Connection refused from my IP when renewing for nginx!

Hi;

I have a certificate which has just expired. I received notification emails for renewal, but I have it automated, or so I thought :frowning:

I am getting this strange error:

# certbot renew --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/mtailounie.net.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Attempting to renew cert from /etc/letsencrypt/renewal/mtailounie.net.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fc6b25f4240>: Failed to establish a new connection: [Errno 111] Connection refused',)). Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mtailounie.net/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

I have tried to test the connection to acme-v01.api.letsencrypt.org with openssl, but it is refused from my server.

Is it possible that Let’s Encrypt have blocked my IP address? Why?

Thank you

Hi @linuxero,

I don't think this is the most likely explanation. Can your webserver reach other websites (letsencrypt.org, google.com, etc.) without issue? Can you share the output from running mtr -c 20 -w -r acme-v01.api.letsencrypt.org? (You may need to install mtr first.)

Hi cpu;

I can easily reach other websites. Here’s the output of the mtr command:

# mtr -c 20 -w -r acme-v01.api.letsencrypt.org
Start: Tue Dec 12 09:31:05 2017
HOST: mx0.mtailounie.net                           Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 198.27.67.253                                 0.0%    20  169.5  53.1   0.6 303.8  88.7
  2.|-- po101.bhs-g1-a75.qc.ca                        0.0%    20    0.3   0.3   0.3   0.6   0.0
  3.|-- 10.95.81.8                                    0.0%    20    1.6  14.4   1.3 124.0  34.5
  4.|-- be100-1319.nwk-1-a9.nj.us                     0.0%    20    8.1   8.3   8.1   8.6   0.0
  5.|-- be100-2.nwk-5-a9.nj.us                        0.0%    20    8.6   8.3   8.1   8.6   0.0
  6.|-- above.net                                     0.0%    20    8.4   8.4   8.3   8.7   0.0
  7.|-- ae11.cs2.lga5.us.zip.zayo.com                 0.0%    20   44.9  44.7  44.2  47.7   0.8
  8.|-- ae4.cs2.dca2.us.eth.zayo.com                  0.0%    20   44.5  45.2  44.4  55.9   2.5
  9.|-- ae3.cs2.iah1.us.eth.zayo.com                  0.0%    20   44.5  44.8  44.4  47.8   0.7
 10.|-- ae27.cr2.iah1.us.zip.zayo.com                15.0%    20   38.6  39.4  38.6  47.4   2.1
 11.|-- ae2.mpr2.aus1.us.zip.zayo.com                 0.0%    20   50.5  47.4  44.3  76.8   7.2
 12.|-- ae4.er1.aus3.us.zip.zayo.com                  0.0%    20   44.4  44.4  44.3  44.4   0.0
 13.|-- 64.125.192.114.IPYX-082035-002-ZYO.above.net  0.0%    20   46.3  47.5  46.3  62.9   3.8
 14.|-- 208.91.197.91

Thank you

Hi @linuxero,

Thanks for providing that MTR. I think you might have a problem with your DNS resolution. The IP that you are resolving for the Let’s Encrypt ACME API (208.91.197.91) is incorrect.

Worse, when I look up this IP in Google SafeBrowsing it’s flagged as an unsafe website!

Can you verify that your DNS is configured properly? You may want to investigate whether you have malicious software redirecting DNS to harmful websites :-X

Hope that helps,
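The diagnosis above rests on one observation: the address the server's resolver handed out for the ACME API was not one that belongs to Let's Encrypt. The script below, added here as an example and not code from certbot, Let's Encrypt or anyone in this thread, turns that into a repeatable check a defender can run before blaming the CA: it resolves the host through the local stub resolver and through an independent DNS-over-HTTPS resolver, compares the two answer sets, extracts the final hop from an `mtr -r` report like the one posted, and confirms that whatever address is reached actually presents a certificate chain valid for the hostname. The DoH endpoint (cloudflare-dns.com) and the reference addresses used in the offline demo (RFC 5737 documentation range) are assumptions and constructed data, not values from the thread.

```python
"""Cross-check how the ACME endpoint resolves before trusting a renewal path.

Added example for this thread, not certbot's or Let's Encrypt's own code.
Assumptions not taken from the thread: the DNS-over-HTTPS JSON service at
https://cloudflare-dns.com/dns-query is the independent reference resolver,
and the reference addresses in the offline demo are constructed (RFC 5737
documentation range), not real ACME addresses.
"""
import json
import re
import socket
import ssl
import urllib.request

ACME_HOST = "acme-v01.api.letsencrypt.org"  # host from the thread; retired since


def system_resolve(host):
    """IPv4 answers from the local stub resolver (whatever /etc/resolv.conf uses)."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({ai[4][0] for ai in infos})


def doh_resolve(host, endpoint="https://cloudflare-dns.com/dns-query"):
    """A records from an independent DNS-over-HTTPS resolver (assumed endpoint).

    The query is carried inside TLS validated against the DoH server's name, so
    a malicious local resolver can only make this lookup fail, not forge it.
    """
    req = urllib.request.Request(f"{endpoint}?name={host}&type=A",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        answer = json.load(resp).get("Answer", [])
    return sorted(rr["data"] for rr in answer if rr.get("type") == 1)  # 1 == A


def tls_identity_ok(ip, host, port=443, timeout=10):
    """True if `ip` presents a certificate chain valid for `host`.

    A hijacked address cannot pass this without a certificate it should not
    hold; in the thread the rogue address simply refused the connection.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


MTR_HOP_RE = re.compile(r"^\s*\d+\.\|--\s+(\S+)")


def mtr_final_hop(report):
    """Host or IP of the last hop in an `mtr -r` report, or None if no hops.

    mtr prints `???` for a hop that did not answer, so a trailing `???` means
    the trace never reached the destination rather than identifying it.
    """
    hops = [m.group(1) for m in map(MTR_HOP_RE.match, report.splitlines()) if m]
    return hops[-1] if hops else None


def compare_resolutions(observed, reference):
    """Classify locally observed answers against an independent answer set.

    Returns (verdict, detail). Any overlap counts as `ok`, because a CDN-fronted
    host may legitimately give different resolvers different subsets of its
    addresses; a fully disjoint set is a `mismatch` that calls for the TLS check.
    """
    obs, ref = set(observed), set(reference)
    if not obs:
        return "no-answer", "local resolver returned no A records"
    if obs & ref:
        return "ok", f"shared addresses: {sorted(obs & ref)}"
    return "mismatch", f"local {sorted(obs)} vs reference {sorted(ref)}"


# Constructed offline demo: the mtr report from the thread (abridged) plus a
# constructed reference answer set in the RFC 5737 documentation range.
SAMPLE_MTR = """\
HOST: mx0.mtailounie.net                           Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 198.27.67.253                                 0.0%    20  169.5  53.1   0.6 303.8  88.7
 13.|-- 64.125.192.114.IPYX-082035-002-ZYO.above.net  0.0%    20   46.3  47.5  46.3  62.9   3.8
 14.|-- 208.91.197.91
"""
CONSTRUCTED_REFERENCE = ["203.0.113.10", "203.0.113.11"]


def offline_demo():
    """Run the comparison on the constructed data only; no network access."""
    final_hop = mtr_final_hop(SAMPLE_MTR)
    return final_hop, compare_resolutions([final_hop], CONSTRUCTED_REFERENCE)


if __name__ == "__main__":
    print("offline demo:", offline_demo())
    local, independent = system_resolve(ACME_HOST), doh_resolve(ACME_HOST)
    print(*compare_resolutions(local, independent))
    for ip in local:
        ok = tls_identity_ok(ip, ACME_HOST)
        print(ip, "valid TLS identity" if ok else "FAILED TLS identity check")
```

The verdict from the DNS comparison alone is a prompt to look closer, not proof: region-specific CDN answers can differ between resolvers, which is why overlap is treated as fine and a disjoint result is followed by the TLS identity check, which an address that does not belong to the operator cannot pass. The `acme-v01` host used in the thread has since been retired by Let's Encrypt; substitute the directory hostname your ACME client is actually configured to use.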

Hi cpu;

Thank you very much. I changed the DNS server and now my certificates are renewed :slight_smile:

That solved my problem.

I now have to investigate the malicious DNS server.

Thanks again