Renewing not working [SOLVED]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nc.celebrate.de

I ran this command: certbot renew --dry-run

It produced this output: connection refused

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7.6.1810

My hosting provider, if applicable, is: me

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.36.0

The Let's Encrypt debug log - sorry, I can't upload as a new user - is available here:
https://nc.celebrate.de/log.txt

Thanks for helping.
Frank

Hi @digidax,

there is your answer: You need a working port 80. But your port 80 doesn't answer - https://check-your-website.server-daten.de/?q=nc.celebrate.de

Domainname                                                                                 Http-Status  redirect  Sec.   G
http://nc.celebrate.de/
    94.100.75.11                                                                           -2                     1.080  V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 94.100.75.11:80
https://nc.celebrate.de/
    94.100.75.11                                                                           200                    3.480  A
http://nc.celebrate.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    94.100.75.11                                                                           -2                     1.090  V
    ConnectFailure - Unable to connect to the remote server. No connection could be made because the target machine actively refused it 94.100.75.11:80

Looks like a blocking firewall. Is there a running webserver? Is port 80 open?

Yes port 80 is open:

-bash-4.2# netstat -tulpn | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 30661/httpd

The logfile you have downloaded (https://nc.celebrate.de/log.txt) is on the same machine which has this renew problem:

-bash-4.2# ls -l /var/www/html/
total 36
-rw-r--r-- 1 apache apache 23695 Sep 4 15:07 log.txt

So you could download the logfile, ports 80 and 443 are open and the webserver is working.
That's the stupid thing: I can't figure out what the problem is.

Thanks for helping

I can't download the http version. https works, but http is blocked.

It looks like a firewall. Or is it a home server with a wrong port forwarding?
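The check-your-website probe above does, from the public Internet, what Certbot's HTTP-01 validation needs: fetch a file under /.well-known/acme-challenge/ on port 80 and report whether the connection was answered, refused (TCP RST, as in the thread's "actively refused") or silently dropped (timeout). The following is an added example, not code from the thread, that performs the same probe and classifies the outcome, using a throwaway local HTTP server and a constructed token as stand-ins for the real webroot and domain. The caveat the thread illustrates applies: a "LISTEN" line in netstat and a successful probe from inside the DMZ prove nothing about the path from outside, so run the probe from a host on the public side of the NAT/firewall.

```python
"""Pre-flight probe for an HTTP-01 renewal (added example, not from the thread).

Places a token under <webroot>/.well-known/acme-challenge/ and fetches it
over plain HTTP the way the CA would, classifying the failure mode so that
"nothing answers on :80" (RST -> 'refused') can be told apart from
"packets are dropped" ('timeout') and "web server answers but the file is
not served" ('http 404').  Hostname, webroot and token are constructed.
"""
import functools
import http.server
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request

ACME_DIR = ".well-known/acme-challenge"


def place_token(webroot: str, token: str, body: str = "probe") -> str:
    """Write <webroot>/.well-known/acme-challenge/<token> and return its path."""
    challenge_dir = os.path.join(webroot, ACME_DIR)
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    return path


def probe_http01(host: str, token: str, port: int = 80, timeout: float = 5.0) -> str:
    """Fetch http://host:port/.well-known/acme-challenge/<token>.

    Returns 'ok', 'http <status>', 'refused', 'timeout', 'dns' or 'error: ...'.
    'refused' means a TCP RST came back: nothing listening, or a firewall
    REJECT / NAT redirect without a matching pass rule (the pfSense case in
    the thread).  'timeout' means the SYN was dropped on the way.
    """
    url = f"http://{host}:{port}/{ACME_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok" if resp.status == 200 else f"http {resp.status}"
    except urllib.error.HTTPError as e:          # server answered with an error status
        return f"http {e.code}"
    except urllib.error.URLError as e:           # connect-phase failure, wrapped OSError
        reason = e.reason
        if isinstance(reason, ConnectionRefusedError):
            return "refused"
        if isinstance(reason, socket.timeout):
            return "timeout"
        if isinstance(reason, socket.gaierror):
            return "dns"
        return f"error: {reason}"
    except socket.timeout:                       # read-phase timeout is raised unwrapped
        return "timeout"


def _serve(webroot: str):
    """Start a throwaway HTTP server on 127.0.0.1 serving webroot; return (server, port)."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo() -> dict:
    """Constructed scenario: a listening server, a missing token, and a closed port."""
    webroot = tempfile.mkdtemp()
    place_token(webroot, "probe-token")
    srv, port = _serve(webroot)
    try:
        results = {
            "listening": probe_http01("127.0.0.1", "probe-token", port=port),
            "missing_token": probe_http01("127.0.0.1", "no-such-token", port=port),
        }
    finally:
        srv.shutdown()
        srv.server_close()
    # Nothing listens on the port any more: the kernel answers with RST, which is
    # exactly what the external checker saw for 94.100.75.11:80 in the thread.
    results["closed"] = probe_http01("127.0.0.1", "probe-token", port=port)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:14s} -> {outcome}")
```

In practice you would run `place_token("/var/www/html", token)` on the server and `probe_http01("nc.celebrate.de", token)` from a machine outside your own network; the three outcomes map to three different fixes (open/forward the port, stop dropping the traffic, fix the webroot or an HTTP-to-HTTPS redirect that hides the challenge path).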

You're right, there is a problem with the firewall (pfSense) but I don't know what, because the configuration is OK. Port 80 is open from inside the DMZ subnet (checked with telnet to the public IP:80, and HTTP is working, but not from the public net). I will check it and come back. Thanks.


Problem found:
There was a bug in pfSense: the GUI showed a correct NAT setup, but in the kernel filter only the destination NAT rule was set, and the corresponding pass rule for forwarding to port 80 was missing. After updating pfSense to the latest stable version and re-creating the rule, the dry run was successful.

Thanks Jürgen for your hint and best regards,
Frank

