each domain
[Fri Jul 5 18:47:47 +03 2019] d
[Fri Jul 5 18:47:47 +03 2019] url='http://192.168.6.91:4001/acme/new-order'
[Fri Jul 5 18:47:47 +03 2019] payload='{"identifiers": [{"type":"dns","value":"robust.mqtttest.com"}]}'
[Fri Jul 5 18:47:47 +03 2019] RSA key
[Fri Jul 5 18:47:47 +03 2019] HEAD
[Fri Jul 5 18:47:47 +03 2019] _post_url='http://192.168.6.91:4001/acme/new-nonce'
[Fri Jul 5 18:47:47 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jul 5 18:47:47 +03 2019] _ret='0'
[Fri Jul 5 18:47:47 +03 2019] POST
[Fri Jul 5 18:47:47 +03 2019] _post_url='http://192.168.6.91:4001/acme/new-order'
[Fri Jul 5 18:47:47 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jul 5 18:47:48 +03 2019] _ret='0'
[Fri Jul 5 18:47:48 +03 2019] code='201'
[Fri Jul 5 18:47:48 +03 2019] Le_LinkOrder='http://192.168.6.91:4001/acme/order/3/52'
[Fri Jul 5 18:47:48 +03 2019] Le_OrderFinalize='http://192.168.6.91:4001/acme/finalize/3/52'
[Fri Jul 5 18:47:48 +03 2019] url='http://192.168.6.91:4001/acme/authz/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI'
[Fri Jul 5 18:47:48 +03 2019] payload
[Fri Jul 5 18:47:48 +03 2019] POST
[Fri Jul 5 18:47:48 +03 2019] _post_url='http://192.168.6.91:4001/acme/authz/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI'
[Fri Jul 5 18:47:48 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jul 5 18:47:48 +03 2019] _ret='0'
[Fri Jul 5 18:47:48 +03 2019] code='200'
[Fri Jul 5 18:47:48 +03 2019] d='robust.mqtttest.com'
[Fri Jul 5 18:47:48 +03 2019] Getting webroot for domain='robust.mqtttest.com'
[Fri Jul 5 18:47:48 +03 2019] _w='/var/www/robust.test.com/html/'
[Fri Jul 5 18:47:48 +03 2019] _currentRoot='/var/www/robust.test.com/html/'
[Fri Jul 5 18:47:48 +03 2019] entry='"type":"http-01","status":"pending","url":"http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162","token":"4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ"'
[Fri Jul 5 18:47:48 +03 2019] token='4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ'
[Fri Jul 5 18:47:48 +03 2019] uri='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:48 +03 2019] keyauthorization='4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ.C0wwkJ28zDf0qsxl9cdJh09vkHJ2vbDlL0Q5CspYVUU'
[Fri Jul 5 18:47:48 +03 2019] dvlist='robust.mqtttest.com#4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ.C0wwkJ28zDf0qsxl9cdJh09vkHJ2vbDlL0Q5CspYVUU#http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162#http-01#/var/www/robust.test.com/html/'
[Fri Jul 5 18:47:48 +03 2019] d
[Fri Jul 5 18:47:48 +03 2019] vlist='robust.mqtttest.com#4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ.C0wwkJ28zDf0qsxl9cdJh09vkHJ2vbDlL0Q5CspYVUU#http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162#http-01#/var/www/robust.test.com/html/,'
[Fri Jul 5 18:47:48 +03 2019] d='robust.mqtttest.com'
[Fri Jul 5 18:47:48 +03 2019] ok, let's start to verify
[Fri Jul 5 18:47:48 +03 2019] Verifying: robust.mqtttest.com
[Fri Jul 5 18:47:48 +03 2019] d='robust.mqtttest.com'
[Fri Jul 5 18:47:48 +03 2019] keyauthorization='4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ.C0wwkJ28zDf0qsxl9cdJh09vkHJ2vbDlL0Q5CspYVUU'
[Fri Jul 5 18:47:48 +03 2019] uri='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:48 +03 2019] _currentRoot='/var/www/robust.test.com/html/'
[Fri Jul 5 18:47:48 +03 2019] wellknown_path='/var/www/robust.test.com/html//.well-known/acme-challenge'
[Fri Jul 5 18:47:48 +03 2019] writing token:4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ to /var/www/robust.test.com/html//.well-known/acme-challenge/4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ
[Fri Jul 5 18:47:48 +03 2019] Changing owner/group of .well-known to root:root
[Fri Jul 5 18:47:48 +03 2019] url='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:48 +03 2019] payload='{}'
[Fri Jul 5 18:47:48 +03 2019] POST
[Fri Jul 5 18:47:48 +03 2019] _post_url='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:48 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jul 5 18:47:48 +03 2019] _ret='0'
[Fri Jul 5 18:47:48 +03 2019] code='200'
[Fri Jul 5 18:47:48 +03 2019] trigger validation code: 200
[Fri Jul 5 18:47:48 +03 2019] sleep 2 secs to verify
[Fri Jul 5 18:47:50 +03 2019] checking
[Fri Jul 5 18:47:50 +03 2019] url='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:50 +03 2019] payload
[Fri Jul 5 18:47:50 +03 2019] POST
[Fri Jul 5 18:47:50 +03 2019] _post_url='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:50 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jul 5 18:47:50 +03 2019] _ret='0'
[Fri Jul 5 18:47:50 +03 2019] code='200'
[Fri Jul 5 18:47:50 +03 2019] robust.mqtttest.com:Verify error:Fetching http://robust.mqtttest.com/.well-known/acme-challenge/4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ: Connection refused
[Fri Jul 5 18:47:50 +03 2019] Debug: get token url.
[Fri Jul 5 18:47:50 +03 2019] GET
[Fri Jul 5 18:47:50 +03 2019] url='http://robust.mqtttest.com/.well-known/acme-challenge/4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ'
[Fri Jul 5 18:47:50 +03 2019] timeout=1
[Fri Jul 5 18:47:50 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g --connect-timeout 1'
4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ.C0wwkJ28zDf0qsxl9cdJh09vkHJ2vbDlL0Q5CspYVUU[Fri Jul 5 18:47:50 +03 2019] ret='0'
[Fri Jul 5 18:47:50 +03 2019] Debugging, skip removing: /var/www/robust.test.com/html//.well-known/acme-challenge/4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ
[Fri Jul 5 18:47:50 +03 2019] pid
[Fri Jul 5 18:47:50 +03 2019] No need to restore nginx, skip.
[Fri Jul 5 18:47:50 +03 2019] _clearupdns
[Fri Jul 5 18:47:50 +03 2019] dns_entries
[Fri Jul 5 18:47:50 +03 2019] skip dns.
[Fri Jul 5 18:47:50 +03 2019] _on_issue_err
[Fri Jul 5 18:47:50 +03 2019] Please add '--debug' or '--log' to check more details.
[Fri Jul 5 18:47:50 +03 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Fri Jul 5 18:47:50 +03 2019] url='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:50 +03 2019] payload='{}'
[Fri Jul 5 18:47:50 +03 2019] POST
[Fri Jul 5 18:47:50 +03 2019] _post_url='http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162'
[Fri Jul 5 18:47:50 +03 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jul 5 18:47:50 +03 2019] _ret='0'
[Fri Jul 5 18:47:50 +03 2019] code='400'

But when I try to GET "http://robust.mqtttest.com/.well-known/acme-challenge/4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ", the server returns the value.

Even when I run curl http://robust.mqtttest.com/.well-known/acme-challenge/4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ from the boulder container, it returns the value.

root@203f5249f790:~# curl http://robust.mqtttest.com/.well-known/acme-challenge/4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ
4w6gfEGTwDTs_aTR-jV4fyeice3p16vmC-Vy3FInFbQ.C0wwkJ28zDf0qsxl9cdJh09vkHJ2vbDlL0Q5CspYVUUroot@203f5249f790:~#

But boulder is not connecting to this key.

What could be the reason?

Sounds potentially like your Boulder installation might have an incorrect view of DNS. (Note, that Boulder uses a different DNS resolver to that used by curl, even in the same container. This is part of the VA configuration).

Open up the challenge URL on Boulder:

http://192.168.6.91:4001/acme/challenge/synN_nLw0e-G9macx28wXcIo8axWhkFANeOdN6xzmPI/162

It will contain the record of what IP address(es) Boulder is using to connect to your domain. e.g.

"validationRecord": [
  {
    "url": "http://example.com/.well-known/acme-challenge/xxx",
    "hostname": "example.com",
    "port": "80",
    "addressesResolved": [
      "1.2.3.4"
    ],
    "addressUsed": "1.2.3.4"
  }
]

Confirm that it is resolving to the correct host.
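One way to automate the check this reply describes, as an added example that is not from the thread or from Boulder: it parses the validationRecord of a challenge object and flags any address Boulder's VA resolved or used that is not the address you expect (the 192.168.6.90 web host in this thread). The sample challenge JSON is constructed for the example, not captured from the poster's server, and the local-resolver comparison is a convenience for seeing how your own DNS view differs from the VA's.

```python
import json
import socket
from urllib.request import urlopen

# Constructed sample of the JSON a Boulder challenge URL returns after an
# attempted http-01 validation. Field names follow the reply above; the
# addresses are made up for this example (a VA that resolved the wrong host).
SAMPLE_CHALLENGE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "validationRecord": [{
        "url": "http://robust.mqtttest.com/.well-known/acme-challenge/xxx",
        "hostname": "robust.mqtttest.com",
        "port": "80",
        "addressesResolved": ["192.168.6.94"],
        "addressUsed": "192.168.6.94",
    }],
})


def validation_mismatches(challenge_json, expected_addrs):
    """Return (hostname, addressUsed, addressesResolved) for every
    validationRecord whose addresses are not all in expected_addrs."""
    expected = set(expected_addrs)
    problems = []
    for rec in json.loads(challenge_json).get("validationRecord", []):
        resolved = set(rec.get("addressesResolved", []))
        used = rec.get("addressUsed")
        if used not in expected or not resolved <= expected:
            problems.append((rec.get("hostname"), used, sorted(resolved)))
    return problems


def local_addresses(hostname):
    """Addresses this machine's resolver returns for hostname, to compare with
    what Boulder's VA (which uses its own resolver) recorded."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 80)})


def check_challenge_url(url, expected_addrs):
    """Fetch the challenge object from Boulder and run the comparison (needs
    network access to the Boulder host, so it is not exercised offline)."""
    with urlopen(url, timeout=5) as resp:
        return validation_mismatches(resp.read().decode(), expected_addrs)


if __name__ == "__main__":
    # The web root in the thread lives on 192.168.6.90, so that is the address
    # Boulder should have resolved; anything else points at the VA's DNS view.
    for host, used, resolved in validation_mismatches(SAMPLE_CHALLENGE, ["192.168.6.90"]):
        print(f"VA used {used} for {host} (resolved {resolved}); expected 192.168.6.90")
```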

My boulder server is installed on the x.x.x.91 host. If I create a new certificate request from the x.x.x.90 host, I change the FAKE_DNS value to x.x.x.90. If I create a new certificate request from x.x.x.94, I change the FAKE_DNS value to x.x.x.94.

I don't want to change the FAKE_DNS value.

What can I do about it?

You shouldn’t use FAKE_DNS at all.

You need to set real dnsResolvers in test/config/va.json so that your domains get resolved using real DNS.

See https://github.com/letsencrypt/boulder/wiki/Deployment-&-Implementation-Guide#ports-and-dns