Error Type: connection Detail: Fetching

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: openbooksocial.com

I ran this command:certbot --dry-run certonly

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Nginx Web Server plugin (nginx)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)


Select the appropriate number [1-3] then [enter] (press ‘c’ to cancel): 1
Plugins selected: Authenticator nginx, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel): openbooksocial.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for openbooksocial.com
Waiting for verification…
Challenge failed for domain openbooksocial.com
http-01 challenge for openbooksocial.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: openbooksocial.com
    Type: connection
    Detail: Fetching
    http://openbooksocial.com/.well-known/acme-challenge/eI2sMNZH0hZ-XJwpw625SzdbauGMG5cex5uvVO2hWaI:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): nginx version: nginx/1.17.10 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

Additionally, I can confirm that the firewall is inactive:
root@localhost:~# ufw status
Status: inactive
root@localhost:~# certbot --dry-run certonly

Any Pointers would be helpful. Thanks

If it helps : I am trying to install Mastodon https://docs.joinmastodon.org/admin/install/

Server IP 172.104.239.204

Port 80 is not responding at that IP.

The HTTP site must work before the HTTPS site can work.

I think you transcribed the IP address incorrectly:

$ dig +noall +answer openbooksocial.com
openbooksocial.com.     351     IN      A       172.109.239.204

172.104 is correct, 172.109 isn’t.

1 Like

Hi @vivmajor

your webserver doesn’t answer - see https://check-your-website.server-daten.de/?q=openbooksocial.com#url-checks

Domainname Http-Status redirect Sec. G
http://openbooksocial.com/ 172.109.239.204 -14 10.013 T
Timeout - The operation has timed out
https://openbooksocial.com/ 172.109.239.204 -14 10.020 T
Timeout - The operation has timed out
http://openbooksocial.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 172.109.239.204 -14 10.026 T
Timeout - The operation has timed out
Visible Content:
https://172.109.239.204/ 172.109.239.204 -14 10.023 T
Timeout - The operation has timed out

If an online tool can’t connect your webserver, Letsencrypt can’t connect your webserver.

172.109.239.204
Brooklyn/New York/United States (US) - Frontier Communications Corporation
No Hostname found

Is that a home server? Allows your ISP port 80?

Works http internal?

curl http://openbooksocial.com/

from that machine?

1 Like

Hi,
The IP I have given is correct 172.104.239.204. And if you just look for 172.104.239.204 in the broswer, it gives the Nginx default page.
Looks like there is some mixup somewhere.

Running command :
root@localhost:~# curl http://openbooksocial.com

301 Moved Permanently

301 Moved Permanently


nginx/1.17.10 (Ubuntu)

Check your DNS records in Softlayer. You will see that you have 172.109 in your DNS A record (some random FCC IP) rather than 172.104 (your Linode).

Your local curl test notwithstanding (which is probably affected by /etc/hosts on that machine), your A record is incorrect.

1 Like

Hi,
Ok there was some goofup in IP. Now the IP is 172.104.239.204
I did get the certificate.
But now I have problem starting my nginx.

Blockquote
● nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2020-06-26 05:15:57 UTC; 1min 4s ago
Docs: man:nginx(8)
Process: 16051 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
Jun 26 05:15:57 localhost systemd[1]: Starting A high performance web server and a reverse proxy server…
Jun 26 05:15:57 localhost nginx[16051]: nginx: [emerg] cannot load certificate “/etc/letsencrypt/live/example.com/fullchain.pem”: BIO_new_file() failed (SSL: error>
Jun 26 05:15:57 localhost nginx[16051]: nginx: configuration file /etc/nginx/nginx.conf test failed
Jun 26 05:15:57 localhost systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Jun 26 05:15:57 localhost systemd[1]: nginx.service: Failed with result ‘exit-code’.
Jun 26 05:15:57 localhost systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Blockquote

certbot response:

Blockquote root@localhost# certbot --nginx -d openbooksocial.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for openbooksocial.com
Waiting for verification…
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/mastodon
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.
Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/mastodon
Congratulations! You have successfully enabled https://openbooksocial.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=openbooksocial.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/openbooksocial.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/openbooksocial.com/privkey.pem
    Your cert will expire on 2020-09-24. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Does that REALLY say “example.com” ?
If so, there is your problem.
There is no such cert nor path.
If not, and you just changed it before posting… You missed the real domain in a while lot of other places.
[So I don’t really think this was an intentional “coverup” fail]

1 Like

hi @rg305 No, there is no cover up. Its actually example.com in the output.

In my files I have :

dir /etc/letsencrypt/live/openbooksocial.com/

cert.pem chain.pem fullchain.pem privkey.pem README

Sorry, my bad. Had missed updating site name for letsencrypt setting.

So did you get it working?

My Nginx server is working http://172.104.239.204/
But the server block at https://openbooksocial.com/ with mastodon install, is not redirecting properly.
Any clue would be great. Thanks!

The redirection seems to be looping:

curl -Iki http://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:17 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

curl -Iki https://openbooksocial.com/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.17.10 (Ubuntu)
Date: Fri, 26 Jun 2020 07:30:20 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
Location: https://openbooksocial.com/

HTTP > HTTPS [this is good]
HTTPS > ITSELF [this is bad - endless loop]

Can we see the vhost configs for HTTP and HTTPS?

Thanks.
Can we see the vhost configs for HTTP and HTTPS?

Do you know your way around NGINX?
If not, show the output of:
grep -Eri 'server_name|SSL|listen' /etc/nginx/

Are you using anything like WordPress?

Not Wordpress. Its Mastodon.

root@localhost:/var/www/html# grep -Eri ‘server_name|SSL|listen’ /etc/nginx/
/etc/nginx/fastcgi.conf:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/uwsgi_params:uwsgi_param SERVER_NAME $server_name;
/etc/nginx/nginx.conf: # server_names_hash_bucket_size 64;
/etc/nginx/nginx.conf: # server_name_in_redirect off;
/etc/nginx/nginx.conf: # SSL Settings
/etc/nginx/nginx.conf: ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
/etc/nginx/nginx.conf: ssl_prefer_server_ciphers on;
/etc/nginx/nginx.conf:# listen localhost:110;
/etc/nginx/nginx.conf:# listen localhost:143;
/etc/nginx/fastcgi_params:fastcgi_param SERVER_NAME $server_name;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon: listen [::]:443 ssl ipv6only=on; # managed by Certbot
/etc/nginx/sites-available/mastodon: listen 443 ssl; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon: include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
/etc/nginx/sites-available/mastodon: ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
/etc/nginx/sites-available/mastodon:#listen 443;
/etc/nginx/sites-available/mastodon:# listen 443 ssl http2;
/etc/nginx/sites-available/mastodon: # listen [::]:443 ssl http2;
/etc/nginx/sites-available/mastodon:# server_name openbooksocial.com;
/etc/nginx/sites-available/mastodon:# ssl_protocols TLSv1.2 TLSv1.3;
/etc/nginx/sites-available/mastodon: # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
/etc/nginx/sites-available/mastodon: # ssl_prefer_server_ciphers on;
/etc/nginx/sites-available/mastodon: #ssl_session_cache shared:SSL:10m;
/etc/nginx/sites-available/mastodon:# ssl_certificate /etc/letsencrypt/live/openbooksocial.com/fullchain.pem;
/etc/nginx/sites-available/mastodon: # ssl_certificate_key /etc/letsencrypt/live/openbooksocial.com/privkey.pem;
/etc/nginx/sites-available/mastodon: listen 80;
/etc/nginx/sites-available/mastodon: listen [::]:80;
/etc/nginx/sites-available/mastodon: server_name openbooksocial.com;
/etc/nginx/sites-available/default: listen 80 default_server;
/etc/nginx/sites-available/default: listen [::]:80 default_server;
/etc/nginx/sites-available/default: # server_name openbooksocial.com;
/etc/nginx/sites-available/default: # SSL configuration
/etc/nginx/sites-available/default: # listen 443 ssl default_server;
/etc/nginx/sites-available/default: # listen [::]:443 ssl default_server;
/etc/nginx/sites-available/default: # Note: You should disable gzip for SSL traffic.
/etc/nginx/sites-available/default: # Read up on ssl_ciphers to ensure a secure configuration.
/etc/nginx/sites-available/default: # Self signed certs generated by the ssl-cert package
/etc/nginx/sites-available/default: server_name _;
/etc/nginx/sites-available/default:# listen 80;
/etc/nginx/sites-available/default:# listen [::]:80;
/etc/nginx/sites-available/default:# server_name example.com;
/etc/nginx/snippets/snakeoil.conf:# Self signed certificates generated by the ssl-cert package
/etc/nginx/snippets/snakeoil.conf:ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
/etc/nginx/snippets/snakeoil.conf:ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
/etc/nginx/scgi_params:scgi_param SERVER_NAME $server_name;