Http-01 challenge fails with Connection refused

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
riffa.se and 9 more

I ran this command:
certbot renew --dry-run -v \
    --config-dir /config/etc/letsencrypt \
    --work-dir /config/var/lib/letsencrypt \
    --logs-dir /config/log/letsencrypt

It produced this output:
Processing /config/etc/letsencrypt/renewal/riffa.se.conf


Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Running pre-hook command: /config/etc/letsencrypt/renewal-hooks/pre/10-nginx
Simulating renewal of an existing certificate for riffa.se and 9 more
Performing the following challenges:
http-01 challenge for bilder.bstation.se
http-01 challenge for bstation.se
http-01 challenge for joplin.riffa.se
http-01 challenge for riffa.se
http-01 challenge for www.bstation.se
http-01 challenge for www.riffa.se
http-01 challenge for www.zebrabild.se
http-01 challenge for www.zebrabilder.se
http-01 challenge for zebrabild.se
http-01 challenge for zebrabilder.se
Using the webroot path /www for all unmatched domains.
Waiting for verification...
Challenge failed for domain bilder.bstation.se
Challenge failed for domain bstation.se
Challenge failed for domain joplin.riffa.se
Challenge failed for domain riffa.se
Challenge failed for domain www.bstation.se
Challenge failed for domain www.riffa.se
Challenge failed for domain www.zebrabild.se
Challenge failed for domain www.zebrabilder.se
Challenge failed for domain zebrabild.se
Challenge failed for domain zebrabilder.se
http-01 challenge for bilder.bstation.se
http-01 challenge for bstation.se
http-01 challenge for joplin.riffa.se
http-01 challenge for riffa.se
http-01 challenge for www.bstation.se
http-01 challenge for www.riffa.se
http-01 challenge for www.zebrabild.se
http-01 challenge for www.zebrabilder.se
http-01 challenge for zebrabild.se
http-01 challenge for zebrabilder.se

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: bilder.bstation.se
Type: connection
Detail: 158.174.67.124: Fetching http://bilder.bstation.se/.well-known/acme-challenge/tWngrlqjIzLuu5_XFJW4EeUllP4jD0FdobdWwJS_fqs: Connection refused

Domain: bstation.se
Type: connection
Detail: 158.174.67.124: Fetching http://bstation.se/.well-known/acme-challenge/D__3pw2lL9h_eheaHpvs3oZmSwg7OITyzqrdyuz7LRY: Connection refused

Domain: joplin.riffa.se
Type: connection
Detail: 158.174.67.124: Fetching http://joplin.riffa.se/.well-known/acme-challenge/otxi4onyb_KaVlOAdxH7Qj8a8UlYm-HUW7PUo9vWlWQ: Connection refused

Domain: riffa.se
Type: connection
Detail: 158.174.67.124: Fetching http://riffa.se/.well-known/acme-challenge/iAP1NrgXCDEwiZWPt1dfLJkhdOQB3e6IyFRa7xMVEN0: Connection refused
...

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate riffa.se with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/config/etc/letsencrypt/live/riffa.se/fullchain.pem (failure)

My web server is (include version):
nginx version: nginx/1.28.0

The operating system my web server runs on is (include version):
SWAG Docker container on Unraid

My hosting provider, if applicable, is:
Bahnhof, Sweden

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 5.2.2

All domains fail with connection refused; I have tested them all from letsdebug.net successfully.
I created a ping file and can access it from the outside:
C:\Users\bbbkada>curl -I http://riffa.se/.well-known/acme-challenge/ping
HTTP/1.1 200 OK
Server: nginx
...

This certificate has worked before, but not anymore.

I am running HTTPS redirects with exceptions for /.well-known/... on all domains:

server {
    listen 80;
    server_name riffa.se www.riffa.se;

    location ^~ /.well-known/acme-challenge/ {
        root /www;
        try_files $uri =404;
        default_type "text/plain";
        access_log off;
        log_not_found off;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

/bbbkada

Most likely you are blocking the requests either based on geographic location or user agent.


Not that I know of!?
I am using an ASUS-WRT Merlin router with all intelligent filtering off.
Wouldn't letsdebug.net detect that?

Hi @bbbkada ,

I can reach your ping URL from a number of hosts in the UK and US without any issues (and I get "OK" as the response). Requests to .well-known/acme-challenge/ get 404 errors and requests to other paths get 301s as you described. So that all looks okay. I tried with a number of different user-agent headers too.

"Connection refused" says the TCP connection is being actively rejected, rather than just ignored.

Are you able to run a tcpdump on the container that's running nginx (or the machine that's hosting the container)? Might be worth running this (replace interface with the correct interface name) in a separate shell while you run certbot:

tcpdump -n -i interface tcp port 80 or tcp port 443 or icmp

and seeing what comes in. The TCP rules will obviously pick up HTTP and HTTPS; ICMP will let us see if the connections are being rejected in a particular way.

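A pre-flight check that mirrors what the CA's validator does, added here as an example (it is not code from the thread, from certbot or from SWAG): it drops a random token into the webroot and fetches it back over plain HTTP, and separates "connection refused" (nothing listening on the port, exactly what a hook that stops nginx produces) from a 404 (port open but wrong webroot or server block) and from a silent timeout (packets dropped by a firewall or NAT). `demo()` exercises it against a local `http.server` as a constructed stand-in for nginx and against a closed port; the webroot path and URL are whatever you pass in.

```python
import functools
import http.server
import os
import secrets
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def check_webroot_challenge(webroot, base_url, timeout=5):
    """Drop a random token under <webroot>/.well-known/acme-challenge/ and fetch it
    back through <base_url>, the way the CA's http-01 validator does."""
    token, body = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    target_dir = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok" if resp.read().decode() == body else "mismatch"
    except urllib.error.HTTPError as exc:
        return f"http {exc.code}"  # 404: port open but wrong webroot / server block
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, ConnectionRefusedError):
            return "connection refused"  # TCP RST: nothing listening (nginx stopped?)
        return f"unreachable: {exc.reason}"
    except (socket.timeout, TimeoutError):
        return "timeout"  # packets dropped silently: firewall/NAT rather than an RST
    finally:
        os.remove(path)

def demo():
    """Self-test: a local http.server (constructed stand-in for nginx), then a closed port."""
    webroot = tempfile.mkdtemp()
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        served = check_webroot_challenge(webroot, f"http://127.0.0.1:{srv.server_address[1]}")
        srv.shutdown()
    with socket.socket() as probe:  # grab a port that is free right now, then release it
        probe.bind(("127.0.0.1", 0))
        closed_port = probe.getsockname()[1]
    closed = check_webroot_challenge(webroot, f"http://127.0.0.1:{closed_port}")
    return {"served": served, "closed": closed}
```

Run it from the host against the public name and port 80 before `certbot renew`; a "connection refused" verdict while nginx is supposed to be up points at something stopping or not forwarding the listener rather than at the webroot.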

I found this pre-hook; I guess that explains why the container OS resets the requests?

root@2c4728d768bc:/config/etc/letsencrypt/renewal-hooks/pre# cat 10-nginx
#!/usr/bin/with-contenv bash
# shellcheck shell=bash
# shellcheck source=/dev/null
. /config/.donoteditthisfile.conf

# Unless validation is DNS-based, take nginx down (s6-svc -d) if it is running
if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
    if pgrep -f "nginx:" >/dev/null; then
        s6-svc -d /run/service/svc-nginx
    fi
fi

Standard pre-hook in the SWAG container.
I tried a renewal and it works just fine now!

Yeah, if it's stopping nginx (and presumably restarting it in a post-renewal hook?) that would explain a lot. Well spotted :) Glad to hear it's working again.
