I´ve followed the excellent tutorial: "The Perfect Server - Debian 10 (Nginx, BIND, Dovecot, ISPConfig 3.1)" and almost everything runned fine, except in the part where ISPConfig runs acme.sh to issue the certificate. It gives an error: "Verify error:Fetching http://debian10.mydomain.com/.well-known/acme-challenge/xbtyIhFqLmguqTKHLEx-4AJ4iJDn3vnVs86pyDLydQ8: Connection refused". It says also that I need to check if my hostname can be verified by letsencrypt and because of that error it fall-back to a self-signed certificate. In fact, that domain really is not accessible when browsing in Chrome, it shows the same error: "Connection refused". But the domain, and its subdomain was already active and configured in the DNS table, so it is completely accessible. What can I do to unblock that url in order to letsencrypt verify the domain and issue the certificate correctly? Note: I am using ISPConfig 3.2.
Is the DNS for that FQDN pointing to the correct server? Any firewall rules that are blocking connections on port 80?
Yes, the DNS is pointing to the correct server and the iptables don´t have any rules blocking port 80.
The url http://debian10.mydomain.com should give you the nginx default page and not a connection refused. Double-check that it points to the right server and ensure that you did not block port 80 with a firewall.
You might also want to run the test script and post the results: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
http://debian10.mydomain.com shows me a Forbidden Nginx page and https://debian10.mydomain.com shows me an ERR_CONNECTION_REFUSED. It only shows the Nginx default page if I create one site on ISPConfig with that domain. I was thinking that this (refuse the connection, when no site with this domain exists) would be the default behavior. Cause let that page open would be a security issue... But, if you are telling me that the page should appear, so this is not the case. However, somt
See the test results: Code: [WARN] I found no "submission" entry in your postfix master.cf Compare what you have in master.cf to Perfect Server Guide and fix it. Host has 1 GB RAM and 1 GB swap. Swap is full. I would add more swap, 3GB for example to avoid running out of memory.
Postfix doesn´t interest me cause I gonna use an external email service. Is this a problem anyway? I´ve already add more swap (3GB) and upgraded my Digital Ocean plan to 2GB memory. But I cannot see what this could affect or resolve the letsencrypt error... In fact, the error persists.
Nginx shows the default page then normally, it does not refuse the connection. Try this: Run this command as root user: touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt Then open this url in the browser, it should work without an error and give you a blank page: http://debian10.mydomain.com/.well-known/acme-challenge/test.txt and also test the ip like this: http://192.168.0.100/.well-known/acme-challenge/test.txt
I did the test. For http://debian10.mydomain.com/.well-known/acme-challenge/test.txt it worked and showed the blank page. For https://debian10.mydomain.com/.well-known/acme-challenge/test.txt, it doesn´t work and showed an ERR_CONNECTION_REFUSED page. For http://192.168.0.100/.well-known/acme-challenge/test.txt, it doesn´t work as well and showed an Nginx Not Found page. For https://192.168.0.100/.well-known/acme-challenge/test.txt, it doesn´t work and showed an ERR_CONNECTION_REFUSED page. *I replaced the domain and ip with my real ones. It seems some kind of firewall block... I´m wondering if Digital Ocean is blocking some port in their end... I know that they block the email ports by default, but I don´t want to use the server email anyway, I´m not bothering in ask them to unblock these. However, SSL port are different, though I researched in Google and don´t found any evidence of Digital Ocean blocking HTTPS ports in their end. But, I think I will open a ticket just to ask them... Any other ideas?
That https is inacessible is ok at this stage as nginx is not listening on https before a cert is issued, if you look at the original error, it says that http:// is not working and according to your latest tests, http://debian10.mydomain.com/.well-known/acme-challenge/test.txt works. So it's strange that acme.sh says that it can't access the token there. I guess I'll have to make a test install tomorrow to see if something has changed in acme.sh or needs to be changed in ISPConfig.
Your test results show nginx is not listening on port 443, which will cause a connection refused when you try to connect there.
Strange, isn´t it? I thougth the same, because in your tutorial, you let it clear that the certificate will be assigned without any problems. And I followed the tutorial with care. In fact, I did it twice, to make sure that I didn´t make any mess in some step... But, the result was the same on both. if you discover something new, let us know!
