Using acme.sh my certificate will not renew, replies connection refused

My domain is: orders.newtonpro.com

I ran this command:
/root/.acme.sh/acme.sh --renew -d orders.newtonpro.com --force

It produced this output:
[Fri Dec 10 10:44:20 CST 2021] Renew: 'orders.newtonpro.com'
[Fri Dec 10 10:44:25 CST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Dec 10 10:44:27 CST 2021] Single domain='orders.newtonpro.com'
[Fri Dec 10 10:44:28 CST 2021] Getting domain auth token for each domain
[Fri Dec 10 10:44:37 CST 2021] Getting webroot for domain='orders.newtonpro.com'
[Fri Dec 10 10:44:40 CST 2021] Verifying: orders.newtonpro.com
[Fri Dec 10 10:44:44 CST 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Dec 10 10:44:49 CST 2021] orders.newtonpro.com:Verify error:Fetching http://orders.newtonpro.com/.well-known/acme-challenge/_XjEvCItIeOYrFWxEzZaB4yPGCTQH1EW8BIyHS0jvP8: Connection refused
[Fri Dec 10 10:44:50 CST 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log

My web server is (include version):
Server version: Apache/2.4.23 (Linux/SUSE)
Server built: 2019-08-22 13:36:51.000000000 +0000

The operating system my web server runs on is (include version): Just upgraded to
SLES 12 SP5

My hosting provider, if applicable, is: Self Hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
/acme.sh v3.0.2

1 Like

The message means what it says: you're trying to request a certificate for orders.newtonpro.com, but connection attempts to it are being refused. I can't get to it either.

$ curl http://orders.newtonpro.com/.well-known/acme-challenge/test
curl: (7) Failed to connect to orders.newtonpro.com port 80 after 33 ms: Connection refused

So, either the server doesn't have the web server running, or there's some firewall in front of it that is blocking the connection. In order to use HTTP-01 authentication to get a certificate, you need to have your http site working first.

4 Likes
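
An added example, not part of the thread or of acme.sh: a pre-flight check that reports which stage of reaching the HTTP-01 challenge path fails (DNS, TCP connect, HTTP response, file content) before a renewal is attempted. The function name `preflight`, the status labels and the default token `preflight-test` are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Pre-flight reachability check for an ACME HTTP-01 challenge path."""
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = "/.well-known/acme-challenge/"
# Ignore any http_proxy setting: the CA connects to the host directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def preflight(host, port=80, token="preflight-test", expected=None, timeout=5):
    """Return (status, detail); status is "ok" or names the failing stage."""
    # Stage 1: the name must resolve.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)
    # Stage 2: something must accept TCP connections on the port.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except ConnectionRefusedError:
        return "connection_refused", f"{host}:{port} refused: no listener, or a firewall rejects"
    except socket.timeout:
        return "timeout", f"no answer from {host}:{port}; packets are probably dropped"
    except OSError as exc:
        return "unreachable", str(exc)
    # Stage 3: the web server must answer for the challenge path over plain HTTP.
    url = f"http://{host}:{port}{CHALLENGE_DIR}{token}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as exc:
        return "http_error", f"{url} answered HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return "unreachable", str(exc)
    # Stage 4 (optional): a test file placed in the webroot must come back intact.
    if expected is not None and body != expected:
        return "mismatch", f"{url} served unexpected content"
    return "ok", url


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: preflight.py HOST [TOKEN [EXPECTED_CONTENT]]")
    status, detail = preflight(sys.argv[1], 80, *sys.argv[2:4])
    print(f"{status}: {detail}")
    sys.exit(0 if status == "ok" else 1)
```

An `http_error` with code 404 for a token that does not exist still shows that port 80 is reachable. Run the check from a machine outside your own network, since a pass from the server itself says nothing about a firewall in front of it.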

Peter,

The web server was running before a power outage on Monday. Then after it came up after the outage the website was unreachable. I have been trying to get a newer version of SLES installed, and now have it at SLES12 SP5. I will try again after I am able to get to the webserver again. Thanks for your input, as I had forgotten that the process requires the Let's Encrypt server to talk to the server the certificate is being issued / renewed for.

Have a great day!

Brent

3 Likes

I'd start unraveling this Apache mess with:
sudo apachectl -t -D DUMP_VHOSTS

Also, using --force won't make a broken system work.

2 Likes

Using your suggestion I was able to unravel the Apache2 issues the upgrade was not able to fix in my configuration. I was then able to renew the certificate normally. Thanks for the help!

2 Likes
