Renewal "Connection Refused"

I’ve read in a forum that Comcast may block port 80 even though it is not an officially blocked port (i.e., if they discover that one is running a web site). Is there any way to change the port that letsencrypt uses to authenticate sites? And I think I may need to do some work to get port forwarding working on ipv6.

No, that’s not it. I installed tcpdump on my router and it is seeing attempts to reach port 80. I have a port forward set up but for some reason it is not getting to the server.

Not really.
The only other (simple) option is DNS authentication.

Do you have a firewall on your server?

No, nothing but iptables and one rule: 0 0 SNAT all -- * * 10.8.0.0/24 0.0.0.0/0 to:76.100.171.177.

Many thanks for all your help. I used DNS authentication until I can figure out what is going on with my network. I know it used to work and now it doesn’t. What happened, I can’t figure out.

Let’s see which ports are in use
Please show:
sudo netstat -pant

Here is what it looks like now:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      255/rpcbind         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      23832/sshd          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      886/exim4           
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      494/tor             
tcp        0      0 127.0.0.1:9051          0.0.0.0:*               LISTEN      494/tor             
tcp        0      0 127.0.0.1:4200          0.0.0.0:*               LISTEN      398/shellinaboxd    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      487/mysqld          
tcp6       0      0 :::111                  :::*                    LISTEN      255/rpcbind         
tcp6       0      0 :::80                   :::*                    LISTEN      5356/apache2        
tcp6       0      0 :::22                   :::*                    LISTEN      23832/sshd          
tcp6       0      0 ::1:25                  :::*                    LISTEN      886/exim4           
tcp6       0      0 :::443                  :::*                    LISTEN      5356/apache2
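The listing above is the kind of thing worth checking mechanically before blaming the router: which ports have a LISTEN socket, on which stack, and whether the bind address is a wildcard (reachable through a port forward) or loopback only (never reachable from outside, whatever the router does). The script below is an added example, not code from anyone in this thread; it parses the netstat output posted above, embedded as a constructed sample so it runs offline, and classifies each listener. One detail it flags explicitly: a `tcp6` socket bound to `:::80` is a dual-stack wildcard on Linux and also accepts IPv4 connections unless `net.ipv6.bindv6only=1` is set, which is why a single tcp6 entry for Apache is consistent with IPv4 working.

```shell
#!/bin/sh
# Classify LISTEN sockets from a `netstat -pant` listing.
# Constructed sample: the listing posted in this thread, embedded so the
# script runs without a live host. Replace with: NETSTAT_SAMPLE="$(sudo netstat -pant)"
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      255/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      23832/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      886/exim4
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      494/tor
tcp        0      0 127.0.0.1:9051          0.0.0.0:*               LISTEN      494/tor
tcp        0      0 127.0.0.1:4200          0.0.0.0:*               LISTEN      398/shellinaboxd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      487/mysqld
tcp6       0      0 :::111                  :::*                    LISTEN      255/rpcbind
tcp6       0      0 :::80                   :::*                    LISTEN      5356/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      23832/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      886/exim4
tcp6       0      0 :::443                  :::*                    LISTEN      5356/apache2'

# listeners_for PORT
# Prints one line per LISTEN socket on PORT: "<stack> <scope> <addr> <pid/program>"
#   stack: v4 (tcp) or v6 (tcp6). A v6 socket on :: is dual-stack on Linux and
#          also accepts IPv4 unless net.ipv6.bindv6only=1.
#   scope: wildcard (0.0.0.0 or ::), loopback (127.x / ::1), or specific.
listeners_for() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk -v port="$1" '
        $6 == "LISTEN" {
            # Local address is field 4; the port is whatever follows the last colon,
            # which also works for IPv6 forms such as :::80 and ::1:25.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            stack = ($1 == "tcp") ? "v4" : "v6"
            if (addr == "0.0.0.0" || addr == "::")          scope = "wildcard"
            else if (addr ~ /^127\./ || addr == "::1")      scope = "loopback"
            else                                            scope = "specific"
            printf "%s %s %s %s\n", stack, scope, addr, $7
        }'
}

# exposed PORT
# Prints "yes" if at least one listener on PORT is bound beyond loopback
# (so a port forward from the router could reach it), otherwise "no".
exposed() {
    if listeners_for "$1" | awk '$2 != "loopback" { found = 1 } END { exit !found }'; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone run: report the ports an ACME HTTP-01 / TLS-ALPN-01 challenge cares about.
for p in 80 443; do
    echo "port $p: exposed=$(exposed "$p")"
    listeners_for "$p" | sed 's/^/    /'
done
```

Run it against a live host by replacing the sample with real `netstat -pant` output (or `ss -tlnp`, after adjusting the field positions). If `exposed 80` prints `no` while the router's tcpdump shows SYNs arriving, the problem is in the forward or the host firewall; if it prints `yes` and connections are still refused, look at the path between router and server rather than at Apache.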

Well, it shows that apache2 is listening on 80 and 443 for both IPv4 and IPv6.
However, I am only able to connect to IPv4 on port 80 (all others show “Connection refused”) and it merely returns:

<?xml version="1.0" encoding="UTF-8"?><tree ><require_auth/></tree>

So, I can only assume that the problem is within the Apache configuration (or .htaccess).

Or perhaps your IP has changed.

Ugh. Some of the Openwrt web interface uses javascript and I had thought that I had fixed a configuration problem. But when I told it to reboot, it didn’t really reboot. After ssh’ing into the router and issuing a reboot command, it actually rebooted and now my fix worked and I can get to ipv4 on both ports 80 and 443. I think ipv6 is still broken.

Using tcpdump I can see that the router is definitely seeing IPv6 requests on ports 80 and 443, but they’re just not being passed on to the server.

You could remove the IPv6 (AAAA) DNS entries.
Issue your cert.
Then work on the IPv6 problem.

Thank you! I figured out a traffic rule on the router that forwards traffic to the correct IPv6 address so it should all be good now.
