[solved] Changed Digital Ocean Droplet/IP address and Now Can't Obtain Certificate

I deleted my Digital Ocean droplet and started with a fresh new droplet. I have been trying to obtain my security certificate but I get a connection refused. I have made sure that ufw is open on 443 following digital ocean’s instructions.

I have checked the letsencrypt log and I noticed that IP address used is my old IP address not the new one.

My site is already live (http://toddmatthews.me) and working with the new IP address associated with my domain name:

I’m assuming this IP mismatch is why the connection is being refused? How do I get Let’s Encrypt to use the new IP address?

Thank you for any help that can be provided to help me get my site back to https !

but http://www.toddmatthews.me is not! The www subdomain is still pointed at your old IP address, you need to update that.

Are you sure you have changed your DNS A record also for www.toddmatthews.me? Because while toddmatthews.me resolves to, www.toddmatthews.me is still pointing to

Oh man I wonder why that is because I used these DNS records:

Thank you for the quick help!

It’s so crazy it displays that way on namecheap and I posted a screen shot above.
I deleted the line and retyped it in so I could save to see if it updates properly this time. I’ll give it 30 mins and see if it updated or not.

Long shot but maybe you need to click the “SAVE ALL CHANGES” button?

Thank you, will make sure to click both this time. I guess my request slipped through the cracks earlier this afternoon?

Still not updating…oh well, I filed a ticket with namecheap to see what’s up.

Global DNS synchronization takes some time.
That said,
toddmatthews.me nameserver = dns2.registrar-servers.com
toddmatthews.me nameserver = dns1.registrar-servers.com
Server: dns1.registrar-servers.com shows:
Name: www.toddmatthews.me Address:
Server: dns2.registrar-servers.com shows:
Name: www.toddmatthews.me Address:

So this DNS out-of-sync problem should be back in-sync now.
I would try it again (maybe with --dry-run = just in case)


I just tried it again and it is pointing to the correct ip address but I’m still getting errors. The main error message displays:

Performing the following challenges:
tls-sni-01 challenge for toddmatthews.me
tls-sni-01 challenge for www.toddmatthews.me
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.toddmatthews.me (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection reset by peer, toddmatthews.me (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

 - The following errors were reported by the server:

   Domain: www.toddmatthews.me
   Type:   connection
   Detail: Connection reset by peer

   Domain: toddmatthews.me
   Type:   connection
   Detail: Error getting validation data

and combing through the log file I found this:

2017-11-25 11:35:42,060:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1528
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: 5JJq73kdwHcEkBJ7x0UXeYYbNHA_fBlPcwBlc4o2fC8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Sat, 25 Nov 2017 11:35:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 25 Nov 2017 11:35:42 GMT
Connection: keep-alive

  "identifier": {
    "type": "dns",
    "value": "toddmatthews.me"
  "status": "invalid",
  "expires": "2017-12-02T11:35:35Z",
  "challenges": [
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Error getting validation data",
        "status": 400

I don’t now what X-Frame-Options: DENY means but it sounds like a firewall blockage. Here’s my ufw settings:

03 AM

It does rather look like a firewall issue (not because of X-Frame-Options: DENY, that’s just a clickjacking defence, but because of Connection reset by peer, and because I can’t connect to your port 443 - the server seems to close the connection). Are you sure there isn’t some other external firewall in place, besides ufw on the server itself?

What software are you using to request the certificate? What command are you running?

Thank you for the link on clickjacking!

The command I’m running is sudo certbot --nginx --staging I’m adding the staging argument because I already learned the hard way about making 5 failed attempts:slight_smile:

In my several attempts I’ve also tried this command: sudo certbot --nginx -d toddmatthews.me -d www.toddmatthews.me

I installed the software with sudo apt-get install python-certbot-nginx and added that with
sudo add-apt-repository ppa:certbot/certbot

I also previously tried removing fail2ban. I have reinstalled it but haven’t touched the config.

I also checked Digital Ocean’s firewall settings through their UI and I don’t have any setup as shown here:

Ufw was the only firewall I setup after OS installation. Hmmm

Okay, well that suggests one possible approach - can you get nginx to respond on port 443, even with a dummy / self signed cert? (Normally it shouldn’t be necessary to do so, as certbot should configure it automatically, but it could help eliminate any firewall issues).

Another possible thing to check is whether fail2ban left behind any residual configuration when you uninstalled it. I don’t know how it works but I’ve made that mistake with denyhosts (which is similar) in the past - it left some banned IPs in my /etc/hosts.deny that I had to clean up manually.

I finally got things going. There’s a step that somehow I didn’t have to do last time I obtained a cert but this time it made a difference. Using this Digital Ocean support doc I had not setup the WebRoot plugin which did the trick this time.

Thank you for all the help!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.