Renewal failed with "connection refused" again

Hi, I am having a problem with renewal of certificates again, as in here, but this time I have no warning about the SSL session cache in the Apache log. Let's Debug shows that my website is working fine on both http-01 and dns-01. Any idea on how to fix this? Thank you very much in advance.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cloud.editionsbrandon.com

I ran this command: certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing
/etc/letsencrypt/renewal/caroline-brandon.brandon-et-compagnie.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/cloud.editionsbrandon.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for cloud.editionsbrandon.com
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: cloud.editionsbrandon.com
  Type:   connection
  Detail: 82.64.132.53: Fetching http://cloud.editionsbrandon.com/.well-known/acme-challenge/01G01bGKoexHoBNR0P724Jx-4qm2DqN7dCMHJprHPIQ: Connection refused

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate cloud.editionsbrandon.com with error: Some challenges have failed.

(I skip output on other domains that aren't yet due)

All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/cloud.editionsbrandon.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): apache-2.4.57-1

The operating system my web server runs on is (include version):
Archlinux, up to date
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

Your site connects OK for me, but for some reason it's refusing the Let's Encrypt validation bot. Are you filtering connections on geographic regions or IP ranges, perhaps with a malware/IP filter?

It looks like you have an aggressive firewall blocking requests. I first got a couple of 403 Forbidden errors, even for your "home" page. But after a couple more requests I now get "Connection Refused". None of these are the right response.

The 403 error came from an Apache/2.4.57 server so I'm guessing this firewall is something running on your server. But, it could be on a device in front of your server.

(HEAD request)
curl -I http://cloud.editionsbrandon.com/
HTTP/1.1 403 Forbidden
Date: Thu, 17 Aug 2023 13:31:22 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.1.2 mpm-itk/2.4.7-04 PHP/7.4.33 mod_fcgid/2.3.9

(GET request HTTP Challenge format)
curl -i http://cloud.editionsbrandon.com/.well-known/acme-challenge/Test123
HTTP/1.1 403 Forbidden
Date: Thu, 17 Aug 2023 13:31:43 GMT
Server: Apache/2.4.57 (Unix) OpenSSL/3.1.2 mpm-itk/2.4.7-04 PHP/7.4.33 mod_fcgid/2.3.9
(partial response data:)
<title>403 Forbidden</title>
...
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden error was encountered while trying 
to use an ErrorDocument to handle the request.</p>
</body></html>

(GET request HTTP Challenge with Let's Encrypt user-agent)
curl -i http://cloud.editionsbrandon.com/.well-known/acme-challenge/Test123 -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (7) Failed to connect to cloud.editionsbrandon.com port 80 after 92 ms: Connection refused

(Now even HOME page requests refused)
curl -i http://cloud.editionsbrandon.com
curl: (7) Failed to connect to cloud.editionsbrandon.com port 80 after 92 ms: Connection refused
Oh, thank you very much, I forgot about this: for some reason all access requests via http, and not https, result in a 403 error

[Thu Aug 17 17:54:43.173593 2023] [access_compat:error] [pid 27625] [client 192.168.1.1:36512] AH01797: client denied by server configuration: /usr/share/httpd/error/HTTP_FORBIDDEN.html.var

As our server redirected all http requests to https by a rewrite rule, this never caused us a problem (until now), so I never bothered to "fix" this issue...

I will figure out how to fix this issue and see if I will be able to renew the certificate afterwards; thank you again for now.

This 403 error should not occur:

curl http://cloud.editionsbrandon.com/.well-known/acme-challenge/Test_File-1234
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<p>Additionally, a 403 Forbidden
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

And your IP banning system is too aggressive, I now get:

curl http://cloud.editionsbrandon.com/.well-known/acme-challenge/Test_File-1234
curl: (56) Recv failure: Connection reset by peer
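The curl probes in the two replies above (a 403 on the challenge path, then a refused or reset connection after a few requests) are the whole diagnosis, so here they are as a reusable check. This is an added example, not code from the thread: it fetches the http-01 path with the Let's Encrypt User-Agent, classifies curl's exit code and the HTTP status, and can drop a random token into a webroot and verify it comes back unchanged before `certbot renew --webroot` is run. The `WEBROOT` path, the `--renew`/`--probe` flags, the `systemctl reload httpd` deploy hook and the use of `certbot renew` with `--webroot -w` are assumptions for illustration; only the domain is from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): probe an http-01 challenge path the way the
# Let's Encrypt validator does, and self-test a webroot before asking certbot to renew.
# Assumptions: curl and certbot on PATH; WEBROOT and the reload hook are illustrative.

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# classify_probe <curl-exit-code> <http-status> <expected-body> <received-body>
# Pure function (no network) so the decision logic can be tested offline.
classify_probe() {
  rc=$1; status=${2:-000}; want=$3; got=$4
  if [ "$rc" -eq 7 ]; then
    echo "refused: nothing listening on :80, or a firewall/IP ban rejects the connection"
  elif [ "$rc" -eq 56 ]; then
    echo "reset: the connection was accepted and then torn down (IP ban, IPS, or Apache dying)"
  elif [ "$rc" -ne 0 ]; then
    echo "curl-error: exit code $rc"
  elif [ "$status" -eq 200 ] && [ -n "$want" ] && [ "$got" = "$want" ]; then
    echo "ok: token served with the expected content"
  elif [ "$status" -eq 200 ]; then
    echo "wrong-body: 200 but not the token we wrote (catch-all vhost or cache in front?)"
  elif [ "$status" -eq 404 ]; then
    echo "not-found: the path is routed; a token that exists in the webroot would be served"
  elif [ "$status" -eq 403 ]; then
    echo "forbidden: Apache denies /.well-known/acme-challenge (access rule, or no :80 vhost loaded)"
  elif [ "$status" -ge 300 ] && [ "$status" -lt 400 ]; then
    echo "redirect: acceptable only if the target serves the same token"
  else
    echo "unexpected: HTTP $status"
  fi
}

# probe_acme <domain> <token> [expected-body]: one request over plain http with the LE UA.
probe_acme() {
  url="http://$1/.well-known/acme-challenge/$2"
  rc=0
  # -w appends the status on its own line so body and status come back in one call
  out=$(curl -s --max-time 10 -A "$LE_UA" -w '\n%{http_code}' "$url") || rc=$?
  status=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  classify_probe "$rc" "$status" "${3:-}" "$body"
}

# webroot_selfcheck <domain> <webroot>: write a random token under the webroot, fetch it
# exactly as the CA would, then remove it. Succeeds only if the exact content came back.
webroot_selfcheck() {
  dir="$2/.well-known/acme-challenge"
  mkdir -p "$dir"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf 'selfcheck-%s' "$token" > "$dir/$token"
  result=$(probe_acme "$1" "$token" "selfcheck-$token")
  rm -f "$dir/$token"
  echo "$result"
  case $result in ok*) return 0 ;; *) return 1 ;; esac
}

DOMAIN=${DOMAIN:-cloud.editionsbrandon.com}   # domain from the thread
WEBROOT=${WEBROOT:-/srv/http/cloud}           # assumed; use the :80 vhost's DocumentRoot

case ${1:-} in
  --probe) probe_acme "$DOMAIN" Test123 ;;   # same bogus token the replies used
  --renew)
    # Refuse to call certbot until the webroot provably serves a token over http.
    webroot_selfcheck "$DOMAIN" "$WEBROOT" || exit 1
    # webroot never stops Apache, so a stale pid file cannot leave the site down;
    # the deploy hook only runs after a successful issuance (hook command is assumed).
    certbot renew --cert-name "$DOMAIN" --webroot -w "$WEBROOT" \
      --deploy-hook 'systemctl reload httpd'
    ;;
esac
```

Run `sh acme-probe.sh --probe` from a host outside your own network first: a healthy answer for a bogus token is `not-found`, and anything in the `refused`/`reset` family after a couple of requests points at the ban list rather than at Apache. The self-check in `--renew` exists because a 403 from an unloaded or misconfigured port 80 vhost is invisible to anyone who only ever browses the https side.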
Thank you very much everyone for help.

It turned out that the configuration file for the vhost cloud.editionsbrandon.com for the http connection was not loaded, which I didn't care about because everyone connects via https...

However, after fixing this issue, renewal kept failing. The thing was that "from time to time", when Apache gets restarted, it exits with an error like

[Fri Aug 18 22:41:34.619887 2023] [core:warn] [pid 59580] AH00098: pid file /run/httpd/httpd.pid overwritten -- Unclean shutdown of previous Apache run?

And somehow, when the certbot script restarts the server the first time, Apache doesn't start, whereas the second time Apache restarts, so I didn't see the problem.

I "solved" the issue by stopping various versions of the php-fpm services (I read that one of the extensions is the culprit; I haven't had time to figure out which one), renewed the certificate, and started the php-fpm services again.

Have you tried using "--webroot"?

Oh, thank you very much, I should have considered it... Since my Apache server doesn't restart after a shutdown by the script (for several weeks now it stops every Saturday/Sunday at midnight for logrotate and I have to start it up manually), which was causing the problem, that would have done the trick. I will consider it next time if the problem comes up again.
