ECONNREFUSED errors


#1

My domain is: skyjs.net, www.skyjs.net

I ran this command:

node server.js

It produced this output:

Fetching certificate for 'skyjs.net' to use as default for HTTPS server...
[acme-v2] handled(?) rejection as errback:
Error: connect ECONNREFUSED 165.227.37.46:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
Error loading/registering certificate for 'skyjs.net':
{ Error: connect ECONNREFUSED 165.227.37.46:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
  errno: 'ECONNREFUSED',
  code: 'ECONNREFUSED',
  syscall: 'connect',
  address: '165.227.37.46',
  port: 80 }

(node:19962) UnhandledPromiseRejectionWarning: Error: connect ECONNREFUSED 165.227.37.46:80
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1097:14)
(node:19962) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:19962) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

My web server is (include version):

node script

The operating system my web server runs on is (include version):

centos

My hosting provider, if applicable, is:

easydns

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

greenlock-express

My script

'use strict';

require('greenlock-express').create({
  version:'draft-11',
 server:'https://acme-staging-v02.api.letsencrypt.org/directory',
 // server:'https://acme-v02.api.letsencrypt.org/directory',
  email: 'info@mail.jacob-bogers.com'     // The email address of the ACME user / hosting provider
, agreeTos: true                    // You must accept the ToS as the host which handles the certs
, approvedDomains: ['skyjs.net','www.skyjs.net']
, configDir: '~/.config/acme/'      // Writable directory where certs will be saved
, communityMember: true             // Join the community to get notified of important updates
, telemetry: true                  // Contribute telemetry data to the project

  // Using your express app:
  // simply export it as-is, then include it here
, app: function (req, res) {
  res.setHeader('Content-Type', 'text/html; charset=utf-8')
  res.end('Hello, World!\n\n💚 🔒.js');
}

//, debug: true
}).listen(8080, 8081);

#2

Does that part mean the client will listen on port 8080 and 8081 for the challenge? Because Let’s Encrypt can only use port 80 for the http-01 challenge and port 443 for the tls-alpn-01 challenge.


#3

Hi @jacobbogers

your domain is invisible ( https://check-your-website.server-daten.de/?q=skyjs.net ):

| Domainname | IP | Http-Status | redirect | Sec. | G | Result |
|---|---|---|---|---|---|---|
| http://skyjs.net/ | 165.227.37.46 | -2 | | 1.337 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 165.227.37.46:80 |
| http://www.skyjs.net/ | 165.227.37.46 | -2 | | 1.330 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 165.227.37.46:80 |
| https://skyjs.net/ | 165.227.37.46 | -2 | | 1.330 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 165.227.37.46:443 |
| https://www.skyjs.net/ | 165.227.37.46 | -2 | | 1.336 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 165.227.37.46:443 |
| http://skyjs.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 165.227.37.46 | -2 | | 1.324 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 165.227.37.46:80 |
| http://www.skyjs.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 165.227.37.46 | -2 | | 1.327 | V | ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it 165.227.37.46:80 |

Is there a firewall or something else that blocks?

PS: Checked port 8080 - same picture. But you can’t use port 8080.


#4

Port 80 is mapped to 8080 and port 443 is mapped to 8081, because if you are not a Linux root user you cannot bind to ports lower than 1024. OK, I will replace it with a simple HTTP server and check that at least my firewall etc. is allowing ports 80 and 443 to connect (including a working mapping).


#5

That’s one reason that certificate authorities are required to check on the low port numbers—only the system administrator (who can bind to these low ports) is allowed to obtain certificates for a system! (That, in turn, is because there are many shared hosting environments in which multiple customers point their domain names at a single server. One customer shouldn’t be able to request a certificate for a different customer’s domain in this scenario.)


#6

Mmm, I will remove the mapping and test, as root, against these ports.


#7

Yes, removing the mapping could help… It worked for me also. Try it… It should work.


#8

Lauren77, thank you, I removed the mapping (listen on 80 and 443) and everything works))

Thanks to everybody in this thread for contributing their 2cts.