Connection refused server could not connect to the client to verify the domain


My domain is: bardhome.de

I ran this command: certbot renew bardhome.de

It produced this output:
[ letsencrypt ] (Fri Mar 5 21:08:39 CET 2021)
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bardhome.de
Using the webroot path /var/www/nextcloud for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bardhome.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://bardhome.de/.well-known/acme-challenge/TO5r8JDwRFKyLGQsE5oUqPgRcDZiMcQxd7BxdSROVGE: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: bardhome.de
Type: connection
Detail: Fetching
http://bardhome.de/.well-known/acme-challenge/TO5r8JDwRFKyLGQsE5oUqPgRcDZiMcQxd7BxdSROVGE:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version): apache

The operating system my web server runs on is (include version): debian

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, nextcloudpi

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
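The error above is a plain TCP "Connection refused" on the http-01 fetch, which is worth separating from the other ways that fetch can fail. The following pre-flight script is an added example, not code from this thread or from certbot: it does locally what certbot's webroot plugin and the CA's validation server do between them (write a token under `<webroot>/.well-known/acme-challenge/`, fetch it over plain HTTP, compare), and classifies the outcome. The local `http.server` instances, the temporary directories and the three scenarios in `demo()` are constructed stand-ins for Apache and its DocumentRoot; the hostname and port you would pass to `probe()` in real use are your public name and port 80.

```python
"""ACME http-01 webroot pre-flight check (added example, not from the thread or certbot).

Drop a token where the webroot plugin would, fetch it by HTTP the way a validation
server does, and turn the result into a verdict that says where to look next.
"""
from __future__ import annotations

import http.server
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot: str) -> str:
    """Write a random token file where the webroot plugin would and return the token."""
    token = secrets.token_urlsafe(32)
    path = Path(webroot) / CHALLENGE_DIR
    path.mkdir(parents=True, exist_ok=True)
    (path / token).write_text(token)
    return token


def probe(host: str, port: int, token: str, timeout: float = 5.0) -> str:
    """Fetch the token like a validation server and classify the outcome.

    refused   -> TCP RST: nothing listening on that port, or a REJECT firewall rule
    timeout   -> packets silently dropped: DROP rule, missing NAT forward, wrong A record
    not_found -> a web server answered but serves a different directory than --webroot-path
    mismatch  -> a web server answered with other content (captive page, redirect body)
    ok        -> token served verbatim; the CA would accept this
    """
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as e:
        return "not_found" if e.code == 404 else f"http_{e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, ConnectionRefusedError):
            return "refused"
        if isinstance(e.reason, socket.timeout):
            return "timeout"
        return f"error:{e.reason}"
    except socket.timeout:  # a read-side timeout is raised bare, not wrapped in URLError
        return "timeout"
    return "ok" if body == token else "mismatch"


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_webroot(webroot: str) -> tuple[http.server.ThreadingHTTPServer, int]:
    """Start a throw-away HTTP server on 127.0.0.1 as a constructed stand-in for Apache."""
    srv = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), partial(_QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo() -> dict[str, str]:
    """Three constructed situations; the third reproduces the thread's 'Connection refused'."""
    verdicts: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as other:
        token = place_token(webroot)

        srv, port = serve_webroot(webroot)  # server's DocumentRoot == --webroot-path
        verdicts["correct_webroot"] = probe("127.0.0.1", port, token)
        srv.shutdown()
        srv.server_close()

        srv, port = serve_webroot(other)  # server's DocumentRoot != --webroot-path
        verdicts["wrong_webroot"] = probe("127.0.0.1", port, token)
        srv.shutdown()
        srv.server_close()

        # nothing listening on that port any more: the kernel answers the SYN with RST
        verdicts["nothing_listening"] = probe("127.0.0.1", port, token, timeout=2.0)
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:18} -> {verdict}")
```

Run it from a machine outside your network against `probe("bardhome.de", 80, token)` after placing the token with `place_token("/var/www/nextcloud")` on the server: "refused" means the SYN reached something that answered with a reset (no listener, or a REJECT rule on the host or router), "timeout" means it was dropped on the way, and "not_found" means Apache is up but is not serving the directory certbot was told to write into.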

Hi @Simon2020,

I also see a connection refused when trying to connect to http://bardhome.de/. Is it possible that you've shut down your web server for some reason, or that you have a firewall that prevents incoming connections from the rest of the Internet?


Strange, traceroute seems to work. Also from a local IP I can access the server (SSH is also working).
It worked for several years, now not anymore. I have not changed anything, but nextcloudpi updates itself. Probably something changed there, but I cannot figure out what. I have not set up any sort of firewall.

The system and the router tell me the port should be open:

But some port scanner says it's closed, strange...

When running a normal traceroute to your host, I'm getting a "Code: 13 (Communication administratively filtered)" ICMP error as an answer:

osiris@desktop ~ $ traceroute bardhome.de
traceroute to bardhome.de (79.244.37.18), 30 hops max, 60 byte packets
(...)
 5  asd-s8-rou-1041.NL.as286.net (134.222.94.216)  15.299 ms  15.307 ms  15.994 ms
 6  ae11-100-cr5-ams1.ipv4.gtt.net (194.122.122.98)  16.581 ms  16.595 ms ae16-100-cr6-ams1.ipv4.gtt.net (194.122.122.102)  17.366 ms
 7  ae27.cr1-fra2.ip4.gtt.net (89.149.181.254)  23.749 ms  15.669 ms  16.291 ms
 8  80.157.204.65 (80.157.204.65)  16.448 ms  17.277 ms  18.040 ms
 9  p5b17dea1.dip0.t-ipconnect.de (91.23.222.161)  23.880 ms  24.514 ms  24.939 ms
10  p4ff42512.dip0.t-ipconnect.de (79.244.37.18)  30.559 ms !X  31.685 ms !X  31.927 ms !X
osiris@desktop ~ $

Those ICMP packets are originating from YOUR IP address, so something on your host is generating them, most likely a firewall.

If I'm tracing to TCP port 80, I'm getting a different error: "Code: 1 (Host unreachable)"

osiris@desktop ~ $ sudo traceroute -T -p 80 bardhome.de
traceroute to bardhome.de (79.244.37.18), 30 hops max, 60 byte packets
(...)
 5  asd-s8-rou-1041.NL.as286.net (134.222.94.216)  12.936 ms  13.736 ms  13.741 ms
 6  ae16-100-cr6-ams1.ipv4.gtt.net (194.122.122.102)  14.698 ms  15.039 ms  14.997 ms
 7  ae27.cr1-fra2.ip4.gtt.net (89.149.181.254)  21.670 ms  15.962 ms  16.750 ms
 8  80.157.204.65 (80.157.204.65)  16.309 ms  16.632 ms  18.591 ms
 9  p5b17dea1.dip0.t-ipconnect.de (91.23.222.161)  23.859 ms  23.685 ms  24.274 ms
10  p4ff42512.dip0.t-ipconnect.de (79.244.37.18)  29.434 ms  30.605 ms  30.619 ms
11  p4ff42512.dip0.t-ipconnect.de (79.244.37.18)  3023.475 ms !H  3023.807 ms !H  3023.492 ms !H
osiris@desktop ~ $

Without knowing your exact setup, this is hard to debug. I'm seeing a docker0 interface, are you running Nextcloud in a Docker container?

Also, this probably isn't the best Community to ask this, as this most likely isn't certbot related at all, but a generic networking issue.
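The two traces above carry their diagnosis in the `!X` / `!H` annotations and in which address sent them. The parser below is an added example, not code from this thread or from traceroute: it reads traceroute(8) output, maps the annotation letters to their ICMP Destination Unreachable codes, and checks whether the ICMP came from the target address itself (generated at the destination, i.e. the host or the NAT gateway that owns that public address) or from an intermediate hop (filtered upstream). The sample input is the two traces posted above, copied verbatim; the `diagnose()` verdict strings are this example's own wording.

```python
"""Read the ICMP annotations in traceroute output (added example, not from the thread).

traceroute(8) appends "!<letter>" to a probe when the reply was an ICMP Destination
Unreachable instead of the usual Time Exceeded. Two things matter: the ICMP code
(what kind of rejection) and who sent it (the target itself, or a hop before it).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# traceroute(8) annotation letters for ICMP type 3 (Destination Unreachable) codes
ANNOTATIONS: dict[str, tuple[int, str]] = {
    "!N": (0, "network unreachable"),
    "!H": (1, "host unreachable"),
    "!P": (2, "protocol unreachable"),
    "!F": (4, "fragmentation needed"),
    "!S": (5, "source route failed"),
    "!X": (13, "communication administratively prohibited"),
}

HEADER_RE = re.compile(r"^traceroute to (\S+) \((\d+(?:\.\d+){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"\((\d+(?:\.\d+){3})\)")
ANN_RE = re.compile(r"![A-Z]")

# Sample input: the two traces posted in the thread, copied verbatim ("(...)" included).
ICMP_TRACE = """\
traceroute to bardhome.de (79.244.37.18), 30 hops max, 60 byte packets
(...)
 5  asd-s8-rou-1041.NL.as286.net (134.222.94.216)  15.299 ms  15.307 ms  15.994 ms
 6  ae11-100-cr5-ams1.ipv4.gtt.net (194.122.122.98)  16.581 ms  16.595 ms ae16-100-cr6-ams1.ipv4.gtt.net (194.122.122.102)  17.366 ms
 7  ae27.cr1-fra2.ip4.gtt.net (89.149.181.254)  23.749 ms  15.669 ms  16.291 ms
 8  80.157.204.65 (80.157.204.65)  16.448 ms  17.277 ms  18.040 ms
 9  p5b17dea1.dip0.t-ipconnect.de (91.23.222.161)  23.880 ms  24.514 ms  24.939 ms
10  p4ff42512.dip0.t-ipconnect.de (79.244.37.18)  30.559 ms !X  31.685 ms !X  31.927 ms !X
"""

TCP_TRACE = """\
traceroute to bardhome.de (79.244.37.18), 30 hops max, 60 byte packets
(...)
 9  p5b17dea1.dip0.t-ipconnect.de (91.23.222.161)  23.859 ms  23.685 ms  24.274 ms
10  p4ff42512.dip0.t-ipconnect.de (79.244.37.18)  29.434 ms  30.605 ms  30.619 ms
11  p4ff42512.dip0.t-ipconnect.de (79.244.37.18)  3023.475 ms !H  3023.807 ms !H  3023.492 ms !H
"""


@dataclass
class Hop:
    ttl: int
    addrs: list[str] = field(default_factory=list)        # responders (can differ per probe)
    annotations: list[str] = field(default_factory=list)  # "!X", "!H", ... one per probe


def parse_traceroute(text: str) -> tuple[str | None, list[Hop]]:
    """Return (target IP from the header line, list of hops). Other lines are skipped."""
    target = None
    hops: list[Hop] = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            target = m.group(2)
        elif m := HOP_RE.match(line):
            rest = m.group(2)
            hops.append(Hop(int(m.group(1)), ADDR_RE.findall(rest), ANN_RE.findall(rest)))
    return target, hops


def diagnose(text: str) -> dict:
    """Find the last annotated hop and report the ICMP code, its sender and where it came from."""
    target, hops = parse_traceroute(text)
    for hop in reversed(hops):
        if not hop.annotations:
            continue
        code, meaning = ANNOTATIONS.get(hop.annotations[0], (None, "unknown annotation"))
        sender = hop.addrs[0] if hop.addrs else None
        from_target = sender is not None and sender == target
        where = ("generated at the target address itself (host firewall, or the NAT gateway "
                 "that owns that address)" if from_target
                 else f"generated upstream at {sender}: filtered before reaching the target")
        return {"ttl": hop.ttl, "sender": sender, "code": code, "meaning": meaning,
                "from_target": from_target, "where": where}
    return {"ttl": None, "sender": None, "code": None, "meaning": "no ICMP unreachable seen",
            "from_target": False, "where": "probes expired or completed without a rejection"}


if __name__ == "__main__":
    for name, trace in (("ICMP", ICMP_TRACE), ("TCP/80", TCP_TRACE)):
        d = diagnose(trace)
        print(f"{name}: hop {d['ttl']} from {d['sender']}: code {d['code']} ({d['meaning']}); {d['where']}")
```

Both traces resolve to the same sender, 79.244.37.18, which is the target address: code 13 for the ICMP probes and code 1 for the TCP/80 probes. An annotation from an earlier hop's address would instead point at a filter somewhere on the path.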
