Nginx configuration(?): connection refused

After having received a message that my website certificate was almost expiring, I noticed that the renewal process was failing. The log for the cron job indicates this has been occurring since March 15th. I vaguely recall updating the nginx config at the time (for SSL labs) but I have no idea exactly what I changed.

I noticed that the challenge files are still being created (and automatically removed). I tested creating a file /.well-known/acme-challenge/test.txt which I can access normally from my browser (Firefox).

Here is /etc/nginx/conf.d/zeroknowledge.me.conf

# use compression
# TODO: handles only text/plain by default
gzip on;

# redirect http to https
server {
  listen        80;
  server_name   www.zeroknowledge.me;
  return        301 https://$server_name$request_uri;
}

server {
  listen                443 ssl http2;
  server_name           www.zeroknowledge.me;

  root                  /var/www/www.zeroknowledge.me/public;

  server_tokens         off;

  # headers
  charset               utf-8;
  add_header            Strict-Transport-Security "max-age=31536000; includeSubDomains";
  # TODO report-uri
  add_header            Content-Security-Policy "default-src 'none'; style-src 'self'; img-src 'self'; frame-ancestors 'none'";
  add_header            Referrer-Policy "no-referrer";
  add_header            X-Content-Type-Options "nosniff";
  add_header            X-Clacks-Overhead "GNU Terry Pratchett";

  # custom error pages
  error_page            403 /403.html;
  location = /403.html {
    internal;
  }
  error_page            404 /404.html;
  location = /404.html {
    internal;
  }
  error_page            418 /418.html;
  location = /418.html {
    internal;
  }
  location ~* /(coffee|koffie|teapot|theepot) {
    default_type text/plain;
    return 418;
  }
  error_page            500 502 503 504 /50x.html;
  location = /50x.html {
    internal;
  }

  # ssl
  ssl_protocols         TLSv1.2;
  ssl_certificate       /etc/letsencrypt/live/www.zeroknowledge.me/fullchain.pem;
  ssl_certificate_key   /etc/letsencrypt/live/www.zeroknowledge.me/privkey.pem;
  ssl_prefer_server_ciphers on;
  ssl_dhparam           /etc/ssl/certs/dhparam.pem;
  ssl_ciphers           'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

  ssl_stapling          on;
  ssl_stapling_verify   on;
  ssl_session_cache     shared:SSL:50m;
  ssl_session_timeout   60m;

  # clean up error logs
  location = /favicon.ico {
    access_log off;
    log_not_found off;
  }
}

# redirect the bare domain to the www subdomain
server {
  listen        80;
  listen        443 ssl http2;
  server_name   zeroknowledge.me;
  return        301 https://www.zeroknowledge.me$request_uri;
}

and I see four of these lines in /var/log/nginx/access.log for every command I run:

34.213.106.112 - - [29/Mar/2019:00:23:30 +0100] "GET /.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

My domain is: https://www.zeroknowledge.me/

I ran this command: certbot renew --dryrun

It produced this output:

Attempting to renew cert (www.zeroknowledge.me) from /etc/letsencrypt/renewal/www.zeroknowledge.me.conf produced an unexpected error: Failed authorization procedure. www.zeroknowledge.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://www.zeroknowledge.me/.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.zeroknowledge.me/fullchain.pem (failure)

...
 - The following errors were reported by the server:

   Domain: www.zeroknowledge.me
   Type:   connection
   Detail: Fetching
   https://www.zeroknowledge.me/.well-known/acme-challenge/YqaJHRRqTNcbn7EbcRkaxSTvyUYJDDhq2gjpyywv2Sw:
   Connection refused

My web server is (include version): nginx/1.12.2

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @sebastianv89

You have IPv4 and IPv6 addresses (https://check-your-website.server-daten.de/?q=zeroknowledge.me):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| zeroknowledge.me | A | 188.226.145.168 | yes | 2 | 0 |
| | AAAA | 2a03:b0c0:0:1010::40:f001 | yes | | |
| www.zeroknowledge.me | C | zeroknowledge.me | yes | 1 | 0 |
| | A | 188.226.145.168 | yes | | |
| | AAAA | 2a03:b0c0:0:1010::40:f001 | yes | | |

But your ipv6 doesn't answer:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://zeroknowledge.me/ 188.226.145.168 | 301 | https://www.zeroknowledge.me/ | 0.033 | E |
| http://www.zeroknowledge.me/ 188.226.145.168 | 301 | https://www.zeroknowledge.me/ | 0.034 | A |
| http://zeroknowledge.me/ 2a03:b0c0:0:1010::40:f001 | -2 | | 1.077 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a03:b0c0:0:1010::40:f001]:80 | | | | |
| http://www.zeroknowledge.me/ 2a03:b0c0:0:1010::40:f001 | -2 | | 1.077 | V |
| ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it [2a03:b0c0:0:1010::40:f001]:80 | | | | |

(skipped the other tests).

So

  • fix your ipv6 configuration (or)
  • remove the ipv6 dns entry, create a new certificate, then fix ipv6.
1 Like
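
The posted config contains only `listen 80;` and `listen 443 ssl http2;`, which make nginx bind IPv4 sockets, while DNS also publishes an AAAA record. The Python check below is an added example, not part of the original thread: it lists the ports in an nginx config that have an IPv4 listener but no `listen [::]:PORT` counterpart. `POSTED_CONF` is a constructed excerpt of the config above, the function names are hypothetical, and hostnames in `listen` are assumed to resolve to IPv4.

```python
import re

# Constructed excerpt: only the listen/server_name lines of the config posted above.
POSTED_CONF = """
server {
  listen        80;
  server_name   www.zeroknowledge.me;
}
server {
  listen        443 ssl http2;
  server_name   www.zeroknowledge.me;
}
server {
  listen        80;
  listen        443 ssl http2;
  server_name   zeroknowledge.me;
}
"""

# First argument of each active (non-commented) listen directive.
LISTEN_RE = re.compile(r"^\s*listen\s+([^\s;]+)", re.MULTILINE)

def classify_listen(addr):
    """Map a listen address such as '80', '*:443' or '[::]:80' to (family, port)."""
    if addr.startswith("unix:"):
        return ("unix", None)
    if addr.startswith("["):                      # bracketed literal means IPv6
        host, _, port = addr.rpartition("]:")
        return ("ipv6", int(port) if host else 80)
    _, _, port = addr.rpartition(":")             # bare port, *:port or a.b.c.d:port
    # Assumption: a hostname or bare address without a port is IPv4 on port 80.
    return ("ipv4", int(port) if port.isdigit() else 80)

def ports_without_ipv6(conf_text):
    """Ports with an IPv4 listener but no IPv6 listener in the whole config.

    Sockets are bound per address:port for the whole nginx process, so one
    'listen [::]:80;' in any server block is enough to accept IPv6 on port 80.
    """
    seen = {"ipv4": set(), "ipv6": set()}
    for addr in LISTEN_RE.findall(conf_text):
        family, port = classify_listen(addr)
        if family in seen:
            seen[family].add(port)
    return sorted(seen["ipv4"] - seen["ipv6"])

if __name__ == "__main__":
    for port in ports_without_ipv6(POSTED_CONF):
        print(f"port {port}: IPv4 listener only, no 'listen [::]:{port} ...;' directive")
```

A browser that falls back to IPv4 will still load the site in this state, which is why the manual test file was reachable while a validator connecting over IPv6 was refused.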

Awesome, that fixed it!

Thanks for the fast response :smiley:

2 Likes
