[Solved] I can not get a certificate: connection refused

Please fill out the fields below so we can help you better.

My domain is: ecnd.fr, nathaly.ecnd.fr

I ran this command: certbot --apache

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: ecnd.fr
2: nathaly.ecnd.fr
3: www.ecnd.fr

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ecnd.fr
tls-sni-01 challenge for nathaly.ecnd.fr
tls-sni-01 challenge for www.ecnd.fr
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. nathaly.ecnd.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, www.ecnd.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, ecnd.fr (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: nathaly.ecnd.fr
    Type: connection
    Detail: Connection refused

    Domain: www.ecnd.fr
    Type: connection
    Detail: Connection refused

    Domain: ecnd.fr
    Type: connection
    Detail: Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache2 2.4.18

The operating system my web server runs on is (include version): ubuntu server 16.04.3 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @nathaly,

Do you have some kind of a firewall that could be blocking connections to port 443 for these domains? When I try to connect to them myself on port 443 I also get connection refused. This usually indicates there's a firewall blocking connections. Sometimes it can be your ISP (some residential ISPs block inbound HTTPS traffic for example).

You will need to have port 443 accessible for the TLS-SNI-01 challenge that Certbot is doing to work (and also for HTTPS with Apache once you have a certificate!).


The validation server is unable to connect to your server over HTTPS port 443 (setup via a temporary configuration created by certbot).

Make sure you have port 443 open in your firewall:

sudo ufw allow https

Also check any firewall/security groups/etc. that might be present with your ISP or cloud provider.

Or if you have any kind of load balancing / port forwarding / masquerading setup, you’ll need to make sure you forward port 443 along with port 80.
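To see what the validation server saw, here is an added Python triage script (not from this thread or from Certbot) that parses Certbot's "Failed authorization procedure" line into per-domain errors and then probes port 443 both on loopback and at the name's public A record. A listener that answers locally but not at the public address points at the router, NAT or ISP path rather than Apache. The domain names in the sample are constructed.

```python
import re
import socket

# One entry of Certbot's "Failed authorization procedure." line has the shape:
#   <domain> (<challenge>): urn:acme:error:<type> :: <message> :: <detail>
ENTRY = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): urn:acme:error:(?P<type>\w+)"
    r" :: (?P<message>.*?) :: (?P<detail>.*?)(?=, [\w.-]+ \(|$)"
)

# Constructed sample, shaped like the Certbot output quoted above.
SAMPLE = ("Failed authorization procedure. nathaly.example.test (tls-sni-01): "
          "urn:acme:error:connection :: The server could not connect to the client "
          "to verify the domain :: Connection refused, example.test (tls-sni-01): "
          "urn:acme:error:connection :: The server could not connect to the client "
          "to verify the domain :: Connection refused")

def parse_failures(line):
    """Map each failed domain to (challenge, error type, detail)."""
    _, _, body = line.partition("Failed authorization procedure.")
    return {m["domain"]: (m["challenge"], m["type"], m["detail"].strip())
            for m in ENTRY.finditer(body.strip())}

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(local_ok, public_ok):
    """Turn the two probes into the next thing to check."""
    if not local_ok:
        return "no-listener"       # Apache is not listening on the port at all
    if not public_ok:
        return "blocked-upstream"  # listener works; router, NAT or ISP drops inbound
    return "reachable"

def triage(domain, port=443):
    """Probe loopback and the domain's public address; return (local_ok, public_ok, verdict)."""
    local_ok = port_open("127.0.0.1", port)
    try:
        public_ok = port_open(socket.gethostbyname(domain), port)
    except OSError:  # name does not resolve or probe failed
        public_ok = False
    return local_ok, public_ok, classify(local_ok, public_ok)

if __name__ == "__main__":
    for name, (challenge, etype, detail) in parse_failures(SAMPLE).items():
        print(f"{name}: {challenge} {etype} ({detail}) -> {triage(name)[2]}")
```

Run it from a machine outside the LAN as well: from inside, hairpin NAT on the router can make the public probe succeed even when inbound 443 is blocked upstream, which is exactly the split seen later in this thread.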


Hello,
Excuse me but I speak very bad English, google helps me to translate !!!
I have disabled the firewall of my box and I have not yet installed a firewall on my server that I just reinstall.
On my box, ports 80 and 443 are redirected to the server.
I am surprised that you can not connect via port 443 because I had tried to do ecnd.fr:443 and I arrived directly in the folder /var/www/html/ and I had the listing of the symbolic links for both sites.
I only got my domain name this morning and did the DNS registration immediately after. Could my problem be that DNS replication is not yet effective? Between France and the USA, there is … a lot !!
I will try to use a computer out of my network to see if I have the same problem as you and try to understand why …

Sea your help!

From here in the US I get connection refused on https://ecnd.fr as well. :frowning:

I’m reluctant to blame DNS propagation because this is a new domain. I would think that I wouldn’t be able to access the website over HTTP either if this were the case. So I would indeed recommend testing and troubleshooting from other networks.

Excuse me, indeed, I just tested from a post out of my private network and I get the same answer as you.
However, in the ports.conf file, I added Listen 443 so now I have no idea how to get the connections on this port accepted.
Should I activate the SSL module and place self-signed certificates?
I’m just a beginner and this is the first time I’ve tried to configure Apache this way …

certbot typically configures Apache for you, especially during the verification phase. Your problem probably lies somewhere else.

However, to make debugging easier it often indeed helps to have SSL working on the Apache side. Rather than configuring SSL manually, I would suggest using http to verify your site and get a certificate and then allowing certbot to configure SSL for you.

You can instruct certbot to obtain a certificate with webroot authentication and then install it with Apache by running a command like the following:

sudo certbot -a webroot -i apache -w /var/www/html/domain1.com -d domain1.com -d www.domain.com -w /var/www/html/domain2.com -d domain2.com

Be sure to undo any manual changes you made to Apache’s SSL configuration first so certbot doesn’t get confused when it goes to set it up.

That should get you a certificate and set up SSL on the Apache side, and you can then see if port 443 really works or if there’s something else going on.

Hello,
I have good news and a bad one!
The good thing is that I have the certificates.

Congratulations! You have successfully enabled https://ecnd.fr,
https://www.ecnd.fr, and https://nathaly.ecnd.fr
You should test your configuration at:
SSL Server Test: ecnd.fr (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)
SSL Server Test (Powered by Qualys SSL Labs)

The bad thing is that my server always refuses the https connections from the internet as I have seen through the links above.
It's really weird because from my network everything works perfectly and I have the padlock in front of my different addresses.
I think that the problem comes from my box (router), I will try to restart it to test otherwise I will test by putting it in Bridge mode.

Thank you very much for your valuable and prompt assistance.

Double check the router’s firewall and port forwarding rules?

I had exceptionally disabled the firewall to do this and the routing rules are good. It is a galley and there is nothing in the logs that could help me understand. Tomorrow I’ll check all the configuration of Apache, I may have zapped a line somewhere …

Hello,
After long search, I discovered that my Internet access provider was blocking port 443 redirection on 4k fiber boxes.
It’s pretty amazing but that’s it!
I circumvented the problem by switching it to Bridge mode and adding a few routing rules to the firewall, and two minutes later I got my certificates with the quite simple command:
sudo certbot --apache

Thank you

