.well-known/acme-challenge Connection refused

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: abragam.imt.kit.edu

I ran this command: sudo certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: abragam.imt.kit.edu
2: www.abragam.imt.kit.edu


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for abragam.imt.kit.edu and www.abragam.imt.kit.edu

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: abragam.imt.kit.edu
Type: connection
Detail: 141.52.156.23: Fetching http://abragam.imt.kit.edu/.well-known/acme-challenge/95To-8uKY0ju0JvOETjEzuDrFeA-Eb_PEgZESyPAhcc: Connection refused

Domain: www.abragam.imt.kit.edu
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for www.abragam.imt.kit.edu - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for www.abragam.imt.kit.edu - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 22.04.4 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Hi @jnc, and welcome to the LE community forum :slight_smile:

I see two problems:

  • all HTTP requests are unable to reach your web server
    [OR your web server is not configured to respond to HTTP requests]

  • the HTTPS port is "speaking" HTTP

curl -Ii https://abragam.imt.kit.edu
curl: (35) error:0A00010B:SSL routines::wrong version number

curl -Ii http://abragam.imt.kit.edu:443
HTTP/1.1 200 OK
Date: Tue, 02 Apr 2024 12:32:42 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Tue, 26 Mar 2024 14:24:00 GMT
ETag: "5d-614910a96ffd3"
Accept-Ranges: bytes
Content-Length: 93
Vary: Accept-Encoding
Content-Type: text/html

Let's have a look at the output of:
sudo apachectl -t -D DUMP_VHOSTS

3 Likes

Thank you very much! Here is the output for sudo apachectl -t -D DUMP_VHOSTS:

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:32)
         port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:32)
         port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost abragam.imt.kit.edu (/etc/apache2/sites-enabled/test.conf:3)
                 alias www.abragam.imt.kit.edu

I figured out that there are some steps I need to perform, which I found here

You may want to include the alias shown:

In order to do that, you will have to first update the DNS zone to resolve that name to the same IP as abragam.imt.kit.edu.

But the real problem now seems to be the lack of HTTP access to your system.

curl -Ii abragam.imt.kit.edu
curl: (56) Recv failure: Connection reset by peer

See: Let's Debug (letsdebug.net)

3 Likes

first update the DNS zone
From here?

But the real problem now seems to be the lack of HTTP access to your system.
Any advice how to fix it? I can provide my virtual host info if it is useful. Thank you.

1 Like

Step 1 in getting a cert via HTTP-01 authentication is having a working HTTP site.
Does your site work via HTTP?
Can the Internet see your HTTP site?

3 Likes

Hi, it does work via HTTP, only HTTPS is not working

It is not working for requests from the public Internet. Example

3 Likes

Supplemental information; presently this is what I see.

$ nmap -Pn -p80,443 abragam.imt.kit.edu
Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-02 16:44 UTC
Nmap scan report for abragam.imt.kit.edu (141.52.156.23)
Host is up (0.17s latency).

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds

HTTP - Connection refused

$ curl -Ii http://abragam.imt.kit.edu/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to abragam.imt.kit.edu port 80 after 361 ms: Connection refused

HTTPS - error:0A00010B:SSL routines::wrong version number

$ curl -k -Ii https://abragam.imt.kit.edu/.well-known/acme-challenge/sometestfile
curl: (35) error:0A00010B:SSL routines::wrong version number

http://abragam.imt.kit.edu:443/.well-known/acme-challenge/sometestfile

$ curl -Ii http://abragam.imt.kit.edu:443/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Date: Tue, 02 Apr 2024 16:48:25 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

And from around the world

HTTP - "Connection refused"

HTTPS - "ssl3_get_record: wrong version number"

http://abragam.imt.kit.edu:443 - "OK"

1 Like

Thank you so much. Any guesses? What might be the issue? Why does the connection keep getting refused from the outside world?

1 Like

@jnc I believe you have Apache configuration issues.

Apache information can be found in documentation and forums:

Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

1 Like

Thank you very much. I figured out that port 80 was closed by the administrators, and I have the certificate now (only for abragam.imt.kit.edu; I could not get the certificate for www.abragam.imt.kit.edu). However, my website still only works with http and does not work with https. Any opinion?

1 Like

Let's start by seeing what this looks like now

sudo apachectl -t -D DUMP_VHOSTS

And, as for your www subdomain, you should add an A record in your DNS like you have for the root domain.

2 Likes

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:32)
         port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:32)
         port 443 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/default-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost abragam.imt.kit.edu (/etc/apache2/sites-enabled/test.conf:3)
                 alias www.abragam.imt.kit.edu

What command did you use? Because had you used the --apache option like you showed earlier, it should have created a VirtualHost for you.

2 Likes

Yes, I did use

sudo certbot certonly --apache

Oh, you added the certonly option on the command. That only gets a certificate; it does not configure your Apache to use it. You need to create a VirtualHost manually or try rerunning the command without that option.

4 Likes

Thanks Mike. I tried both options and restarted apache.

sudo certbot --apache

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: abragam.imt.kit.edu
2: www.abragam.imt.kit.edu


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/abragam.imt.kit.edu.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for abragam.imt.kit.edu

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/abragam.imt.kit.edu/fullchain.pem
Key is saved at: /etc/letsencrypt/live/abragam.imt.kit.edu/privkey.pem
This certificate expires on 2024-07-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for abragam.imt.kit.edu to /etc/apache2/sites-enabled/test-le-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

I tried with and without port 443 in my virtual host (one vs. two blocks), and with two blocks it looks like this:

<VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName abragam.imt.kit.edu
        ServerAlias www.abragam.imt.kit.edu
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


# Other directives here
RewriteEngine on
RewriteCond %{SERVER_NAME} =abragam.imt.kit.edu [OR]
RewriteCond %{SERVER_NAME} =www.abragam.imt.kit.edu
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


<VirtualHost *:443>
        DocumentRoot "/var/www/html"
        ServerName abragam.imt.kit.edu
        ServerAlias www.abragam.imt.kit.edu
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined


# Other directives here
RewriteEngine on
RewriteCond %{SERVER_NAME} =abragam.imt.kit.edu [OR]
RewriteCond %{SERVER_NAME} =www.abragam.imt.kit.edu
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Abbreviated for clarity.

HTTP redirects to HTTPS:

HTTPS redirects to HTTPS: [this creates an endless loop]

That said, the HTTPS server block has no certificate with which to encrypt any traffic.
So, it likely fails to do anything.
OR
It tries to serve HTTP content on port 443.

3 Likes
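As an added example (not the thread's own configuration and not the file certbot generated), here is the pair of VirtualHost blocks that avoids the loop just described: the redirect lives only in the :80 block, and the :443 block actually enables TLS with the certificate paths certbot printed earlier in the thread. The Include line assumes certbot's options-ssl-apache.conf is present on the system.

```apache
# Port 80: plain HTTP. Its only job is to answer HTTP-01 validation requests
# (Let's Encrypt follows the redirect, so no exception is needed) and to send
# everything to HTTPS. The redirect belongs ONLY in this block.
<VirtualHost *:80>
    ServerName abragam.imt.kit.edu
    ServerAlias www.abragam.imt.kit.edu
    DocumentRoot "/var/www/html"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =abragam.imt.kit.edu [OR]
    RewriteCond %{SERVER_NAME} =www.abragam.imt.kit.edu
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# Port 443: TLS. No RewriteRule here (a redirect to HTTPS from the HTTPS block
# is what produced the endless loop), and without SSLEngine on Apache would
# simply serve plaintext HTTP on 443, which is the "wrong version number"
# symptom seen with curl above.
<VirtualHost *:443>
    ServerName abragam.imt.kit.edu
    ServerAlias www.abragam.imt.kit.edu
    DocumentRoot "/var/www/html"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/abragam.imt.kit.edu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/abragam.imt.kit.edu/privkey.pem
    # Assumption: certbot's Apache plugin installed this protocol/cipher
    # hardening file; drop the line if it is not present.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```

This needs mod_ssl and mod_rewrite enabled (sudo a2enmod ssl rewrite), and sudo apachectl configtest should pass before reloading Apache; afterwards curl -Ii https://abragam.imt.kit.edu should return an HTTP status instead of the SSL routines error.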