Renewing certificate "Connection refused" using: NGINX, Django

Hi!

I am trying to renew the certificate of www.maet.bg.
I have turned the server off.
I have cd'd into the webroot folder and there I am executing:

sudo certbot certonly --manual -d maet.bg

I am getting a response:

Failed authorization procedure. maet.bg (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://maet.bg/.well-known/acme-challenge/oYmdzgnvfh4XwSWdGq3-S3UVNZCssdjwoqSjD4oQ8wk: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: maet.bg
    Type: connection
    Detail: Fetching
    http://maet.bg/.well-known/acme-challenge/oYmdzgnvfh4XwSWdGq3-S3UVNZCssdjwoqSjD4oQ8wk:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
    maet_admin@maet:/var/www/html$

Do I have to turn https connections off when I try to renew the certificate?

In my nginx setup the location /.well-known is accessible by all:

location ~ /.well-known {
    allow all;
}

When I try to reach the URL, it is going through Django and it is missing such a path, so I get a 404.

wget http://maet.bg/
--2017-10-26 10:18:24--  http://maet.bg/
Resolving maet.bg (maet.bg)... 207.154.248.226
Connecting to maet.bg (maet.bg)|207.154.248.226|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.maet.bg/ [following]
--2017-10-26 10:18:28--  https://www.maet.bg/
Resolving www.maet.bg (www.maet.bg)... 207.154.248.226
Connecting to www.maet.bg (www.maet.bg)|207.154.248.226|:443... connected.
ERROR: cannot verify www.maet.bg's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
  Issued certificate has expired.
To connect to www.maet.bg insecurely, use `--no-check-certificate'.

+++++++++++++++++++++++++++++++++++++++++++++++++++++

wget http://maet.bg/.well-known/acme-challenge/oYmdzgnvfh4XwSWdGq3-S3UVNZCssdjwoqSjD4oQ8wk --no-check-certificate
--2017-10-26 10:22:00--  http://maet.bg/.well-known/acme-challenge/oYmdzgnvfh4XwSWdGq3-S3UVNZCssdjwoqSjD4oQ8wk
Resolving maet.bg (maet.bg)... 207.154.248.226
Connecting to maet.bg (maet.bg)|207.154.248.226|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://www.maet.bg/.well-known/acme-challenge/oYmdzgnvfh4XwSWdGq3-S3UVNZCssdjwoqSjD4oQ8wk [following]
--2017-10-26 10:22:00--  https://www.maet.bg/.well-known/acme-challenge/oYmdzgnvfh4XwSWdGq3-S3UVNZCssdjwoqSjD4oQ8wk
Resolving www.maet.bg (www.maet.bg)... 207.154.248.226
Connecting to www.maet.bg (www.maet.bg)|207.154.248.226|:443... connected.
WARNING: cannot verify www.maet.bg's certificate, issued by 'CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US':
  Issued certificate has expired.
HTTP request sent, awaiting response... 404 Not Found

Try placing a test.txt file with minimal content in the .well-known/acme-challenge folder.
Then be sure that http://maet.bg/.well-known/acme-challenge/test.txt is accessible from the Internet.

I did put a test.html file and I am getting 404.

There is the problem.
Check the logs and check the vhost config.
Where do the requests go?
Why don’t they reach the test.html file?

If you can’t find the problem, show the vhost config.

These are the nginx settings that I have. This worked three months ago.

upstream maet_app_server {
    server unix:/webapps/maet/run/gunicorn.sock fail_timeout=0;
}

server {
    listen 80;
    server_name maet.bg www.maet.bg;
    return 301 https://www.maet.bg$request_uri;

    location ^~ /.well-known/acme-challenge/ {
        allow all;
        root /var/www/html;
        try_files $uri =404;
    }
}

server {
    listen 443 default ssl;
    ssl_certificate /etc/letsencrypt/live/maet.bg/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/maet.bg/privkey.pem;
    client_max_body_size 4G;

    access_log /webapps/maet/logs/nginx-access.log;
    error_log /webapps/maet/logs/nginx-error.log;

    location /static/ {
        alias /webapps/maet/website/static/;
    }

    location /media/ {
        alias /webapps/maet/website/static/;
    }

    location ~ /.well-known {
        allow all;
        root /var/www/html;
        try_files $uri =404;
    }

    location / {
        # an HTTP header important enough to have its own Wikipedia entry:
        #   http://en.wikipedia.org/wiki/X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # enable this if and only if you use HTTPS, this helps Rack
        # set the proper protocol for doing redirects:
        # proxy_set_header X-Forwarded-Proto https;

        # pass the Host: header from the client right along so redirects
        # can be set properly within the Rack application
        proxy_set_header Host $http_host;

        # we don't want nginx trying to do something clever with
        # redirects, we set the Host: header above already.
        proxy_redirect off;

        # set "proxy_buffering off" *only* for Rainbows! when doing
        # Comet/long-poll stuff.  It's also safe to set if you're
        # using only serving fast clients with Unicorn + nginx.
        # Otherwise you _want_ nginx to buffer responses to slow
        # clients, really.
        # proxy_buffering off;

        # Try to serve static files from nginx, no point in making an
        # *application* server like Unicorn/Rainbows! serve static files.
        if (!-f $request_filename) {
            proxy_pass http://maet_app_server;
            break;
        }
    }

    # Error pages
    error_page 500 502 503 504 /500.html;
    location = /500.html {
        root /webapps/maet/website/static/;
    }
}

Where is the test.html file located?

Your settings are mixed.
One would have it at:
/var/www/html/acme-challenge/test.html
and another at:
/var/www/html/test.html

They don’t match each other.

Where is the test.html file located?

The webroot folder is /var/www/html. I've created .well-known/acme-challenge/test.html there.
Also I've created /webapps/maet/.well-known/acme-challenge/test.html, which is where Django is serving the webpage.

This is how the certificate was added to the server:

sudo certbot certonly --webroot --webroot-path=/var/www/html/ -d maet.bg -d www.maet.bg

And then you added:

But those additions have not had the desired effect that you looked for.

  1. If the .well-known & .well-known/acme-challenge are just pointing to the same root path - why add the lines?
  2. location /.well-known/acme-challenge/
    root /var/www/html;
    Modifies the URL: http://your.dom/.well-known/acme-challenge/test.html
    To: /var/www/html/test.html
    And
    location /.well-known
    root /var/www/html
    Modifies the URL: http://your.dom/.well-known/acme-challenge/test.html
    To: /var/www/html/acme-challenge/test.html
    Neither of which find the file you placed at:
    /var/www/html/.well-known/acme-challenge/test.html

So, if you need the location/redirection, try them this way:

location ^~ /.well-known/acme-challenge/ {
    allow all;
    root /var/www/html/.well-known/acme-challenge/;
    try_files $uri =404;
}

location ~ /.well-known {
    allow all;
    root /var/www/html/.well-known;
    try_files $uri =404;
}
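For comparison with the port-80 server block posted earlier in the thread and the location blocks suggested just above, here is a port-80 server that actually serves the http-01 challenge and still redirects everything else to HTTPS. This is an added example, not configuration from the original thread or from the OP's server; it reuses the thread's host names and the webroot /var/www/html that certbot was given with --webroot-path, and assumes certbot keeps writing tokens under /var/www/html/.well-known/acme-challenge/. Two nginx behaviours drive it. First, a `return` written directly inside `server { }` runs in the rewrite phase, before any `location` is selected, so a challenge location placed under it is never reached; the redirect has to live in `location /`. Second, `root` appends the whole request URI to the directory, so `root /var/www/html;` inside `location ^~ /.well-known/acme-challenge/` maps `/.well-known/acme-challenge/TOKEN` to `/var/www/html/.well-known/acme-challenge/TOKEN`, which is where certbot puts the file; `alias` is the directive that replaces the matched prefix instead. The `listen [::]:80` line is added because `listen 80` on its own binds IPv4 only, and the resolver output at the end of the thread shows an AAAA record for maet.bg: a validator that connects to that IPv6 address gets "connection refused" from a server that is not listening on it.

```nginx
# Added example (not from the thread): port-80 vhost that serves ACME
# http-01 challenges from the certbot webroot and redirects the rest.
server {
    listen 80;
    listen [::]:80;               # "listen 80" alone is IPv4 only
    server_name maet.bg www.maet.bg;

    # Challenge files. This must be a location block, and "^~" makes the
    # prefix match win over regex locations such as "location ~ /.well-known".
    location ^~ /.well-known/acme-challenge/ {
        # root + full URI:  /.well-known/acme-challenge/TOKEN
        #              ->   /var/www/html/.well-known/acme-challenge/TOKEN
        root /var/www/html;
        default_type text/plain;  # tokens have no file extension
        try_files $uri =404;
    }

    # Catch-all redirect. Inside "location /" it is evaluated only for
    # requests that did not match the challenge prefix above; written
    # directly under "server {" it would run first and shadow that block.
    location / {
        return 301 https://www.maet.bg$request_uri;
    }
}

# Same mapping expressed with alias, for comparison: alias replaces the
# matched prefix, so the directory already includes it.
#
#   location ^~ /.well-known/acme-challenge/ {
#       alias /var/www/html/.well-known/acme-challenge/;
#       default_type text/plain;
#       try_files $uri =404;
#   }
```

Check it with `nginx -t` and a reload, then put an empty file under /var/www/html/.well-known/acme-challenge/ and confirm from outside the host that both `curl -4 -I http://maet.bg/.well-known/acme-challenge/test` and `curl -6 -I http://maet.bg/.well-known/acme-challenge/test` return 200 before running certbot again. Note also that `certbot renew` used this way writes the new certificate files but does not reload nginx on its own (the dry-run output later in the thread says "deployed without reload"), so a `--deploy-hook` that reloads nginx, or a manual reload after each renewal, is needed before the renewed certificate is actually served.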

Hi rg305, after trying to open the file for about two hours, I have managed to access it under the root of my Django project /webapps/maet/website/.well-known/
I was misusing root vs alias.

However, now when I execute sudo certbot renew --dry-run

I am getting:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/maet.bg.conf
Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for maet.bg
http-01 challenge for www.maet.bg
Waiting for verification…
Cleaning up challenges

Unable to clean up challenge directory /var/www/html/.well-known/acme-challenge

new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/maet.bg/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/maet.bg/fullchain.pem (success)

I am guessing I might have a DNS problem, since I can reach the test file with

curl -IkL4 http://www.maet.bg/.well-known/acme-challenge/test

which returns:

HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 30 Oct 2017 09:40:43 GMT
Content-Type: application/octet-stream
Content-Length: 0
Last-Modified: Mon, 30 Oct 2017 08:35:02 GMT
Connection: keep-alive
ETag: "59f6e436-0"
Accept-Ranges: bytes

But

curl -IkL6 http://www.maet.bg/.well-known/acme-challenge/test

returns:

curl: (6) Could not resolve host: www.maet.bg

I have IPv6 enabled and working on my server and don't have any AAAA records.

The return is correct - there is no IPv6 address found in global DNS for www.maet.bg,
and it is confirmed by your assertion.
However, the same cannot be said about maet.bg:
Name: maet.bg
Addresses: 2a03:b0c0:3:d0::24:8001
207.154.248.226
