Connection Refused on renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: xacria.com, xacria.it, www.xacria.com, www.xacria.it

I ran this command: certbot renew -w /var/www/certbot --agree-tos --dry-run -v

It produced this output:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
certbot | Domain: www.xacria.com
certbot | Type: connection
certbot | Detail: 212.47.239.99: Fetching https://xacria.com/.well-known/acme-challenge/2YvOOdb0KSHTjmvEJa6cPBhbJHcF3TBmvPmfSiB5jlA: Connection refused
certbot |
certbot | Domain: xacria.com
certbot | Type: connection
certbot | Detail: 62.149.128.163: Fetching https://xacria.com/.well-known/acme-challenge/n6ATdUMiVbAtn6u697_2ni7ybTzfESskNpUv11sgnko: Connection refused
certbot |
certbot | Domain: www.xacria.it
certbot | Type: connection
certbot | Detail: 212.47.239.99: Fetching https://xacria.com/.well-known/acme-challenge/EWY-FHe355fJeWy91qPRj6V-3uuwHyJ4hwCBV3uVRP8: Connection refused
certbot |
certbot | Domain: xacria.it
certbot | Type: connection
certbot | Detail: 62.149.128.160: Fetching https://xacria.com/.well-known/acme-challenge/sh6_bX1dSPqkOY1GO2WsPbwcwo9TOyWKkB45Q8NH5D8: Connection refused

My web server is (include version): nginx/1.23.4 on docker

The operating system my web server runs on is (include version): Ubuntu 22.04.2 LTS

My hosting provider, if applicable, is: Scaleway

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.5.0

I have several IPs registered in DNS A records, but only one of these IPs has the web server that I want to use with certbot for certification.

Hello @Fili.xacria, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug yields these results: https://letsdebug.net/xacria.com/1552980; the main message is "request to this address over port 80 did not succeed." and, more importantly:

Server response: HTTP 302 Moved Temporarily
Received redirect to http://www.xacria.com/.well-known/acme-challenge/letsdebug-test

Best Practice - Keep Port 80 Open

The HTTP-01 challenge of the Challenge Types - Let's Encrypt requires Port 80 to be Open. Presently the domain is not meeting this requirement.

Edit update:
The redirection causes a failure

~$ curl -Ii http://xacria.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Mon, 17 Jul 2023 15:31:39 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: http://www.xacria.com/.well-known/acme-challenge/sometestfile
X-ServerName: redirposta01.ad.aruba.it

$ curl -Ii http://www.xacria.com/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to www.xacria.com port 80 after 380 ms: Connection refused

Also note there are 4 IP addresses for xacria.com and only one for www.xacria.com

$ nslookup xacria.com dns.technorail.com.
Server:         dns.technorail.com.
Address:        94.177.210.13#53

Name:   xacria.com
Address: 62.149.128.166
Name:   xacria.com
Address: 62.149.128.157
Name:   xacria.com
Address: 62.149.128.163
Name:   xacria.com
Address: 62.149.128.160
Name:   xacria.com
Address: 212.47.239.99

$ nslookup www.xacria.com dns.technorail.com.
Server:         dns.technorail.com.
Address:        94.177.210.13#53

Name:   www.xacria.com
Address: 212.47.239.99
3 Likes
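The checks in the reply above (curl per name, nslookup per name) amount to probing port 80 on every A record of the domain and of each redirect target. An added example, not part of the original thread, that automates this in Python; `audit`, `resolve_a`, `fetch_head`, `SAMPLE_DNS` and `sample_fetch` are names chosen here, and the sample responses are constructed from the thread's output, with the address that returns the 302 assumed.

```python
import http.client
import socket
from contextlib import closing
from urllib.parse import urlsplit

PATH = "/.well-known/acme-challenge/sometestfile"  # test path used in the thread

def resolve_a(host):
    """Every IPv4 address for host; the CA may connect to any of them."""
    infos = socket.getaddrinfo(host, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fetch_head(ip, host, path, timeout=5):
    """HEAD http://host/path sent to one specific IP -> (status, Location)."""
    with closing(http.client.HTTPConnection(ip, 80, timeout=timeout)) as conn:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")

def audit(host, path=PATH, resolve=resolve_a, fetch=fetch_head, hops=5):
    """Probe port 80 on every address of host and of each http:// redirect target."""
    results, queue, seen = {}, [(host, path, hops)], set()
    while queue:
        name, url_path, left = queue.pop(0)
        if (name, url_path) in seen:
            continue
        seen.add((name, url_path))
        for ip in resolve(name):
            try:
                status, location = fetch(ip, name, url_path)
            except (OSError, http.client.HTTPException) as exc:
                results[f"{name}@{ip}"] = f"FAIL {exc}"  # refused, timed out, ...
                continue
            results[f"{name}@{ip}"] = f"HTTP {status} -> {location}"
            target = urlsplit(location or "")
            if (300 <= status < 400 and target.scheme == "http"
                    and target.hostname and left > 0):
                queue.append((target.hostname, target.path or "/", left - 1))
    return results

SAMPLE_DNS = {"xacria.com": ["62.149.128.160", "212.47.239.99"],  # constructed
              "www.xacria.com": ["212.47.239.99"]}  # stand-in, runs offline

def sample_fetch(ip, host, path):
    if ip == "212.47.239.99":  # assumed closed port; the other address redirects
        raise ConnectionRefusedError(111, "Connection refused")
    return 302, "http://www.xacria.com" + path

if __name__ == "__main__":
    print(audit("xacria.com", resolve=SAMPLE_DNS.get, fetch=sample_fetch))
```

Called with the default resolver and fetcher, `audit` probes the live host; redirects to `https://` are reported in the result string but not followed.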

To help pinpoint the issue https://letsdebug.net/www.xacria.com/1553030 is a run against www.xacria.com

3 Likes

Hi,
I resolved it with a standalone installation of certbot (instead of docker) and the --standalone option.
Thank you for the help.

4 Likes
