Http-01 Connection refused

yourivdlans · March 12, 2019, 1:05pm

My domain is: webshop.janmager.keurslager.nl

I ran this command: docker run --rm -p 33586:80 -v /home/dokku/production/letsencrypt/keurslager/certs/0dda13b219cdb232b54a080da52c7390adfdd5a7:/certs dokkupaas/letsencrypt-simp_le:latest -f account_key.json -f fullchain.pem -f chain.pem -f cert.pem -f key.pem --valid_min 2592000 --server https://acme-v01.api.letsencrypt.org/directory --email my@email.com --tos_sha256 cc88d8d9517f490191401e7b54e9ffd12a2b9082ec7a1d4cec6101f9f1647e7b -d webshop.janmager.keurslager.nl

It produced this output:
Challenge validation has failed, see error log.
Error log: https://gist.github.com/yourivdlans/0c485c3c8c32715cbf07b20ec7a78d54

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
tilaa.nl

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I’m using dokku-letsencrypt which in turn uses a docker image called simp_le (https://github.com/kuba/simp_le) to issue certificates.

Lately I’m unable to request new certificates due to an error and I’m not able to figure out why.
My architecture is as follows:

HAproxy (server1) -> nginx (server2) -> Puma webserver (server2 inside docker)

Strangely enough requesting a certificate using the staging api works. I hope someone can push me in the right direction!

Thanks

JuergenAuer · March 12, 2019, 1:53pm

Hi @yourivdlans

you have ipv4 and ipv6 addresses (checked with https://check-your-website.server-daten.de/?q=webshop.janmager.keurslager.nl ):

Host	T	IP-Address	is auth.	∑ Queries	∑ Timeout
webshop.janmager.keurslager.nl	A	91.213.195.54	yes	1	0
	AAAA	2a02:2770:3:0:21a:4aff:fe6d:afbe	yes
www.webshop.janmager.keurslager.nl		Name Error	yes	1	0

Your ipv4 works. But your ipv6 doesn't.

Domainname	Http-Status	redirect	Sec.	G
• http://webshop.janmager.keurslager.nl/
91.213.195.54	301	https://webshop.janmager.keurslager.nl:443/	0.033	A

• http://webshop.janmager.keurslager.nl/
2a02:2770:3:0:21a:4aff:fe6d:afbe	-2		1.064	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2770:3:0:21a:4aff:fe6d:afbe]:80

• https://webshop.janmager.keurslager.nl/
91.213.195.54	200		6.636	I

• https://webshop.janmager.keurslager.nl/
2a02:2770:3:0:21a:4aff:fe6d:afbe	-2		1.043	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2770:3:0:21a:4aff:fe6d:afbe]:443

• https://webshop.janmager.keurslager.nl:443/	200		9.236	I

• http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
91.213.195.54	301	https://webshop.janmager.keurslager.nl:443/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	0.033	A
Visible Content: 301 Moved Permanently nginx

• http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2a02:2770:3:0:21a:4aff:fe6d:afbe	-2		1.043	V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a02:2770:3:0:21a:4aff:fe6d:afbe]:80
Visible Content:

• https://webshop.janmager.keurslager.nl:443/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de	404		7.826	A
Not Found

Checking port 80 + /.well-known/acme-challenge, ipv4 is ok (http status not found), ipv6 looks like a firewall.

But Letsencrypt prefers ipv6, so this is critical.

Two options:

Remove the ipv6 AAAA in your dns settings (or)
check, if there is a firewall, open that, check, if there is a correct answer.

This message

K	http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 91.213.195.54, Status 301

	http://webshop.janmager.keurslager.nl/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 2a02:2770:3:0:21a:4aff:fe6d:afbe, Status -2
	configuration problem - different ip addresses with different status

shouldn't be visible.

So change your configuration and recheck your domain.

yourivdlans · March 12, 2019, 2:11pm

Ah I see! Thanks for the quick reply.

yourivdlans · March 12, 2019, 7:33pm

My HAproxy was not bound to ipv6, fixing that solved the issue. Thanks again!

JuergenAuer · March 12, 2019, 8:09pm

Yep, now you have a new certificate:

	12.03.2019
	10.06.2019
expires in 90 days	webshop.dijkstra.keurslager.nl, 
webshop.eetwinkelstronkhorst.keurslager.nl, webshop.floresteijn.keurslager.nl, 
webshop.janmager.keurslager.nl, webshop.jongenotter.keurslager.nl, 
webshop.looman.keurslager.nl, webshop.mellegers.keurslager.nl, 
webshop.pouwalmere-stad.keurslager.nl, webshop.vanelteren.keurslager.nl - 9 entries

And I’ve found a bug in my tool, so something like

style="background-image: url(&#39;picture.jpg&#39;)"

wasn’t parsed correct.

Is now fixed.

system · April 11, 2019, 8:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.