Http-01 Connection refused

My domain is: webshop.janmager.keurslager.nl

I ran this command: docker run --rm -p 33586:80 -v /home/dokku/production/letsencrypt/keurslager/certs/0dda13b219cdb232b54a080da52c7390adfdd5a7:/certs dokkupaas/letsencrypt-simp_le:latest -f account_key.json -f fullchain.pem -f chain.pem -f cert.pem -f key.pem --valid_min 2592000 --server https://acme-v01.api.letsencrypt.org/directory --email my@email.com --tos_sha256 cc88d8d9517f490191401e7b54e9ffd12a2b9082ec7a1d4cec6101f9f1647e7b -d webshop.janmager.keurslager.nl

It produced this output:
Challenge validation has failed, see error log.
Error log: https://gist.github.com/yourivdlans/0c485c3c8c32715cbf07b20ec7a78d54

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
tilaa.nl

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I’m using dokku-letsencrypt which in turn uses a docker image called simp_le (https://github.com/kuba/simp_le) to issue certificates.

Lately I’m unable to request new certificates due to an error and I’m not able to figure out why.
My architecture is as follows:

HAproxy (server1) -> nginx (server2) -> Puma webserver (server2 inside docker)

Strangely enough requesting a certificate using the staging api works. I hope someone can push me in the right direction!

Thanks 🙂

Hi @yourivdlans

you have ipv4 and ipv6 addresses (checked with https://check-your-website.server-daten.de/?q=webshop.janmager.keurslager.nl ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| webshop.janmager.keurslager.nl | A | 91.213.195.54 | yes | 1 | 0 |
| | AAAA | 2a02:2770:3:0:21a:4aff:fe6d:afbe | yes | | |
| www.webshop.janmager.keurslager.nl | Name Error | | yes | 1 | 0 |

Your ipv4 works. But your ipv6 doesn’t.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://webshop.janmager.keurslager.nl/<br>91.213.195.54 | 301 | https://webshop.janmager.keurslager.nl:443/ | 0.033 | A |
| http://webshop.janmager.keurslager.nl/<br>2a02:2770:3:0:21a:4aff:fe6d:afbe<br>ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2770:3:0:21a:4aff:fe6d:afbe]:80 | -2 | | 1.064 | V |
| https://webshop.janmager.keurslager.nl/<br>91.213.195.54 | 200 | | 6.636 | I |
| https://webshop.janmager.keurslager.nl/<br>2a02:2770:3:0:21a:4aff:fe6d:afbe<br>ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2770:3:0:21a:4aff:fe6d:afbe]:443 | -2 | | 1.043 | V |
| https://webshop.janmager.keurslager.nl:443/ | 200 | | 9.236 | I |
| http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de<br>91.213.195.54<br>Visible Content: 301 Moved Permanently nginx | 301 | https://webshop.janmager.keurslager.nl:443/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.033 | A |
| http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de<br>2a02:2770:3:0:21a:4aff:fe6d:afbe<br>ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2770:3:0:21a:4aff:fe6d:afbe]:80<br>Visible Content: | -2 | | 1.043 | V |
| https://webshop.janmager.keurslager.nl:443/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de<br>Not Found | 404 | | 7.826 | A |

Checking port 80 + /.well-known/acme-challenge, ipv4 is ok (http status not found), ipv6 looks like a firewall.

But Let's Encrypt prefers IPv6, so this is critical.

Two options:

  • Remove the IPv6 AAAA in your DNS settings, or
  • check whether there is a firewall, open it, and check whether there is a correct answer.

This message

K http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 91.213.195.54, Status 301
http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:2770:3:0:21a:4aff:fe6d:afbe, Status -2
configuration problem - different ip addresses with different status

shouldn’t be visible.

So change your configuration and recheck your domain.
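The per-address check described in the reply above, as an added example that is not part of the original thread: it probes port 80 on every A and AAAA address separately and reports the mismatch the tool flagged. The function names and the challenge token name are assumptions; the sample results are constructed from the table in the reply.

```python
import socket

# Hypothetical token name; any path under /.well-known/acme-challenge/ will do.
CHALLENGE_PATH = "/.well-known/acme-challenge/reachability-test"

def resolve(host):
    """Return [(family, ip)] for every A and AAAA record of host."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    return sorted({(fam, sa[0]) for fam, _, _, _, sa in infos})

def probe(host, family, ip, path=CHALLENGE_PATH, timeout=5):
    """Connect to one specific address on port 80; return HTTP status or error text."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((ip, 80))
            req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            s.sendall(req.encode())
            status_line = s.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
            return int(status_line.split()[1])
    except (OSError, ValueError, IndexError) as exc:
        return f"error: {exc}"

def diagnose(results):
    """results: {ip: status-or-error}. Return findings an HTTP-01 validator would trip over."""
    findings = []
    for ip, result in results.items():
        if not isinstance(result, int):
            kind = "IPv6" if ":" in ip else "IPv4"
            findings.append(f"{kind} address {ip} not reachable on port 80 ({result})")
    if len({str(r) for r in results.values()}) > 1:
        findings.append("different ip addresses with different status")
    return findings

def check(host):
    """Live check: probe every published address of host (needs network access)."""
    return diagnose({ip: probe(host, fam, ip) for fam, ip in resolve(host)})

# Constructed sample mirroring the report above, so the logic runs offline.
SAMPLE = {
    "91.213.195.54": 301,
    "2a02:2770:3:0:21a:4aff:fe6d:afbe": "error: connection refused",
}

if __name__ == "__main__":
    for line in diagnose(SAMPLE):
        print(line)
```

Run `check("your.domain")` from a machine with working IPv6; a machine without IPv6 connectivity reports every AAAA address as unreachable regardless of the server's state.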

Ah I see! Thanks for the quick reply.


My HAproxy was not bound to ipv6, fixing that solved the issue. Thanks again!

Yep, now you have a new certificate:

12.03.2019
10.06.2019, expires in 90 days
webshop.dijkstra.keurslager.nl, webshop.eetwinkelstronkhorst.keurslager.nl, webshop.floresteijn.keurslager.nl, webshop.janmager.keurslager.nl, webshop.jongenotter.keurslager.nl, webshop.looman.keurslager.nl, webshop.mellegers.keurslager.nl, webshop.pouwalmere-stad.keurslager.nl, webshop.vanelteren.keurslager.nl - 9 entries

And I’ve found a bug in my tool, so something like

style="background-image: url('picture.jpg')"

wasn’t parsed correctly.

Is now fixed.
