Let´s Encrypt failing to verify hostname

Discussion in 'ISPConfig 3 Priority Support' started by Edson Correia, Jan 24, 2021.

  1. Edson Correia

    Edson Correia New Member

    I´ve followed the excellent tutorial: "The Perfect Server - Debian 10 (Nginx, BIND, Dovecot, ISPConfig 3.1)" and almost everything runned fine, except in the part where ISPConfig runs acme.sh to issue the certificate. It gives an error: "Verify error:Fetching http://debian10.mydomain.com/.well-known/acme-challenge/xbtyIhFqLmguqTKHLEx-4AJ4iJDn3vnVs86pyDLydQ8: Connection refused". It says also that I need to check if my hostname can be verified by letsencrypt and because of that error it fall-back to a self-signed certificate.

    In fact, that domain really is not accessible when browsing in Chrome, it shows the same error: "Connection refused". But the domain, and its subdomain was already active and configured in the DNS table, so it is completely accessible.

    What can I do to unblock that url in order to letsencrypt verify the domain and issue the certificate correctly?

    Note: I am using ISPConfig 3.2.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Is the DNS for that FQDN pointing to the correct server? Any firewall rules that are blocking connections on port 80?
     
  3. Edson Correia

    Edson Correia New Member

    Yes, the DNS is pointing to the correct server and the iptables don´t have any rules blocking port 80.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The url http://debian10.mydomain.com should give you the nginx default page and not a connection refused. Double-check that it points to the right server and ensure that you did not block port 80 with a firewall.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. Edson Correia

    Edson Correia New Member

    http://debian10.mydomain.com shows me a Forbidden Nginx page and https://debian10.mydomain.com shows me an ERR_CONNECTION_REFUSED.

    It only shows the Nginx default page if I create one site on ISPConfig with that domain. I was thinking that this (refuse the connection, when no site with this domain exists) would be the default behavior. Cause let that page open would be a security issue... But, if you are telling me that the page should appear, so this is not the case.

    However, somt
     
  7. Edson Correia

    Edson Correia New Member

    Attached Files:

  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    See the test results:
    Code:
    [WARN] I found no "submission" entry in your postfix master.cf
    Compare what you have in master.cf to Perfect Server Guide and fix it.
    Host has 1 GB RAM and 1 GB swap. Swap is full. I would add more swap, 3GB for example to avoid running out of memory.
     
  9. Edson Correia

    Edson Correia New Member

    Postfix doesn´t interest me cause I gonna use an external email service. Is this a problem anyway?

    I´ve already add more swap (3GB) and upgraded my Digital Ocean plan to 2GB memory. But I cannot see what this could affect or resolve the letsencrypt error... In fact, the error persists.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Nginx shows the default page then normally, it does not refuse the connection.


    Try this: Run this command as root user:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    Then open this url in the browser, it should work without an error and give you a blank page:

    http://debian10.mydomain.com/.well-known/acme-challenge/test.txt

    and also test the ip like this:

    http://192.168.0.100/.well-known/acme-challenge/test.txt
     
  11. Edson Correia

    Edson Correia New Member

    I did the test.
    For http://debian10.mydomain.com/.well-known/acme-challenge/test.txt it worked and showed the blank page.

    For https://debian10.mydomain.com/.well-known/acme-challenge/test.txt, it doesn´t work and showed an ERR_CONNECTION_REFUSED page.

    For http://192.168.0.100/.well-known/acme-challenge/test.txt, it doesn´t work as well and showed an Nginx Not Found page.

    For https://192.168.0.100/.well-known/acme-challenge/test.txt, it doesn´t work and showed an ERR_CONNECTION_REFUSED page.

    *I replaced the domain and ip with my real ones.

    It seems some kind of firewall block... I´m wondering if Digital Ocean is blocking some port in their end... I know that they block the email ports by default, but I don´t want to use the server email anyway, I´m not bothering in ask them to unblock these. However, SSL port are different, though I researched in Google and don´t found any evidence of Digital Ocean blocking HTTPS ports in their end. But, I think I will open a ticket just to ask them...

    Any other ideas?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    That https is inacessible is ok at this stage as nginx is not listening on https before a cert is issued, if you look at the original error, it says that http:// is not working and according to your latest tests, http://debian10.mydomain.com/.well-known/acme-challenge/test.txt works. So it's strange that acme.sh says that it can't access the token there. I guess I'll have to make a test install tomorrow to see if something has changed in acme.sh or needs to be changed in ISPConfig.
     
  13. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Your test results show nginx is not listening on port 443, which will cause a connection refused when you try to connect there.
     
  14. Edson Correia

    Edson Correia New Member

    I´ve opened a ticket on Digital Ocean. Let´s see what they say...
     
  15. Edson Correia

    Edson Correia New Member

    Strange, isn´t it? I thougth the same, because in your tutorial, you let it clear that the certificate will be assigned without any problems. And I followed the tutorial with care. In fact, I did it twice, to make sure that I didn´t make any mess in some step... But, the result was the same on both.

    if you discover something new, let us know!
     

Share This Page