After having received a message that my website certificate was almost expiring, I noticed that the renewal process was failing. The log for the cron job indicates this has been occurring since March 15th. I vaguely recall updating the nginx config at the time (for SSL Labs) but I have no idea exactly what I changed.

I noticed that the challenge files are still being created (and automatically removed). I tested creating a file /.well-known/acme-challenge/test.txt which I can access normally from my browser (Firefox).

Here is /etc/nginx/conf.d/

# use compression
# TODO: handles only text/plain by default
gzip on;

# redirect http to https
server {
  listen        80;
  return        301 https://$server_name$request_uri;
}

server {
  listen                443 ssl http2;
  server_name ;

  root                  /var/www/;

  server_tokens         off;

  # headers
  charset               utf-8;
  add_header            Strict-Transport-Security "max-age=31536000; includeSubDomains";
  # TODO report-uri
  add_header            Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; frame-ancestors 'none'";
  add_header            Referrer-Policy "no-referrer";
  add_header            X-Content-Type-Options "nosniff";
  add_header            X-Clacks-Overhead "GNU Terry Pratchett";

  # custom error pages
  error_page            403 /403.html;
  location = /403.html {
  }
  error_page            404 /404.html;
  location = /404.html {
  }
  error_page            418 /418.html;
  location = /418.html {
  }
  location ~* /(coffee|koffie|teapot|theepot) {
    default_type text/plain;
    return 418;
  }
  error_page            500 502 503 504 /50x.html;
  location = /50x.html {
  }

  # ssl
  ssl_protocols         TLSv1.2;
  ssl_certificate       /etc/letsencrypt/live/;
  ssl_certificate_key   /etc/letsencrypt/live/;
  ssl_prefer_server_ciphers on;
  ssl_dhparam           /etc/ssl/certs/dhparam.pem;

  ssl_stapling          on;
  ssl_stapling_verify   on;
  ssl_session_cache     shared:SSL:50m;
  ssl_session_timeout   60m;

  # clean up error logs
  location = /favicon.ico {
    access_log off;
    log_not_found off;
  }
}

# redirect the bare domain to the www subdomain
server {
  listen        80;
  listen        443 ssl http2;
  return        301$request_uri;
}

and I see four of these lines in /var/log/nginx/access.log for every command I run:

 - - [29/Mar/2019:00:23:30 +0100] "GET /.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +" "-"

My domain is:

I ran this command: certbot renew --dryrun

It produced this output:

Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/ (failure)

 - The following errors were reported by the server:

   Type:   connection
   Detail: Fetching
   Connection refused

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @sebastianv89

You have IPv4 and IPv6 addresses ( ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout A yes 2 0
AAAA 2a03:b0c0:0:1010::40:f001 yes C yes 1 0
A yes
AAAA 2a03:b0c0:0:1010::40:f001 yes

But your ipv6 doesn't answer:

Domainname Http-Status redirect Sec. G 301 0.033 E 301 0.034 A
2a03:b0c0:0:1010::40:f001 -2 1.077 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a03:b0c0:0:1010::40:f001]:80
2a03:b0c0:0:1010::40:f001 -2 1.077 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a03:b0c0:0:1010::40:f001]:80

(skipped the other tests).


  • fix your ipv6 configuration (or)
  • remove the ipv6 dns entry, create a new certificate, then fix ipv6.
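The config posted above binds port 80 with `listen 80;` only, which on nginx is IPv4; without a matching `listen [::]:80;` the AAAA address refuses connections exactly as the check shows. As an added illustration (my own code, not part of this thread or of certbot), the script below parses the `listen` directives of an nginx config and reports every published DNS record whose address family is not bound on the challenge port. The config snippet and DNS records are constructed samples, reduced to the directives that matter.

```python
import re

# Constructed sample (not the poster's full config): the two server blocks from
# the thread reduced to their listen directives; IPv6 is bound on 443 but not 80.
SAMPLE_CONF = """
server {
  listen        80;
  return        301 https://$server_name$request_uri;
}
server {
  listen                443 ssl http2;
  listen                [::]:443 ssl http2;
}
"""

# Constructed DNS answer: one A and one AAAA record, as in the thread.
DNS_RECORDS = [("A", "203.0.113.10"), ("AAAA", "2001:db8::1")]

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)


def listening_families(conf):
    """Map each port to the address families nginx binds on it.
    'listen 80;' binds IPv4 only and '[::]:80' binds IPv6 only (nginx default
    ipv6only=on since 1.3.4), so dual-stack needs both directives."""
    families = {}
    for directive in LISTEN_RE.findall(conf):
        addr = directive.split()[0]          # drop ssl/http2/default_server flags
        v6 = re.match(r"^\[(.*)\](?::(\d+))?$", addr)
        if v6:
            family, port = "ipv6", int(v6.group(2) or 80)
        elif addr.isdigit():                 # 'listen 80;'
            family, port = "ipv4", int(addr)
        elif ":" in addr:                    # 0.0.0.0:80, *:80, 203.0.113.10:80
            family, port = "ipv4", int(addr.rsplit(":", 1)[1])
        else:                                # bare IPv4 address or '*' -> port 80
            family, port = "ipv4", 80
        families.setdefault(port, set()).add(family)
    return families


def unreachable_records(conf, dns_records, port=80):
    """DNS records whose family nginx does not bind on `port`: the http-01
    validator may pick any published address, and these refuse the connection."""
    bound = listening_families(conf).get(port, set())
    family_of = {"A": "ipv4", "AAAA": "ipv6"}
    return [(t, ip) for t, ip in dns_records if family_of[t] not in bound]


print(unreachable_records(SAMPLE_CONF, DNS_RECORDS))   # the AAAA record is unreachable
```

Run it against the real config and the output of `dig A`/`dig AAAA` for the domain before a renewal; an empty list for port 80 means every address the validator might try is actually served.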
Awesome, that fixed it!

Thanks for the fast response :smiley:


