Connection Refused when running certbot

I cannot get certbot to run through. Whenever I try to issue a new certificate, I get a "connection refused" error on all challenges.

My domain is: icechat.ch

I ran this command:
sudo certbot certonly --standalone -d icechat.ch -d www.icechat.ch -d irc.icechat.ch
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for icechat.ch and 2 more domains
Performing the following challenges:
http-01 challenge for icechat.ch
http-01 challenge for irc.icechat.ch
http-01 challenge for www.icechat.ch
Waiting for verification...
Challenge failed for domain icechat.ch
Challenge failed for domain irc.icechat.ch
Challenge failed for domain www.icechat.ch
http-01 challenge for icechat.ch
http-01 challenge for irc.icechat.ch
http-01 challenge for www.icechat.ch
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: icechat.ch
   Type:   connection
   Detail: Fetching
   http://icechat.ch/.well-known/acme-challenge/hT2oAFuuriJpRK-_HUfRW3ymvVHQa1Tz1FSDASDEL8w:
   Connection refused

   Domain: irc.icechat.ch
   Type:   connection
   Detail: Fetching
   http://irc.icechat.ch/.well-known/acme-challenge/4g1Xt4kuRDPnAFei_vdwV_tEeYR71tnt8_4rPHBoMVI:
   Connection refused

   Domain: www.icechat.ch
   Type:   connection
   Detail: Fetching
   http://www.icechat.ch/.well-known/acme-challenge/CN8UZ8eMMBy0cxdzqhu8SjdvjJvj0M_STvWG6KhcJmk:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): tomcat 9.0.41

The operating system my web server runs on is (include version): Debian 10

My hosting provider, if applicable, is: hetzner.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.11.0

The server is stopped, and the ports are open. ufw status output:

sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
22                         ALLOW       Anywhere                  
6667                       ALLOW       Anywhere                  
6697                       ALLOW       Anywhere                  
8843                       ALLOW       Anywhere                  
8000                       ALLOW       Anywhere                  
WWW                        ALLOW       Anywhere                  
8080                       ALLOW       Anywhere                  
8443                       ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
80,443/tcp                 ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
22 (v6)                    ALLOW       Anywhere (v6)             
6667 (v6)                  ALLOW       Anywhere (v6)             
6697 (v6)                  ALLOW       Anywhere (v6)             
8843 (v6)                  ALLOW       Anywhere (v6)             
8000 (v6)                  ALLOW       Anywhere (v6)             
WWW (v6)                   ALLOW       Anywhere (v6)             
8080 (v6)                  ALLOW       Anywhere (v6)             
8443 (v6)                  ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
80/tcp (v6)                ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
80,443/tcp (v6)            ALLOW       Anywhere (v6)     

The domain is pointing to the correct IP address, and another server with the same provider produced no issues.

What else can I check to get my certificate? :)

Thanks for any pointers.


iptables --list

sudo iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-forward (1 references)
target     prot opt source               destination         

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:22
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ircd
ACCEPT     udp  --  anywhere             anywhere             udp dpt:6667
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ircs-u
ACCEPT     udp  --  anywhere             anywhere             udp dpt:6697
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8843
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8843
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8000
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* 'dapp_WWW' */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     udp  --  anywhere             anywhere             udp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
ACCEPT     udp  --  anywhere             anywhere             udp dpt:8443
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere             udp dpt:80
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             multiport dports http,https

Chain ufw-user-output (1 references)
target     prot opt source               destination         

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere

Try running:
tcpdump port 80

And see if you actually get any http packets.
If not, your ISP may be blocking port 80.


Hi @fish-guts

--standalone is hard to debug: there is no running webserver.

But

http://icechat.ch/

doesn't answer; instead, there is a blocking answer (firewall, htaccess, fail2ban etc.).

So create and start a webserver, then you can use online tools to test your configuration. If online tools can't connect to your website, Let's Encrypt can't check your domain name via http validation.


Hi JuergenAuer

I switched off the webserver before running certbot.

If Tomcat is running, the site is available on all configured ports. tcpdump port 80 shows the following output:

sudo tcpdump port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
07:38:39.308326 IP ***.37028 > ***.http: Flags [S], seq 3342630620, win 64240, options [mss 1440,sackOK,TS val 2479407215 ecr 0,nop,wscale 7], length 0
07:38:39.308456 IP ***.http > ***.37028: Flags [R.], seq 0, ack 3342630621, win 0, length 0
07:38:39.628536 IP ***.37030 > ***r.de.http: Flags [S], seq 247779336, win 64240, options [mss 1440,sackOK,TS val 2479407536 ecr 0,nop,wscale 7], length 0

This is good news - your ISP is NOT blocking port 80 (that would have been an insurmountable problem).
But it is still strange why this fails...
Please show:
netstat -pant | grep -i listen
[while TOMCAT is running]

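The capture above already contains the answer, and the reply draws the right conclusion from it: a SYN ([S]) to port 80 answered by a RST ([R.]) means the packet reached the host and passed the firewall, but no socket was listening on :80, so the kernel refused it. That is exactly the "connection refused" the CA reported. Had the ISP or a DROP rule been filtering, the SYN would have gone unanswered instead. The script below is an added example, not part of the thread, that classifies each inbound connection attempt in a `tcpdump port 80` capture as open, refused or no-reply. The capture it parses is constructed in tcpdump's default text format using RFC 5737 documentation addresses, with 198.51.100.10 standing in for the server's own address; the server's own outbound connections (like the third line in the original capture) are ignored.

```python
"""Added example (not from the thread): turn a `tcpdump port 80` capture into a verdict.

  client SYN -> server SYN/ACK   open: something listens, the challenge can be fetched
  client SYN -> server RST       refused: host and firewall reached, no listener on the port
  client SYN -> (nothing)        no-reply: dropped upstream, or DNS points at another host
"""
import re

# Fields needed from a tcpdump line: src host.port > dst host.port, and the TCP flags.
LINE_RE = re.compile(
    r"^\S+ IP6? (?P<src>\S+)\.(?P<sport>[\w-]+) > (?P<dst>\S+)\.(?P<dport>[\w-]+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

VERDICTS = {
    "open": "listener answered SYN/ACK; the challenge can be fetched",
    "refused": "host reached but nothing listens on the port (kernel RST); start the listener",
    "no-reply": "SYN never answered; filtered upstream, or the DNS record points elsewhere",
}

# Constructed sample capture (RFC 5737 addresses). 198.51.100.10 is "our" server.
SAMPLE_CAPTURE = """\
07:38:39.308326 IP 203.0.113.5.37028 > 198.51.100.10.http: Flags [S], seq 3342630620, win 64240, options [mss 1440,sackOK,TS val 2479407215 ecr 0,nop,wscale 7], length 0
07:38:39.308456 IP 198.51.100.10.http > 203.0.113.5.37028: Flags [R.], seq 0, ack 3342630621, win 0, length 0
07:38:39.628536 IP 198.51.100.10.37030 > 192.0.2.77.http: Flags [S], seq 247779336, win 64240, options [mss 1440,sackOK,TS val 2479407536 ecr 0,nop,wscale 7], length 0
07:38:41.001200 IP 203.0.113.9.50112 > 198.51.100.10.http: Flags [S], seq 1, win 64240, options [mss 1460,sackOK], length 0
07:38:41.001350 IP 198.51.100.10.http > 203.0.113.9.50112: Flags [S.], seq 0, ack 2, win 65160, options [mss 1460,sackOK], length 0
07:38:42.500000 IP 203.0.113.12.40001 > 198.51.100.10.http: Flags [S], seq 9, win 64240, options [mss 1460,sackOK], length 0
"""


def classify(capture: str, local_host: str, service: str = "http") -> dict:
    """Map each inbound attempt ("client_ip:port") to "open", "refused" or "no-reply".

    Only SYNs addressed to local_host on `service` count as attempts; the server's own
    outbound connections (where it is the client) are ignored.
    """
    replies = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        if dst == local_host and dport == service and flags == "S":
            replies.setdefault(f"{src}:{sport}", [])                 # new inbound attempt
        elif src == local_host and sport == service:
            replies.setdefault(f"{dst}:{dport}", []).append(flags)   # the server's answer
    result = {}
    for client, flag_list in replies.items():
        if any(f.startswith("S") for f in flag_list):        # "S." = SYN/ACK
            result[client] = "open"
        elif any(f.startswith("R") for f in flag_list):      # "R" or "R." = RST
            result[client] = "refused"
        else:
            result[client] = "no-reply"
    return result


if __name__ == "__main__":
    for client, verdict in classify(SAMPLE_CAPTURE, local_host="198.51.100.10").items():
        print(f"{client:<22} {verdict:<9} {VERDICTS[verdict]}")
```

Run it against a real capture by pasting `tcpdump -n port 80` output into `SAMPLE_CAPTURE` (the `-n` keeps addresses numeric so the host.port split is unambiguous). A "refused" verdict on a freshly captured CA attempt points at the listener, not the firewall: check what actually binds :80 with `ss -ltnp` (or the `netstat -pant` requested in the next reply).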
netstat -pant | grep -i listen
tcp        0      0 0.0.0.0:6697            0.0.0.0:*               LISTEN      20343/unrealircd    
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      20343/unrealircd    
tcp        0      0 0.0.0.0:6900            0.0.0.0:*               LISTEN      20343/unrealircd    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      707/sshd            
tcp6       0      0 :::6697                 :::*                    LISTEN      20343/unrealircd    
tcp6       0      0 :::6667                 :::*                    LISTEN      20343/unrealircd    
tcp6       0      0 :::8080                 :::*                    LISTEN      31441/java          
tcp6       0      0 :::6900                 :::*                    LISTEN      20343/unrealircd    
tcp6       0      0 :::22                   :::*                    LISTEN      707/sshd

Now http://icechat.ch/ works, same with http://icechat.ch/.well-known/acme-challenge/1234.

If possible, use the correct webroot of that Tomcat, not --standalone.

Unfortunately, it's still not working:

sudo certbot certonly --webroot -d icechat.ch -d www.icechat.ch
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for icechat.ch and www.icechat.ch
Performing the following challenges:
http-01 challenge for icechat.ch
http-01 challenge for www.icechat.ch
Input the webroot for icechat.ch: (Enter 'c' to cancel): /opt/tomcat/webapps

Select the webroot for www.icechat.ch:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /opt/tomcat/webapps
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Challenge failed for domain icechat.ch
Challenge failed for domain www.icechat.ch
http-01 challenge for icechat.ch
http-01 challenge for www.icechat.ch
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: icechat.ch
   Type:   unauthorized
   Detail: Invalid response from
   http://icechat.ch/.well-known/acme-challenge/NUUj2A8_TReNpiIzR0GZUXL2T1u5eADq4A9Y6wRrwAE
   [88.99.190.217]: "<!doctype html><html
   lang=\"en\"><head><title>HTTP Status 404 – Not Found</title><style
   type=\"text/css\">body {font-family:Tahoma"

   Domain: www.icechat.ch
   Type:   unauthorized
   Detail: Invalid response from
   http://www.icechat.ch/.well-known/acme-challenge/gFAwbB0OwE_ng3AjGZbCjpUKPHIYq4z7fXzPR5t6YpU
   [88.99.190.217]: "<!doctype html><html
   lang=\"en\"><head><title>HTTP Status 404 – Not Found</title><style
   type=\"text/css\">body {font-family:Tahoma"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Then you use the wrong webroot. Change that.


Thanks, that did the trick (I wasn't aware that the ROOT directory needs to be specified as well).

Now I successfully created a certificate. I appreciate the help :)

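The 404 in the webroot attempt and the fix that followed come down to one detail: Tomcat serves the URL path "/" from `webapps/ROOT/`, not from `webapps/`, while certbot's webroot plugin writes its response file to `<webroot>/.well-known/acme-challenge/<token>`. With `-w /opt/tomcat/webapps` the file lands one directory above what is actually served at "/", so the CA's request is answered by Tomcat's 404 page. The script below is an added example, not part of the thread and not Tomcat's or certbot's own code; it reproduces both attempts offline against a throwaway Python HTTP server that stands in for Tomcat by serving a constructed `webapps/ROOT/` directory. The token and key authorization it writes are constructed stand-ins for what certbot generates.

```python
"""Added example (not from the thread): replay the wrong and the right --webroot offline.

A stand-in HTTP server serves a constructed webapps/ROOT/ directory at "/", as Tomcat
does. The challenge file is placed under either webapps/ or webapps/ROOT/ and then
fetched the way the CA fetches it.
"""
import functools
import http.server
import os
import pathlib
import secrets
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path fixed by the ACME http-01 spec (RFC 8555)


def place_challenge(webroot: str, token: str, key_authz: str) -> pathlib.Path:
    """Write the http-01 response file where certbot's webroot plugin puts it."""
    target = pathlib.Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(key_authz)
    return target


def fetch_challenge(base_url: str, token: str) -> tuple:
    """GET the challenge URL as the CA would (plain HTTP); return (status, body)."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode(errors="replace")


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *_):  # silence per-request log lines
        pass


def serve(document_root: str):
    """Serve document_root on 127.0.0.1 at an ephemeral port; return (server, base_url)."""
    handler = functools.partial(_QuietHandler, directory=document_root)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def simulate(webroot_is_root: bool) -> int:
    """Replay one `certbot --webroot` attempt against a Tomcat-style layout.

    webroot_is_root=False hands certbot webapps/ (the thread's first attempt);
    True hands it webapps/ROOT/. Returns the HTTP status the CA would see.
    """
    with tempfile.TemporaryDirectory() as tmp:
        webapps = os.path.join(tmp, "webapps")      # stands in for /opt/tomcat/webapps
        root_ctx = os.path.join(webapps, "ROOT")     # what Tomcat actually serves at "/"
        os.makedirs(root_ctx)
        srv, base_url = serve(root_ctx)
        try:
            token = secrets.token_urlsafe(32)        # certbot's tokens are random like this
            # Constructed key authorization; a real one is "<token>.<account key thumbprint>".
            key_authz = f"{token}.constructed-thumbprint"
            place_challenge(root_ctx if webroot_is_root else webapps, token, key_authz)
            status, body = fetch_challenge(base_url, token)
            if status == 200 and body != key_authz:
                raise RuntimeError("served something other than the key authorization")
            return status
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print("webroot = webapps       ->", simulate(webroot_is_root=False))  # 404, as in the thread
    print("webroot = webapps/ROOT  ->", simulate(webroot_is_root=True))   # 200
```

The same check works against the real server before involving the CA: drop a file under `<webroot>/.well-known/acme-challenge/` and fetch `http://<domain>/.well-known/acme-challenge/<file>` from outside. If that returns the file's contents, the webroot is the directory the server maps to "/"; anything else (a 404 page, a redirect to another host) is what the CA will see too.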

I'm glad to hear that you were able to get the cert :)
It seems that port 80 connects to TOMCAT on port 8080.
I don't know where that translation is happening, but it must be; as the netstat did not show port 80 listening locally and TOMCAT is answering it from the Internet.