Failed authorization procedure

Hi everyone,

I am trying to renew my certificate without success. My web server is GlassFish, but I stop it during the renewal process to free port 80.

It seems that Let's Encrypt can't access my port 80, but I can't find what is blocking it.
Here is the result of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt

What else can I try?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://plan-prevention.fr

I ran this command: certbot certonly --standalone -d plan-prevention.fr -d www.plan-prevention.fr

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for plan-prevention.fr
http-01 challenge for www.plan-prevention.fr
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.plan-prevention.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.plan-prevention.fr/.well-known/acme-challenge/c1Txy_t2lzYHL-1p4hpa4gmC679vd5jGfbV63vKf2Kc: Connection refused, plan-prevention.fr (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://plan-prevention.fr/.well-known/acme-challenge/S9-VSeN5LPAd6Ca07W20bF1iLi_L25LlPgjdWwUxuUs: Connection refused

IMPORTANT NOTES:

My web server is (include version): Glassfish 5.0.1

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.28.0

And if you actually do start your webserver, can you connect to it then, remotely?

If I start it, I get the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for plan-prevention.fr
http-01 challenge for www.plan-prevention.fr
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Yes, that's to be expected and was not what I asked.

I wanted to know if your port 80 is accessible at all, for example, when your webserver is running.

Also, allowing port 80 on your OUTPUT iptables table is obviously a good idea (to allow your server to access remote webservers), but doesn't influence incoming HTTP access such as these authorization requests by Let's Encrypt.

I started the web server and it seems port 80 is not accessible (http://plan-prevention.fr returns an error in my browser).

Well, that's something you have to fix first then. :slight_smile: Or use the dns-01 challenge, but I recommend keeping port 80 working too, so I suggest to fix port 80.


What can I try to fix this?

  • Find any possible other factor blocking port 80 such as another firewall (ISP/hosting provider), NAT router without a portmap, such things.
  • Is something listening on port 80 locally? netstat -nap | grep :80
  • Does it listen on the same IP address as port 443 (which is working)?

A few things you might look into.
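The three checks in the post above, turned into an added offline triage script (this is not part of the thread or of Certbot). It parses constructed `netstat -nap` and `iptables -L` samples shaped like the ones posted here, and the function and variable names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: offline triage for an http-01
# "Connection refused". Functions read `netstat -nap` / `iptables -L` text
# from stdin, so they work on live output or the constructed samples below.
# Local address of each LISTEN socket on PORT (nothing if none). On Linux an
# IPv6 wildcard ":::80" also accepts IPv4 unless net.ipv6.bindv6only=1.
listen_addrs() {
    awk -v p=":$1" '/LISTEN/ && substr($4, length($4)-length(p)+1) == p { print $4 }'
}
# INPUT-chain verdict for new connections to dpt:SERVICE ("http" or "80"):
# target of the first rule naming that port, else the chain policy. Rules in
# other chains (e.g. OUTPUT) and rules without dpt: are ignored: it is a hint.
input_chain_verdict() {
    local service="$1" line in_input=0 policy=ACCEPT verdict=""
    while read -r line; do
        case "$line" in
            "Chain INPUT "*) in_input=1; policy=${line#*policy }
                             policy=${policy%)*}; continue ;;
            "Chain "*)       in_input=0; continue ;;
        esac
        [ "$in_input" = 1 ] || continue
        case "$line" in
            *"dpt:$service"|*"dpt:$service "*) [ -n "$verdict" ] || verdict=${line%% *} ;;
        esac
    done
    printf '%s\n' "${verdict:-$policy}"
}
# Where to look next: $1 = netstat text, $2 = iptables -L text.
triage_port80() {
    local addrs verdict
    addrs=$(printf '%s\n' "$1" | listen_addrs 80)
    verdict=$(printf '%s\n' "$2" | input_chain_verdict http)
    if [ -z "$addrs" ]; then echo "no-listener"               # nothing bound to :80
    elif [ "$verdict" != ACCEPT ]; then echo "host-firewall:$verdict"
    else echo "upstream"   # host looks fine: provider firewall, NAT, nftables/ufw
    fi
}
# Constructed samples shaped like the thread's output (not real captures).
NETSTAT_RUNNING='tcp6 0 0 :::80 :::* LISTEN 3485/java
tcp6 0 0 :::443 :::* LISTEN 3485/java'
IPTABLES_THREAD='Chain INPUT (policy ACCEPT)
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain OUTPUT (policy ACCEPT)
ACCEPT tcp -- anywhere anywhere tcp dpt:http'
IPTABLES_OUTPUT_ONLY='Chain INPUT (policy DROP)
Chain OUTPUT (policy ACCEPT)
ACCEPT tcp -- anywhere anywhere tcp dpt:http'
triage_port80 "$NETSTAT_RUNNING" "$IPTABLES_THREAD"        # prints "upstream"
```

The second iptables sample shows the point made earlier in the thread: an ACCEPT for dpt:http in OUTPUT does nothing for inbound validation requests, so with a DROP policy on INPUT the verdict stays DROP.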

root@pdep_server1:~# ufw status
Status: inactive

root@pdep_server1:~# netstat -nap | grep :80
root@pdep_server1:~#

(after stopping the web server)

Well, of course there isn't anything listening if you stop the webserver..................

It's the configuration of the server when I execute certbot.

With the server running:
root@pdep_server1:~# netstat -nap | grep :80
tcp6 0 0 :::80 :::* LISTEN 3485/java

Still getting a "connection refused". Output of netstat doesn't look weird at all, should work.

Although I can't connect to port 443 now either, did you stop it again?

In any case, a working port 80 is required for the http-01 challenge. Alternatively you can use the dns-01 challenge, but that might require a little effort to set up automated, depending on your DNS provider.

I just started it again:
root@pdep_server1:~# netstat -nap | grep :80
tcp6 0 0 :::80 :::* LISTEN 5165/java
tcp6 0 0 51.83.37.116:21 149.3.170.6:80 SYN_RECV -

I can see port 443 working again, but port 80 is still refusing to connect to.

See my previous post. Port 80 needs to work for the http-01 challenge. I'm afraid I don't know any other things for you to check. A $ sudo traceroute -T -p 80 plan-prevention.fr goes all the way to the IP address of your router, so it really looks like it's your server that is blocking the connection somehow.

Perhaps some other re-routing of your port 80? In your router perhaps? Did you map port 80 externally to some other port internally? Or perhaps to the wrong internal IP address?

It seems that there is no firewall or port redirection on my web hosting service.

This level of debugging is above my "paygrade" (as a volunteer :stuck_out_tongue_winking_eye:), sorry.

I would double-check your OVH Control Panel (Network Firewall) again: https://docs.ovh.com/gb/en/dedicated/firewall-network/


Did your hosting provider decide to start blocking port 80?
Did you change your firewall settings since your last renewal?

I just checked and there is no firewall activated in the OVH control panel.
I didn't change any settings since my last renewal :confused:.

And yet, I get an immediate reject:

curl -Iki http://plan-prevention.fr/
curl: (7) Failed to connect to plan-prevention.fr port 80: Connection refused