Renewal "Connection Refused"


#1

Up until recently, it has been updating automatically via crontab without any problems. Recently, it stopped working with “Connection refused”. The server is clearly reachable.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

pydio.rainexpected.com

I ran this command:

crontab ran:

/usr/bin/letsencrypt renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/pydio.rainexpected.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for droopy.rainexpected.com
http-01 challenge for pydio.rainexpected.com
http-01 challenge for s.rainexpected.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (pydio.rainexpected.com) from /etc/letsencrypt/renewal/pydio.rainexpected.com.conf produced an unexpected error: Failed authorization procedure. s.rainexpected.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://s.rainexpected.com/.well-known/acme-challenge/Wx7Is1eBk6I9PhmaGTQqItxl5YZqePjysBZEHkOrHh4: Connection refused, droopy.rainexpected.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://droopy.rainexpected.com/.well-known/acme-challenge/fxrHL7K3Of6HUcLqjoCPMVxbjrA0LB7rBK4pFiOtezQ: Connection refused, pydio.rainexpected.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://pydio.rainexpected.com/.well-known/acme-challenge/jw4G9OKMqo0-ro5JE06z704zaNN7Y9ypJB-MiXQhPug: Connection refused. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/pydio.rainexpected.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/pydio.rainexpected.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: pydio.rainexpected.com
    Type: connection
    Detail: Fetching
    http://s.rainexpected.com/.well-known/acme-challenge/Wx7Is1eBk6I9PhmaGTQqItxl5YZqePjysBZEHkOrHh4:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

Apache 2.4.25-3+deb9u6

The operating system my web server runs on is (include version):

Debian stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No


#2

I also get Connection refused if I try to access http://s.rainexpected.com/ or the other two hostnames.

It doesn’t affect Let’s Encrypt validation, but for https://s.rainexpected.com/, I get “Connection refused” from the IPv6 address but the IPv4 address works.

droopy.rainexpected.com.  1800  A     76.21.154.179
droopy.rainexpected.com.  1800  AAAA  2601:14d:4101:380b:208:9bff:fed0:65af
pydio.rainexpected.com.   1800  A     76.21.154.179
pydio.rainexpected.com.   1800  AAAA  2601:14d:4101:380b:208:9bff:fed0:65af
s.rainexpected.com.       1800  A     76.21.154.179
s.rainexpected.com.       1800  AAAA  2601:14d:4101:380b:208:9bff:fed0:65af

#3

Interesting – is there something I need to do to make Apache listen on ipv6? With the exception of default-ssl.conf, each section of my configuration files begins:

<VirtualHost *:80>

and

<VirtualHost *:443>

default-ssl.conf begins:

<VirtualHost _default_:443>

#4

Look for a “Listen” statement in apache2.conf (or in ports.conf)


#5

My ports.conf file:

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

Listen 80

<IfModule ssl_module>
        Listen 127.0.0.1:443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 127.0.0.1:443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

#6

Try changing both of the:
Listen 127.0.0.1:443
To:
Listen ::443


#7

That doesn’t seem to work… Apache will not restart. But I now believe that there is a problem with the port forwarding on my openwrt router. I can ssh into ipv4 but not ipv6. I think I will start by deleting the AAAA records.


#8

Ok try instead:
Listen [::]:443

I guess I need to state the obvious:
You must have an IPv6 to bind to.
Check with:
ifconfig | grep inet6 | grep global | grep 128 | awk '{print $2}'
or
ip -6 addr show | grep inet6 | grep global | grep 128 | awk '{print $2}'


#9

Listen [::]:443 still crashes systemctl restart apache2.

ip -6 addr show | grep inet6 | grep global | grep 128 | awk '{print $2}'

produces no output but if I change the 128 to 64, I get:

fd21:9228:e650:0:208:9bff:fed0:65af/64
2601:14d:4101:380b:208:9bff:fed0:65af/64

#10

Let’s see all of it:
ip -6 addr show

Or try (one of these may work):
Listen 2601:14d:4101:380b:208:9bff:fed0:65af:443
Listen [2601:14d:4101:380b:208:9bff:fed0:65af]:443


#11
$ ip -6 addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fd21:9228:e650:0:208:9bff:fed0:65af/64 scope global mngtmpaddr dynamic 
       valid_lft forever preferred_lft forever
    inet6 2601:14d:4101:380b:208:9bff:fed0:65af/64 scope global mngtmpaddr dynamic 
       valid_lft 322283sec preferred_lft 322283sec
    inet6 fe80::208:9bff:fed0:65af/64 scope link 
       valid_lft forever preferred_lft forever

With Listen 2601:14d:4101:380b:208:9bff:fed0:65af:443 apache restarted without problem.


#12

Then
sudo netstat -pant
should show apache listening on IPv6 now.


#13

Yes, it is showing ipv6 but the renewal is still not working.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      255/rpcbind         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      23832/sshd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      886/exim4           
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      494/tor             
tcp        0      0 127.0.0.1:9051          0.0.0.0:*               LISTEN      494/tor             
tcp        0      0 192.168.2.22:443        0.0.0.0:*               LISTEN      308/sslh            
tcp        0      0 127.0.0.1:4200          0.0.0.0:*               LISTEN      398/shellinaboxd    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      487/mysqld          
tcp        0    304 192.168.2.22:22         162.198.202.88:60388    ESTABLISHED 3060/sshd: tct [pri 
tcp        0      0 192.168.2.22:22         162.198.202.88:33576    ESTABLISHED 4798/sshd: tct [pri 
tcp6       0      0 :::111                  :::*                    LISTEN      255/rpcbind         
tcp6       0      0 :::80                   :::*                    LISTEN      8715/apache2        
tcp6       0      0 :::22                   :::*                    LISTEN      23832/sshd          
tcp6       0      0 ::1:25                  :::*                    LISTEN      886/exim4           
tcp6       0      0 2601:14d:4101:380b::443 :::*                    LISTEN      8715/apache2

#14

Please show:
/etc/letsencrypt/renewal/pydio.rainexpected.com.conf


#15

Ok, here is /etc/letsencrypt/renewal/pydio.rainexpected.com.conf:

# renew_before_expiry = 30 days
version = 0.25.0
archive_dir = /etc/letsencrypt/archive/pydio.rainexpected.com
cert = /etc/letsencrypt/live/pydio.rainexpected.com/cert.pem
privkey = /etc/letsencrypt/live/pydio.rainexpected.com/privkey.pem
chain = /etc/letsencrypt/live/pydio.rainexpected.com/chain.pem
fullchain = /etc/letsencrypt/live/pydio.rainexpected.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 08976b5c8bb58045f7ee12d23933a278

#16

Can’t reach either IP:
2601:14d:4101:380b:208:9bff:fed0:65af
76.21.154.179
by either port (80, 443)
Connection refused
SSL_ERROR_SYSCALL in connection


#17

So it looks like it did not like Listen 2601:14d:4101:380b:208:9bff:fed0:65af:443. I switched it back to Listen 127.0.0.1:443 and I can again reach the https://76.21.154.179 address, but not through port 80.


#18

You need to Listen on both ports:
Listen 80
Listen 443

And you need to have two vhost configs per “unique host”:

#1a:
<VirtualHost *:80>
#http config
ServerName {#1}
ServerAlias {#1}
</VirtualHost>

#1b:
<VirtualHost *:443>
#https config
ServerName {#1}
ServerAlias {#1}
</VirtualHost>

#2a:
<VirtualHost *:80>
#http config
ServerName {#2}
ServerAlias {#2}
</VirtualHost>

#2b:
<VirtualHost *:443>
#https config
ServerName {#2}
ServerAlias {#2}
</VirtualHost>

#3a
#3b
etc.
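A lint for the two configuration problems this thread turns on (the loopback-only Listen 127.0.0.1:443 in #5, and the missing per-host :80 vhosts that #18 asks for), as an added example that is not from any poster; the config text and hostnames are constructed placeholders, and the parser is a deliberately small regex one, not Apache's own.

```python
import ipaddress
import re
# Constructed sample in the shape of the ports.conf and vhost files quoted in
# this thread (hypothetical contents with placeholder names, not the poster's).
SAMPLE_CONFIG = """
Listen 80
Listen 127.0.0.1:443
<VirtualHost *:80>
ServerName pydio.example.com
</VirtualHost>
<VirtualHost *:443>
ServerName pydio.example.com
</VirtualHost>
<VirtualHost *:443>
ServerName s.example.com
</VirtualHost>
"""

LISTEN_RE = re.compile(r"^\s*Listen\s+(?:\[([^\]]+)\]:|(\S+?):)?(\d+)\s*$", re.M)
VHOST_RE = re.compile(r"<VirtualHost\s+[^:>]*:(\d+)>(.*?)</VirtualHost>", re.S)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M)

def listen_families(text):
    """Map each Listen port to the families ('v4', 'v6') bound on a non-loopback
    address, i.e. the ones a validator out on the Internet can actually reach."""
    families = {}
    for m in LISTEN_RE.finditer(text):
        addr, port = m.group(1) or m.group(2), int(m.group(3))
        fams = families.setdefault(port, set())
        if addr is None:                 # bare "Listen 80": all interfaces, v4 and v6
            fams.update({"v4", "v6"})
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:               # e.g. "Listen ::443": Apache refuses to start
            raise ValueError(f"bad Listen address {addr!r}; write IPv6 as [addr]:port")
        if ip.is_loopback:               # 127.0.0.1 / ::1 answer only local clients
            continue
        fams.add("v6" if ip.version == 6 else "v4")   # "[::]" counted as v6 only
    return families

def vhost_gaps(text, ports=(80, 443)):
    """Return (host, port) pairs with no VirtualHost, plus ports that Listen never
    binds on an externally reachable address (http-01 needs port 80 to answer)."""
    have = {(name, int(port)) for port, body in VHOST_RE.findall(text)
            for name in NAME_RE.findall(body)}
    hosts = {h for h, _ in have}
    missing = sorted((h, p) for h in hosts for p in ports if (h, p) not in have)
    unreachable = sorted(p for p in ports if not listen_families(text).get(p))
    return missing, unreachable
```

Run it over the concatenated contents of ports.conf and sites-enabled/*.conf; an empty result for both lists means every host has a vhost on each port and each port is bound somewhere the validator can reach.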


#19

Ok, I now have separate .conf files for each vhost and it still isn’t working.

Could the problem be that I have the non-ssl conf file do a Redirect permanent to the ssl site? Should I do the redirect in the .htaccess file instead? For example, if I use w3m to go to http://pydio.rainexpected.com, it follows the redirection to https://pydio.rainexpected.com.


#20

It may work from within that server or that network; but it doesn’t work from the Internet.
No port 80 access.
No port 443 access to IPv6 address.
Only port 443 access to IPv4 address is allowed.
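The reachability test that #2 and #20 describe (every published A and AAAA address must accept the http-01 connection on port 80, checked from outside the poster's own network rather than from the LAN where the redirect "works"), written up as an added example that is not from any poster; the hostnames, addresses and fake_probe are constructed so it runs offline, and resolve/tcp_probe are the live equivalents.

```python
import socket

# Constructed DNS answers in the shape of the records quoted in #2 (placeholder
# addresses, not the poster's).
SAMPLE_RECORDS = {
    "pydio.example.com": ["192.0.2.10", "2001:db8::10"],
    "s.example.com": ["192.0.2.10", "2001:db8::10"],
}

def resolve(host):
    """All A and AAAA addresses of host: the validator may pick any of them,
    so every one must answer, not just the IPv4 one you test from home."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tcp_probe(addr, port, timeout=5.0):
    """'ok' if the TCP handshake completes, 'refused' on RST (nothing listening,
    or the router's port-forward rejects), 'unreachable' on timeout or no route."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return "ok"
        except ConnectionRefusedError:
            return "refused"
        except OSError:                  # includes socket.timeout
            return "unreachable"

def check_hosts(records, probe, ports=(80, 443)):
    """Probe every address of every host on every port; return the failures as
    (host, addr, port, status). http-01 needs port 80 on every published address."""
    failures = []
    for host, addrs in records.items():
        for addr in addrs:
            for port in ports:
                status = probe(addr, port)
                if status != "ok":
                    failures.append((host, addr, port, status))
    return failures

def fake_probe(addr, port):
    """Constructed probe reproducing the thread's end state: only IPv4:443 answers."""
    return "ok" if ":" not in addr and port == 443 else "refused"

if __name__ == "__main__":
    # Swap SAMPLE_RECORDS for {h: resolve(h) for h in hosts} and fake_probe for
    # tcp_probe to test a real deployment from a host outside its own network.
    for host, addr, port, status in check_hosts(SAMPLE_RECORDS, fake_probe):
        print(f"{host} {addr}:{port} -> {status}")
```

Because an AAAA record is published, the IPv6 failures in the report are not cosmetic: the validator can pick that address, so either the IPv6 path must answer or the AAAA record should go, as #7 considered.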