Creating certificate refused

I’m having a curious problem. I set up a Raspberry Pi with Nextcloud and a Let’s Encrypt certificate. For that I created a DynDNS domain at goip.de, and everything worked fine.

Then I installed a second Nextcloud/Let’s Encrypt behind a different router on a QNAP server with a different DynDNS, also from goip.de. This also worked fine. After that I wanted to move Nextcloud to another Raspberry Pi. So I uninstalled it on the QNAP and set up the Raspberry Pi in the same way as Raspi No. 1. In this case, however, I cannot create a Let’s Encrypt certificate, even if I try to install it on the same HW and system config as Raspi No. 1. I checked and rechecked the DynDNS settings and port forwardings.

I don’t know where to look next. Is there any help?

This is my command on the Raspberry Pi and the error report:

/var/www $ sudo certbot certonly --webroot -w /var/www/html/ -d xxxxxxx.goip.de -m e.-m.xxxxxxx@web.de --agree-tos

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxxxxx.goip.de
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. xxxxxxx.goip.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxxxxxx.goip.de/.well-known/acme-challenge/iyrvSu88b-IhxcFFQ997ddm6WQW63TGrvzoDCGYLykk: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: xxxxxxx.goip.de
    Type: connection
    Detail: Fetching
    http://xxxxxxx.goip.de/.well-known/acme-challenge/iyrvSu88b-IhxcFFQ997ddm6WQW63TGrvzoDCGYLykk:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Hi @quasimodoz

please share your domain name.

PS: You need an open and working port 80. Refused -> something is wrong.


Most likely your router is blocking these inbound connections - perhaps the port forwarding isn’t working as intended? Do you have an external server from which you can try to connect to your host? That’s the only way to be really sure the port forwarding is correct.

@jsha Hi. Thanks for your reply.

It’s strange because:

  1. this configuration with exactly the same HW and port forwardings
    — using the DynDNS yyy.goip.de is o.k.,
    — but not with DynDNS xxx.goip.de.
    (In addition I set up a different DynDNS zzz.goip.de and used the same router/HW configuration. This also failed to set up Let’s Encrypt.)

  2. using a different router also fails with the DynDNS xxx.goip.de, BUT a setup on this configuration with a QNAP server, Nextcloud and Let’s Encrypt using DynDNS xxx.goip is working.

And yes, I can ping xxx.goip.de in the net and yes, I checked port forwarding 443 and 80 for the relevant device.

So I’m completely lost.

It’s tough for us to help diagnose your problems without knowing the exact hostnames. If you share the exact hostnames, other folks on the forum can try various diagnostic tools to make sure your domain is set up right.

@jsha
Hi,
in the meantime I tried a lot of verifications and all failed, even when using exactly the same parts as before. So I set up a brand-new DynDNS account and checked again, also with no success. Below is my command:
sudo certbot certonly --webroot -w /var/www/html/ -d ejk.goip.de -m xxx@gmx.de --agree-tos
You can see the hostname there.

Funny enough, the command
curl -v http://ejk.goip.de/.well-known/acme-challenge/ngUWYrWoFEES97O0CGskiusoSVlHg40aLUe6_M-RzHU

produces the error message:
*
*
* Expire in 14 ms for 1 (transfer 0xbc6b0)
* Trying 84.57.240.177… [This is my current IPV4 address]
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xbc6b0)
* connect to 84.57.240.177 port 80 failed: Verbindungsaufbau abgelehnt [english: connection refused]
* Failed to connect to ejk.goip.de port 80: Verbindungsaufbau abgelehnt
* Closing connection 0
curl: (7) Failed to connect to ejk.goip.de port 80: Verbindungsaufbau abgelehnt

This is not the case in my working configuration on the same HW, ports etc.

If you are going to test something on this DynDNS, there might be the problem that the server is not always online, and furthermore the IP address changes daily between 5:00 and 6:00 a.m. GMT. However, I will try to keep it online permanently.
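The curl test above is the right idea: it asks the same question the Let’s Encrypt validation server asks, over plain HTTP on port 80, and "connection refused" from the outside means nothing accepted the TCP connection at all (as opposed to a 404, which would mean a web server is up but not serving the webroot). The script below is an added example, not code from the thread or from certbot: it automates that check by writing a random token into <webroot>/.well-known/acme-challenge/, fetching it through the public hostname the way the ACME server would, and classifying the failure. The hostname, webroot and port arguments are assumptions for illustration; run it from a machine outside your own network, or the router may answer differently than it does for the Internet.

```python
#!/usr/bin/env python3
"""Pre-flight check for Let's Encrypt http-01 (webroot) validation.

Added example, not part of the forum thread or of certbot. It writes a
random token into <webroot>/.well-known/acme-challenge/, fetches it over
plain HTTP on port 80 as the ACME server would, and reports why the fetch
failed: connection refused (nothing listening / forward to a closed port),
timeout (silently dropped by a firewall), HTTP 404 (wrong webroot or nginx
location), wrong body (some other device answers on that name), or ok.
"""
import os
import secrets
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def resolve(host):
    """Return the addresses a name resolves to, or [] if DNS fails."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def write_token(webroot):
    """Create a random challenge file under webroot; return (token, path)."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w") as fh:
        fh.write(token)
    return token, path


def fetch_challenge(host, token, port=80, timeout=5):
    """Fetch the challenge URL and return (status, detail).

    status is one of "ok", "connection_refused", "timeout", "unreachable",
    "http_error", "content_mismatch".
    """
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    # Bypass any http_proxy environment so we test the real network path.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:  # a web server answered, but not with the file
        return "http_error", (f"HTTP {err.code} for {url}: the listener is up but "
                              "does not serve the webroot at this path")
    except urllib.error.URLError as err:  # no usable TCP connection at all
        reason = err.reason
        if isinstance(reason, ConnectionRefusedError):
            return "connection_refused", (f"{host}:{port} actively refused: nothing is "
                                          "listening (nginx down?) or the forward points "
                                          "at a closed port")
        if isinstance(reason, socket.timeout):
            return "timeout", f"{host}:{port} silently dropped: firewall or missing port forward"
        return "unreachable", str(reason)
    except socket.timeout:  # connected, but the server never answered
        return "timeout", f"{host}:{port} accepted the connection but never answered"
    if body.strip() != token:
        return "content_mismatch", ("HTTP 200 but a different body: another device "
                                    "(router admin page?) answers on this name")
    return "ok", f"{url} served the expected token"


def check_http01(host, webroot, port=80):
    """Write a token into webroot, fetch it via host, clean up; return (status, detail)."""
    token, path = write_token(webroot)
    try:
        return fetch_challenge(host, token, port=port)
    finally:
        os.remove(path)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} HOSTNAME WEBROOT [PORT]")
    host, webroot = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    print(f"{host} resolves to {resolve(host) or 'nothing (DNS problem)'}")
    status, detail = check_http01(host, webroot, port)
    print(f"{status}: {detail}")
    sys.exit(0 if status == "ok" else 1)
```

Run as `sudo python3 acme_selfcheck.py ejk.goip.de /var/www/html` on the Pi to confirm the file lands where nginx serves from; then run it again from a host outside the LAN (or with the webroot test skipped, `fetch_challenge` alone with any token, expecting a 404 rather than a refused connection) to confirm the port forward. The "content_mismatch" case is the one that bites DynDNS setups: a 200 from the router's own web interface looks fine to a port scanner but fails validation.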

Hi @quasimodoz

that ( https://check-your-website.server-daten.de/?q=ejk.goip.de )

Domainname                                                                                    Http-Status  redirect  Sec.   G
http://ejk.goip.de/                                                           84.57.240.177   -2                     1.110  V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 84.57.240.177:80
https://ejk.goip.de/                                                          84.57.240.177   -2                     1.140  V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 84.57.240.177:443
http://ejk.goip.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
                                                                              84.57.240.177   -2                     1.220  V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 84.57.240.177:80

looks like a blocking firewall.

A working port 80 is required to create a certificate via http-01 validation.

Hi JuergenAuer

That's exactly my strange problem. If I use exactly the same HW etc., but an image of an earlier configuration on the Raspi SD card, a port scan will find ports 80 and 443 open, but not on any later build. BTW, I'm preparing the Raspi from this tutorial: https://canox.net/2016/06/die-eigene-cloud-mit-dem-raspberry-pi-und-nextcloud/. If I use my old DynDNS it works fine (including the open ports); if I use any other xxx.goip DynDNS, work stops at the command
sudo certbot certonly --webroot -w /var/www/html/ -d ejk.goip.de -m xxx@gmx.de --agree-tos

I really don't know what to do next.

Then you have to find that configuration and change it.

Use the online tool to test if port 80 works.

Or use dns-01 validation with the --manual option, that should always work.

Hi,
sorry, I really don't understand your advice (I'm not a real Linux guru).
What I did was take the original image and change the DynDNS names in the file
/etc/nginx/sites-enabled/default
and in the command line for starting letsencrypt, but this didn't work either.


What does the DynDNS have to do with your local configuration?

You have DNS entries

Host              T   IP-Address        is auth.   ∑ Queries   ∑ Timeout
ejk.goip.de                             yes        2           2
www.ejk.goip.de                         yes        2           2
ejk.goip.de       A   84.57.240.177     no
                      Munich/Bayern/DE

Looks like they don't really work; your authoritative name servers are missing.

Is this - 84.57.240.177 - your current ip address?

Hi JuergenAuer,
concerning the IP addresses, something may be confused right now, because I’m working on the server …

However, I found one interesting point: during the installation process I checked the processes on the Raspi. From a certain point on, the nginx process was listed and port 80 was open. Then I had to change the file
/etc/nginx/sites-enabled/default
with my DynDNS names. And from this point on nginx had stopped and port 80 was closed. I think I have to work from this point on. (But I don’t understand that this set-up procedure worked before and not anymore. This I have to find out first.)

So far, thank you for your help! Have a nice weekend.


Then the default configuration is buggy. So nginx doesn't start.

What does

nginx -T

say?

@JuergenAuer
Thanks again for your assistance.

After all, I found out that it is NOT A PROBLEM of LETSENCRYPT, and therefore I will close this topic.

There have been changes in the nginx configuration files compared to the sample configuration, which have to be modified.

Thanks again to all contributors.
