Let's encrypt and port 80 issue

My domain is: cloudimagewall.xyz

I ran this command: N/A

My web server is (include version): Ubuntu 16.04

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm following this tutorial using Docker Nginx Letsencrypt:

But i got the error when Requesting a certificate:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: cloudimagewall.xyz
  Type:   connection
  Detail: Fetching http://cloudimagewall.xyz/.well-known/acme-challenge/-XVii9vyU_jR9xOgxhcate_e176tHZcYKCfIZqG2tXg: Connection refused

I test letsdebug.net website and i see this error:

cloudimagewall.xyz has an A (IPv4) record ( but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://cloudimagewall.xyz/.well-known/acme-challenge/letsdebug-test": dial tcp connect: connection refused

@0ms: Making a request to http://cloudimagewall.xyz/.well-known/acme-challenge/letsdebug-test (using initial IP
@0ms: Dialing
@226ms: Experienced error: dial tcp connect: connection refused

This is my ubuntu server firewall status

This is my nginx config:

server {
    listen 80;
    server_name cloudimagewall.xyz www.cloudimagewall.xyz;

    location / {
        return 301 https://$host$request_uri;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;

server {
    listen 443 ssl;
    server_name cloudimagewall.xyz;

    # SSL configuration
    ssl_certificate /etc/letsencrypt/live/cloudimagewall.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloudimagewall.xyz/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    location / {
        client_max_body_size 30M;

        proxy_set_header    Host               $http_host;
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;

        proxy_pass http://node-app:3000;
        # proxy_redirect off;

        # enable WebSockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

I'm stucking in this for hours but cannot solve it, hope someone can help me.

You're missing the www in the secure vhost.

All four connections are being refused:

  • http://cloudimagewall.xyz
  • http://www.cloudimagewall.xyz
  • https://cloudimagewall.xyz
  • https://www.cloudimagewall.xyz

Are you sure you are at the right IP address?
From the server, please show the output of:
curl -4 ifconfig.co

the output is:

Well that does match DNS:

Name:    cloudimagewall.xyz
Aliases: www.cloudimagewall.xyz

Is there a NAT/PAT device involved?

Sorry I dont understand what NAT/PAT mean so maybe my answer is no

Is there a router involved?
If so, does it do any address, or port, translation?

Ok, where you ever able to reach the HTTP site?

You will need a functional HTTP site in order to secure it (via HTTP authentication method).

Uhm right now all I know is all my docker container running but my nginx container is down
My nginx container keep showing this error:

open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/default.conf:23

nginx: [emerg] open() "/etc/letsencrypt/options-ssl-nginx.conf" failed (2: No such file or directory) in /etc/nginx/conf.d/default.conf:23

Ok, where you ever able to reach the HTTP site? yes

When i dont using letsencrypt and it working fine

I would start by editing out that part in this file:

[just to get nginx going again]

In my nginx logs it showing this:

cannot load certificate "/etc/letsencrypt/live/cloudimagewall.xyz/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/cloudimagewall.xyz/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

because when i request certificate certbox failed to authenticate:

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: cloudimagewall.xyz
  Type:   connection
  Detail: Fetching http://cloudimagewall.xyz/.well-known/acme-challenge/C0C2rqlciikQL7--qKVtYLnv4HqH6A2dK117bthJhq4: Connection refused

Can you disable that whole server section of the file?

Oh i just retry to request certificate when all my server container is running and it success

But my url is unsecured for some reason

It isn't serving the correct certificate.

the url auto add a dash to https and said it unsecure

Now my nginx logs showing this new error:

[error] 15#15: *22 open() "/var/www/certbot/.well-known/acme-challenge/spaJ_9L6kICDfGdO3xJSkluqglyXMwhsySeYAI4ERSw" failed (2: No such file or directory), client:, server: cloudimagewall.xyz, request: "GET /.well-known/acme-challenge/spaJ_9L6kICDfGdO3xJSkluqglyXMwhsySeYAI4ERSw HTTP/1.1", host: "cloudimagewall.xyz"

Actually it is using a staging certificate.
Not a real production certificate:
See: SSL Server Test: cloudimagewall.xyz (Powered by Qualys SSL Labs)

Ah you're right I almost forgot the setting to real certificate

1 Like

And thank you for using the staging environment while testing :slight_smile:

1 Like