Connection refused with certbot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ixpm.kosix.net

I ran this command: sudo certbot --apache

It produced this output:

My web server is (include version):
Apache/2.4.41

The operating system my web server runs on is (include version):

  • Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

3 Likes

Your site isn't accessible through port 80, which is required for the http-01 challenge. Please open port 80 in any firewall and/or (NAT) router.

5 Likes

From the "Connection Refused" message that is displayed below the URL you've partially redacted, it looks like your Apache server is not listening on port 80, and is using a different port?

If so, you need to open port 80 on your firewall (and forward ports if applicable with your router / network configuration), and modify the Apache site configuration to listen on port 80.

Once you're issued a certificate, you can switch back to your standard port. The same issue of "Connection Refused" will appear when you attempt to renew the certificate, though. You'll need to repeat the port alterations each time the certificate needs to be renewed.

Now, there is the DNS-01 validation method that requires you to add a TXT DNS record to your domain name. Instead of using a file challenge validation on your server, a DNS query will be made to compare the token in the TXT DNS record on your domain with what Certbot provided. This is only supported on a select number of domain name providers.
More information: https://certbot.eff.org/docs/using.html?highlight=dns#dns-plugins.

3 Likes
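A preflight check for the situation the two replies above describe, added here as an example that is not part of the thread: it reads an `ss -ltn` style socket listing to show which address Apache is bound to on a given port (so a loopback-only bind or a non-standard Listen port stands out), and probes the ACME challenge path over plain HTTP to tell "connection refused" (nothing answers on port 80, or no port forward) apart from a firewall timeout. The sample socket listing is constructed, and the token name in the probe URL is arbitrary.

```shell
#!/bin/sh
# Added example, not from the thread: HTTP-01 preflight checks.
# The sample "ss -ltn" listing below is constructed for illustration.

# Print the local addresses that have a LISTEN socket on TCP port $2, taken
# from an "ss -ltn" listing passed as $1. Returns 1 if nothing listens there.
# A result of only 127.0.0.1 or ::1 means the server is bound to loopback and
# the ACME validator still cannot reach it.
port_binds() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == p) {
                found = 1
                addr = $4
                sub(":" p "$", "", addr)
                print addr
            }
        }
        END { exit found ? 0 : 1 }'
}

# Fetch a (nonexistent) token from the challenge path over plain HTTP and
# classify the result by curl's exit status. The ACME server makes the same
# request from the outside, so run this from a host outside your network.
acme_http_probe() {
    url="http://$1/.well-known/acme-challenge/preflight-check"  # arbitrary token name
    if code=$(curl -sS -o /dev/null -m 10 -w '%{http_code}' "$url" 2>/dev/null); then
        echo "port 80 reachable: HTTP $code (404 is expected; certbot places the real token)"
        return 0
    else
        rc=$?
        case "$rc" in
            7)  echo "connection refused: nothing answers on port 80 for $1 (wrong Listen port or no port forward)" ;;
            28) echo "timeout: port 80 is probably dropped by a firewall or NAT router" ;;
            *)  echo "curl failed with exit status $rc" ;;
        esac
        return "$rc"
    fi
}

# Constructed sample: Apache on 8080/8443 only, the stub resolver on 53.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      511    [::]:8443           [::]:*
LISTEN 0      128    127.0.0.53:53       0.0.0.0:*'

# Stand-alone use: "./preflight.sh example.com" checks the live host;
# without an argument the constructed sample is evaluated instead.
if [ "$#" -ge 1 ]; then
    port_binds "$(ss -ltn)" 80 || echo "no LISTEN socket on port 80 (check the Listen directive in ports.conf)"
    acme_http_probe "$1"
else
    port_binds "$SAMPLE_SS" 80 || echo "sample: nothing listens on port 80; the web server is on 8080"
fi
```

The socket check only proves something local listens; the HTTP probe is what actually matches the validator's view, which is why it belongs on a machine outside the NAT.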

The standard recommendation from Let's Encrypt is that (if you're using HTTP-01 challenges) you should keep port 80 open all the time.

6 Likes

@ooobii

Welcome to the Let's Encrypt Community, Matthew :slightly_smiling_face:

A reasonable thought, but the last line is not technically true. Automated DNS changes of TXT records are only supported by certain providers. You can always use --manual --preferred-challenges dns then manually change the TXT record(s). You can instead use scripts with --manual-auth-hook and --manual-cleanup-hook to effectively build your own DNS plugin if your DNS provider provides a DNS update API that certbot currently doesn't support natively.

5 Likes
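The `--manual-auth-hook` / `--manual-cleanup-hook` approach mentioned above, written out as an added example that is not from the thread or from certbot itself. Certbot really does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hooks; the `publish_txt` and `remove_txt` functions are hypothetical stand-ins for your DNS provider's update API and here just keep a local record file, so the script can be run and inspected offline. The wildcard handling in `acme_txt_name` is defensive and an assumption about what the hook may receive.

```shell
#!/bin/sh
# Added example, not from the thread: one script that serves as both the
# certbot --manual auth hook and cleanup hook for the DNS-01 challenge.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hooks.
# publish_txt/remove_txt are hypothetical provider calls backed by a file.

# Name of the TXT record the ACME server queries for a domain. A leading
# "*." (wildcard request) is dropped defensively, because the challenge
# record always lives at _acme-challenge.<base-domain>.
acme_txt_name() {
    case "$1" in
        \*.*) base="${1#*.}" ;;
        *)    base="$1" ;;
    esac
    printf '_acme-challenge.%s\n' "$base"
}

# Hypothetical provider API, replaced by a local file so it runs offline.
RECORD_DB="${ACME_HOOK_DB:-/tmp/acme-txt-records.txt}"
publish_txt() {   # $1 = record name, $2 = TXT value
    printf '%s TXT "%s"\n' "$1" "$2" >> "$RECORD_DB"
}
remove_txt() {    # $1 = record name, $2 = TXT value
    grep -v -F "$1 TXT \"$2\"" "$RECORD_DB" > "$RECORD_DB.tmp" 2>/dev/null || true
    mv "$RECORD_DB.tmp" "$RECORD_DB"
}

# Wait until a public resolver sees the record; the ACME server will not
# retry for you if the provider is slow to propagate. Polls every 10s.
wait_for_txt() {  # $1 = record name, $2 = expected value, $3 = max attempts
    i=0
    while [ "$i" -lt "${3:-30}" ]; do
        if dig +short TXT "$1" @1.1.1.1 2>/dev/null | grep -q -F "\"$2\""; then
            return 0
        fi
        i=$((i + 1))
        sleep 10
    done
    echo "TXT record $1 not visible after $((i * 10))s" >&2
    return 1
}

auth_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    wait_for_txt "$name" "$CERTBOT_VALIDATION"
}

cleanup_hook() {
    name=$(acme_txt_name "$CERTBOT_DOMAIN")
    remove_txt "$name" "$CERTBOT_VALIDATION"
}

# Dispatch on the script's first argument so one file serves both hooks:
#   certbot certonly --manual --preferred-challenges dns \
#       --manual-auth-hook "/path/to/acme-hook.sh auth" \
#       --manual-cleanup-hook "/path/to/acme-hook.sh cleanup" \
#       -d ixpm.kosix.net
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Cleanup matters for more than tidiness: certbot issues one challenge per name, so stale `_acme-challenge` values left behind from earlier runs make later validations ambiguous and harder to debug.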

And

If your ISP allows port 53 (TCP & UDP), you could permanently delegate the DNS challenges to your own IP (even to DDNS IPs - via CNAME).
Which means when your DSP (DNS Service Provider) doesn't support API updates, you could do them yourself - (without having to be a DNS expert) with something like: ACME-DNS

READERS: Get involved and participate: If you read something you like, then click to like it :heart:

4 Likes
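The CNAME delegation described above, with the checks a practitioner would run before relying on it, as an added example that is not part of the post or of the ACME-DNS project: `cname_points_into` verifies that the `_acme-challenge` name is a CNAME into the delegated zone, and `check_delegation` confirms the delegated server answers on port 53 over both UDP and TCP, since resolvers fall back to TCP. `acme-dns.example.net` is a placeholder for your own acme-dns host.

```shell
#!/bin/sh
# Added example, not from the thread: checks for a CNAME-delegated DNS-01
# setup. "acme-dns.example.net" below is a placeholder zone name.

# Return 0 if $1 (the answer to "dig +short CNAME _acme-challenge.<domain>")
# is a name inside the delegated zone $2. Trailing dots are ignored on both.
cname_points_into() {
    answer="${1%.}"
    zone="${2%.}"
    [ -n "$answer" ] || return 1
    case "$answer" in
        *."$zone") return 0 ;;
        *)         return 1 ;;
    esac
}

# Live check: the delegation must exist and the acme-dns host must answer
# TXT queries over both UDP and TCP on port 53.
check_delegation() {  # $1 = your domain, $2 = delegated zone, $3 = acme-dns IP
    cname=$(dig +short CNAME "_acme-challenge.$1")
    if ! cname_points_into "$cname" "$2"; then
        echo "_acme-challenge.$1 is not delegated into $2 (got: '${cname:-no answer}')" >&2
        return 1
    fi
    for proto in "" "+tcp"; do
        # $proto is intentionally unquoted so an empty value adds no argument.
        if ! dig +time=3 +tries=1 $proto TXT "$cname" "@$3" >/dev/null 2>&1; then
            echo "no ${proto:-udp} answer from $3 on port 53 for $cname" >&2
            return 1
        fi
    done
    echo "delegation OK: $cname is served by $3 over UDP and TCP"
}

# Stand-alone use: ./check-delegation.sh ixpm.kosix.net acme-dns.example.net 203.0.113.10
if [ "$#" -eq 3 ]; then
    check_delegation "$1" "$2" "$3"
fi
```

If the UDP query succeeds but the TCP one fails, the ISP or router is blocking TCP/53, which is exactly the case the post above warns about; the delegation will work only intermittently.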

Thank you, Griffin! Glad to become a part of it :smile: thanks for the DNS tip!

Good find, @petercooperjr: LetsEncrypt standards state that port 80 must be accessible at all times for HTTP-01 challenges.

4 Likes

Dear All,

The problem is resolved.
We had to open port 80 on our router to regenerate the certificate.

Thank you all for your support.

4 Likes

Thank you, this resolved the problem!

4 Likes

:partying_face:

Glad you got it working (and that the final solution turned out to be straightforward and relatively painless)!

3 Likes