Nginx configuration(?): connection refused

After having received a message that my website certificate was almost expiring, I noticed that the renewal process was failing. The log for the cron job indicates this has been occuring since March 15th. I vaguely recall updating the nginx config at the time (for SSL labs) but I have no idea exactly what I changed.

I noticed that the challenge files are still being created (and automatically removed). I tested creating a file /.well-known/acme-challenge/test.txt which I can access normally from my browser (Firefox).

Here is /etc/nginx/conf.d/zeroknowledge.me.conf

# use compression
# TODO: handles only text/plain by default
gzip on;

# redirect http to https
server {
  listen        80;
  server_name   www.zeroknowledge.me;
  return        301 https://$server_name$request_uri;
}

server {
  listen                443 ssl http2;
  server_name           www.zeroknowledge.me;

  root                  /var/www/www.zeroknowledge.me/public;

  server_tokens         off;

  # headers
  charset               utf-8;
  add_header            Strict-Transport-Security "max-age=31536000; includeSubDomains";
  # TODO report-uri
  add_header            Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; frame-ancestors 'none'";
  add_header            Referrer-Policy "no-referrer";
  add_header            X-Content-Type-Options: "nosniff";
  add_header            X-Clacks-Overhead "GNU Terry Pratchett";

  # custom error pages
  error_page            403 /403.html;
  location = /403.html {
    internal;
  }
  error_page            404 /404.html;
  location = /404.html {
    internal;
  }
  error_page            418 /418.html;
  location = /418.html {
    internal;
  }
  location ~* /(coffee|koffie|teapot|theepot) {
    default_type text/plain;
    return 418;
  }
  error_page            500 502 503 504 /50x.html;
  location = /50x.html {
    internal;
  }

  # ssl
  ssl_protocols         TLSv1.2;
  ssl_certificate       /etc/letsencrypt/live/www.zeroknowledge.me/fullchain.pem;
  ssl_certificate_key   /etc/letsencrypt/live/www.zeroknowledge.me/privkey.pem;
  ssl_prefer_server_ciphers on;
  ssl_dhparam           /etc/ssl/certs/dhparam.pem;
  ssl_ciphers           'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

  ssl_stapling          on;
  ssl_stapling_verify   on;
  ssl_session_cache     shared:SSL:50m;
  ssl_session_timeout   60m;

  # clean up error logs
  location = /favicon.ico {
    access_log off;
    log_not_found off;
  }
}

# redirect the bare domain to the www subdomain
server {
  listen        80;
  listen        443 ssl http2;
  server_name   zeroknowledge.me;
  return        301 https://www.zeroknowledge.me$request_uri;
}

and I see four of these lines in /var/log/nginx/access.log for every command I run:

34.213.106.112 - - [29/Mar/2019:00:23:30 +0100] "GET /.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

My domain is: https://www.zeroknowledge.me/

I ran this command: certbot renew --dryrun

It produced this output:

Attempting to renew cert (www.zeroknowledge.me) from /etc/letsencrypt/renewal/www.zeroknowledge.me.conf produced an unexpected error: Failed authorization procedure. www.zeroknowledge.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.zeroknowledge.me/.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.zeroknowledge.me/fullchain.pem (failure)

...
 - The following errors were reported by the server:

   Domain: www.zeroknowledge.me
   Type:   connection
   Detail: Fetching
   https://www.zeroknowledge.me/.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw:
   Connection refused

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @sebastianv89

you have ipv4- and ipv6 - addresses ( https://check-your-website.server-daten.de/?q=zeroknowledge.me ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
zeroknowledge.me A 188.226.145.168 yes 2 0
AAAA 2a03:b0c0:0:1010::40:f001 yes
www.zeroknowledge.me C zeroknowledge.me yes 1 0
A 188.226.145.168 yes
AAAA 2a03:b0c0:0:1010::40:f001 yes

But your ipv6 doesn’t answer:

Domainname Http-Status redirect Sec. G
http://zeroknowledge.me/
188.226.145.168 301 https://www.zeroknowledge.me/ 0.033 E
http://www.zeroknowledge.me/
188.226.145.168 301 https://www.zeroknowledge.me/ 0.034 A
http://zeroknowledge.me/
2a03:b0c0:0:1010::40:f001 -2 1.077 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a03:b0c0:0:1010::40:f001]:80
http://www.zeroknowledge.me/
2a03:b0c0:0:1010::40:f001 -2 1.077 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a03:b0c0:0:1010::40:f001]:80

(skipped the other tests).

So

  • fix your ipv6 configuration (or)
  • remove the ipv6 dns entry, create a new certificate, then fix ipv6.
1 Like

Awesome, that fixed it!

Thanks for the fast response :smiley:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.