Issue of new certificates failure (connection refused)


#1

Hi, I can’t figure out what is wrong in my certificate process. I already had certificates for my first two domains (I even posted about renewal issues: Impossible to renew certifications) and had to reinstall my server. Now it ends on a connection refused. I set up IPv6 and uninstalled fail2ban to see if it was blocking the connection, and nothing works! My only access to my websites is with the direct IP.

My domain is: alisapolischuk.com, raphaelfiquet.pro & iris-paris.fr

I ran this command: certbot --authenticator webroot --installer apache

My web server is (include version): Apache 2.4.25

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is: OVH (Vps SSD)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Result:
Failed authorization procedure.
raphaelfiquet.pro (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://raphaelfiquet.pro/.well-known/acme-challenge/rLc_59xNtm_f54ddRZdrMJZq8415vpZ2KTbqEdI6iVI: Connection refused
www.raphaelfiquet.pro (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.raphaelfiquet.pro/.well-known/acme-challenge/EJvTnN5QyWpm8RmrIQ_j_LzG8Dt6FoHWxP29GtWy-Uo: Connection refused
www.alisapolischuk.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.alisapolischuk.com/.well-known/acme-challenge/Mre0_tpWex6JDc0weTyJQvu3ryUm5tP5WMTWr8tvbn0: Connection refused
iris-paris.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://iris-paris.fr/.well-known/acme-challenge/Oc8wPukJPJ1ii6lWAe9EDHS8CHeqh2-0dGJnQkVwykE: Connection refused
alisapolischuk.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://alisapolischuk.com/.well-known/acme-challenge/0NY6NKZL2bS2leM5HakrpcS03_PNE--LEeSrXgBPXcY: Connection refused
www.iris-paris.fr (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.iris-paris.fr/.well-known/acme-challenge/6NJuzMZ6W3yevgaO_N4mLn-VllnXcRN2FlcX2V-4wng: Connection refused

IMPORTANT NOTES:


#2

Hi,

Do you happen to have any software that blocks port 443?

Thank you


#3

Not that I know of, that’s where I’m a bit lost. I first thought fail2ban was guilty, but after an apt-get purge, it should be that.


#4

Hi,

Can you take a look at your account firewall? (Located in your OVH dashboard?)

https://docs.ovh.com/gb/en/dedicated/firewall-network/


#5

It is not activated. Should it be?


#6

@raphyney, it looks like your site listens for HTTP on port 80 and returns a redirect to HTTPS on port 443, which isn’t listening at all. Does this match your expectation or did you expect your site to be set up in a different way?

(This configuration won’t work with --webroot.)


#7

It does, yes, except if it isn’t a “clean” way to do it.

What would it work with then?


#8

The simplest thing is not to set up the redirect until after the HTTPS listener is working.

(An alternative is to try --authenticator apache instead of --authenticator webroot if you have a recent enough version of Certbot.)


#9

OK, indeed it worked well, and the certificates are done!

But now only one of the websites runs, and the other two return an error: “ERR_TOO_MANY_REDIRECTS”.

Any clue on what’s the problem here?


#10

Oh, and the only one working (raphaelfiquet.pro): its certificate name says alisapolischuk.com.


#11

Hi @raphyney

This is not a problem. A certificate has one CN name. Yours:

CN = alisapolischuk.com

But a certificate can have a lot of alternative names:

DNS-Name: alisapolischuk.com
DNS-Name: iris-paris.fr
DNS-Name: raphaelfiquet.pro
DNS-Name: www.alisapolischuk.com
DNS-Name: www.iris-paris.fr
DNS-Name: www.raphaelfiquet.pro

So you can use the same certificate with every domain listed there.


#12

Your redirect list:

http://www.iris-paris.fr/ -> https://www.iris-paris.fr/

https://www.iris-paris.fr/ -> https://iris-paris.fr/

This is ok.

But

https://iris-paris.fr/ -> https://iris-paris.fr/

is endless :wink:


#13

Hmm, indeed, it doesn’t seem very logical ^^

Where could this redirection come from? I checked my sites-available conf, and the only difference between the working domain and the two others was a “Redirect permanent / https://domain.com”.

I deleted this row and restarted, but it didn’t change anything.


#14

There are redirects and rewrite rules. Both are able to produce such a situation. Or you use a content management system with additional options.


#15

PS: And the critical rule is wrong:

D:\download https://iris-paris.fr/index.html -h
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Length: 239
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 27 Jun 2018 10:25:11 GMT
Location: https://iris-paris.frindex.html
Server: Apache

Status: 301 MovedPermanently

There is no / after the domain name. So https://iris-paris.fr/index.html is redirected to the non-existent location

https://iris-paris.frindex.html
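
Both failure modes in this thread, the blanket HTTP→HTTPS redirect that sends the http-01 check to a closed port (post #8) and the copied redirect whose target lacks the trailing slash, producing the self-loop and the `https://iris-paris.frindex.html` Location (posts #12 and #15), can be reproduced offline with a small model of Apache's `Redirect` semantics. This is an added example, not code from the thread, from Certbot or from Apache: it models only mod_alias `Redirect`/`RedirectMatch` (prefix match at a path-segment boundary with the remainder appended verbatim; regex with `$N` back-references), not mod_rewrite, and the host names, challenge token and one-line vhost bodies it feeds in are constructed to mirror the thread's symptoms.

```python
"""Toy model of Apache mod_alias redirects versus Let's Encrypt http-01.
Added example, not code from the thread, Certbot or Apache.  Only the
`Redirect` and `RedirectMatch` directives are modelled (no mod_rewrite).
Host names, the challenge token and the vhost bodies are constructed."""
import re
from urllib.parse import urlsplit


def parse_rules(conf):
    """Collect Redirect/RedirectMatch lines from a vhost body, in order."""
    rules = []
    for raw in conf.splitlines():
        parts = [p.strip('"') for p in raw.split("#", 1)[0].split()]
        if not parts or parts[0] not in ("Redirect", "RedirectMatch"):
            continue
        args = parts[1:]
        if len(args) == 3:          # optional status: permanent, 301, ...
            args = args[1:]
        rules.append((parts[0] == "RedirectMatch", args[0], args[1]))
    return rules


def location_for(rules, path):
    """Location a request for `path` gets, or None if the vhost serves it."""
    for is_regex, pattern, target in rules:
        if is_regex:
            m = re.search(pattern, path)
            if m:                   # Apache $0..$9 -> Python \g<N>
                return m.expand(re.sub(r"\$(\d)", r"\\g<\1>", target))
        elif path.startswith(pattern) and (
            pattern.endswith("/") or path[len(pattern):len(pattern) + 1] in ("", "/")
        ):
            # The remainder is appended verbatim, no '/' inserted: with the
            # target `https://host`, /index.html becomes https://hostindex.html
            return target + path[len(pattern):]
    return None


def normalize(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}{u.path or '/'}"


def trace(url, vhosts, listening, max_hops=10):
    """Follow redirects; vhosts maps (scheme, host) -> rules, listening is the
    set of open ports.  Returns (verdict, hops) with verdict one of
    'served', 'refused', 'loop', 'bad-location', 'too-many-hops'."""
    known = {host for _, host in vhosts}
    url, hops = normalize(url), []
    for _ in range(max_hops):
        hops.append(url)
        u = urlsplit(url)
        if (u.port or (443 if u.scheme == "https" else 80)) not in listening:
            return "refused", hops          # what the ACME server reported
        if u.hostname not in known:
            return "bad-location", hops     # e.g. https://iris-paris.frindex.html/
        loc = location_for(vhosts.get((u.scheme, u.hostname), []), u.path)
        if loc is None:
            return "served", hops
        url = normalize(loc)
        if url in hops:
            return "loop", hops + [url]
    return "too-many-hops", hops


# Phase 1 (posts #1-#8): no certificate yet, only :80 open, and the http vhost
# redirects everything, the challenge path included, to the closed port.
BLANKET = "Redirect permanent / https://iris-paris.fr/"
# Keep /.well-known/acme-challenge/ on plain HTTP (PCRE negative lookahead,
# $1 = rest of the path) so http-01 can be answered before :443 exists.
ACME_SAFE = r'RedirectMatch permanent "^/(?!\.well-known/acme-challenge/)(.*)" "https://iris-paris.fr/$1"'
CHALLENGE = "http://iris-paris.fr/.well-known/acme-challenge/constructed-token"


def http01_verdict(http_vhost):
    return trace(CHALLENGE, {("http", "iris-paris.fr"): parse_rules(http_vhost)}, {80})


# Phase 2 (posts #9-#17): :443 open, but the https vhost got a copy of the
# redirect whose target lacks the trailing '/'.
COPIED = "Redirect permanent / https://iris-paris.fr"
FIXED = "# no redirect in the https vhost"


def site_verdicts(https_vhost):
    vhosts = {
        ("http", "iris-paris.fr"): parse_rules(BLANKET),
        ("https", "www.iris-paris.fr"): parse_rules("Redirect permanent / https://iris-paris.fr/"),
        ("https", "iris-paris.fr"): parse_rules(https_vhost),
    }
    urls = ("https://iris-paris.fr/", "https://iris-paris.fr/index.html", "https://www.iris-paris.fr/")
    return {u: trace(u, vhosts, {80, 443})[0] for u in urls}


if __name__ == "__main__":
    for name, conf in (("blanket", BLANKET), ("acme-exempt", ACME_SAFE)):
        print("http-01,", name, "->", http01_verdict(conf))
    for name, conf in (("copied", COPIED), ("fixed", FIXED)):
        print("https vhost,", name, "->", site_verdicts(conf))
```

The `ACME_SAFE` line is the usual way to keep a redirect with mod_alias alone while exempting the challenge directory; the model ignores `ServerName` and every other directive, so it says nothing about the rest of a real vhost. On the real server, `apache2ctl configtest` after the change and `curl -I` against the `http://` challenge URL (expecting a 200 or 404, not a 301 to `https://`) are the checks that matter.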


#16

All right, I found the redirection rules, and they are fixed! All 3 domains work.

I’m just a bit confused about the critical rule thing you just said. Is that a redirection that leads to this (with the missing “/”)?


#17

Now it works.

https://iris-paris.fr/ sends a http status 200

https://iris-paris.fr/index.html doesn’t send a wrong redirect any more; instead it sends a 404.


#18

:handshake: it’s all fixed then! Thanks a lot for your help!!

