I deleted my Digital Ocean droplet and started with a fresh new droplet. I have been trying to obtain my security certificate but I get a connection refused. I have made sure that ufw is open on 443 following digital ocean’s instructions.
I have checked the letsencrypt log and I noticed that IP address used is my old IP address not the new one.
My site is already live (http://toddmatthews.me) and working with the new IP address associated with my domain name:
45.55.255.59
I’m assuming this IP mismatch is why the connection is being refused? How do I get Let’s Encrypt to use the new IP address?
Thank you for any help that can be provided to help me get my site back to https !
-Todd
It’s so crazy it displays that way on namecheap and I posted a screen shot above.
I deleted the line and retyped it in so I could save to see if it updates properly this time. I’ll give it 30 mins and see if it updated or not.
I just tried it again and it is pointing to the correct ip address but I’m still getting errors. The main error message displays:
Performing the following challenges:
tls-sni-01 challenge for toddmatthews.me
tls-sni-01 challenge for www.toddmatthews.me
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.toddmatthews.me (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection reset by peer, toddmatthews.me (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: www.toddmatthews.me
Type: connection
Detail: Connection reset by peer
Domain: toddmatthews.me
Type: connection
Detail: Error getting validation data
It does rather look like a firewall issue (not because of X-Frame-Options: DENY, that’s just a clickjacking defence, but because of Connection reset by peer, and because I can’t connect to your port 443 - the server seems to close the connection). Are you sure there isn’t some other external firewall in place, besides ufw on the server itself?
What software are you using to request the certificate? What command are you running?
The command I’m running is sudo certbot --nginx --staging I’m adding the staging argument because I already learned the hard way about making 5 failed attempts:slight_smile:
In my several attempts I’ve also tried this command: sudo certbot --nginx -d toddmatthews.me -d www.toddmatthews.me
I installed the software with sudo apt-get install python-certbot-nginx and added that with sudo add-apt-repository ppa:certbot/certbot
I also previously tried removing fail2ban. I have reinstalled it but haven’t touched the config.
I also checked Digital Ocean’s firewall settings through their UI and I don’t have any setup as shown here:
Okay, well that suggests one possible approach - can you get nginx to respond on port 443, even with a dummy / self signed cert? (Normally it shouldn’t be necessary to do so, as certbot should configure it automatically, but it could help eliminate any firewall issues).
Another possible thing to check is whether fail2ban left behind any residual configuration when you uninstalled it. I don’t know how it works but I’ve made that mistake with denyhosts (which is similar) in the past - it left some banned IPs in my /etc/hosts.deny that I had to clean up manually.
I finally got things going. There’s a step that somehow I didn’t have to do last time I obtained a cert but this time it made a difference. Using this Digital Ocean support doc I had not setup the WebRoot plugin which did the trick this time.
