Solution to random Let's Encrypt Certbot Connection refused / Invalid response Authorization Errors

Since I upgraded my Certbot from version 1.7.0 to 1.11.0, I was getting different errors for different domain names when executing the certbot renew command.

When renewing webfoobar.com:

  
certbot renew --cert-name webfoobar.com --dry-run
  

I get an "Invalid response" authorization error:

  
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/webfoobar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Running pre-hook command: service nginx stop
Error output from pre-hook command service:
Redirecting to /bin/systemctl stop nginx.service

Simulating renewal of an existing certificate for webfoobar.com and www.webfoobar.com
Performing the following challenges:
http-01 challenge for webfoobar.com
http-01 challenge for www.webfoobar.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain webfoobar.com
Challenge failed for domain www.webfoobar.com
http-01 challenge for webfoobar.com
http-01 challenge for www.webfoobar.com
Cleaning up challenges
Failed to renew certificate webfoobar.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/webfoobar.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service nginx start
Error output from post-hook command service:
Redirecting to /bin/systemctl start nginx.service

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: webfoobar.com
   Type:   unauthorized
   Detail: Invalid response from
   http://webfoobar.com/.well-known/acme-challenge/sW1cig3OCrgDtMPN9Hh3J8ziTzdwJP-SqrHuQGY4hMY
   [2606:4700:3037::6815:18db]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   Domain: www.webfoobar.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.webfoobar.com/.well-known/acme-challenge/-Mvi36amf9RAOBionDe-A8Jz7JPoNlTnE6Ae58yAvZw
   [2606:4700:3036::ac43:dcdb]: "<!DOCTYPE html>\n<!--[if lt IE 7]>
   <html class=\"no-js ie6 oldie\" lang=\"en-US\">
   <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
  

And when renewing the other domain test8.webfoobar.com:

  
certbot renew --cert-name test8.webfoobar.com --dry-run
  

I get a "Connection refused" authorization error:

  
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/test8.webfoobar.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Running pre-hook command: service nginx stop
Error output from pre-hook command service:
Redirecting to /bin/systemctl stop nginx.service

Simulating renewal of an existing certificate for test8.webfoobar.com
Performing the following challenges:
http-01 challenge for test8.webfoobar.com
Using the webroot path /var/www/letsencrypt for all unmatched domains.
Waiting for verification...
Challenge failed for domain test8.webfoobar.com
http-01 challenge for test8.webfoobar.com
Cleaning up challenges
Failed to renew certificate test8.webfoobar.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/test8.webfoobar.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: service nginx start
Error output from post-hook command service:
Redirecting to /bin/systemctl start nginx.service

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: test8.webfoobar.com
   Type:   connection
   Detail: Fetching
   http://test8.webfoobar.com/.well-known/acme-challenge/Zf2mCUBxHaTPQt_agLIwK69ftt3jvBfaEqJmWpYRDOc:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
  

My Nginx configuration for handling Let's Encrypt requests is unchanged:

  
location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/www/letsencrypt;
  default_type "text/plain";
  try_files $uri =404;
}
  

I ran the basic checks below and found no issues.

IPv4 access to a test file:

  
curl -IkL4   http://webfoobar.com/.well-known/acme-challenge/test.htm
  

The response shows no issue accessing the /.well-known/acme-challenge path:

  
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 27 Aug 2021 14:38:58 GMT
Content-Type: text/plain
Content-Length: 3
Last-Modified: Mon, 30 Mar 2020 16:25:22 GMT
Connection: keep-alive
Keep-Alive: timeout=75
ETag: "8a821d72-3"
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Options: nosniff
Cache-Control: s-maxage=10
Accept-Ranges: bytes
  

And IPv6 access to the same test file:

  
curl -IkL6   http://webfoobar.com/.well-known/acme-challenge/test.htm
  

The response shows no issue accessing the /.well-known/acme-challenge path over IPv6 either:

  
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 27 Aug 2021 14:39:19 GMT
Content-Type: text/plain
Content-Length: 3
Last-Modified: Mon, 30 Mar 2020 16:25:22 GMT
Connection: keep-alive
Keep-Alive: timeout=75
ETag: "8a821d72-3"
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Options: nosniff
Cache-Control: s-maxage=10
Accept-Ranges: bytes
  

Checked whether ports 80 and 443 are blocked by the firewall for IPv4:

  
iptables -L | grep http
  

Ports 80 and 443 are open:

  
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
  

Checked whether ports 80 and 443 are blocked by the firewall for IPv6:

  
ip6tables -L | grep http
  

Ports 80 and 443 are open here as well:

  
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
  

Checked whether Nginx is listening on ports 80 and 443:

  
netstat -pant | grep -i nginx
  

Nginx is fine as well; it is listening on ports 80 and 443:

  
tcp        0      0 104.21.24.219:80       0.0.0.0:*               LISTEN      18309/nginx: master
tcp        0      0 104.21.24.219:443      0.0.0.0:*               LISTEN      18309/nginx: master
tcp6       0      0 2606:4700:3037:0:0::80 :::*                    LISTEN      18309/nginx: master
tcp6       0      0 2606:4700:3037:0:0:443 :::*                    LISTEN      18309/nginx: master
  

None of these common checks for the "Connection refused" and "Invalid response" authorization errors turned up a problem. Looking at the history, certbot renewal had been working for several months and the only change was the certbot upgrade from version 1.7.0 to 1.11.0. I set up a new server, installed Let's Encrypt certbot for Nginx and investigated the changes from version 1.7.0 to 1.11.0. I found out that in version 1.7.0 the lines containing "post_hook" and "pre_hook" had been removed from the renewal configuration file. This matters because with the webroot authenticator the challenge token is served by Nginx itself: the logs above show the pre-hook "service nginx stop" running before the challenges are performed, so nothing is serving the token when the Let's Encrypt validator fetches it, and the validator gets "Connection refused" (or, where another service answers on that address, an HTML page instead of the token).

To fix this issue, open the renewal configuration file:

  
vi /etc/letsencrypt/renewal/webfoobar.com.conf
  

Then remove or comment out the lines containing "post_hook" and "pre_hook":

  
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/webfoobar.com
cert = /etc/letsencrypt/live/webfoobar.com/cert.pem
privkey = /etc/letsencrypt/live/webfoobar.com/privkey.pem
chain = /etc/letsencrypt/live/webfoobar.com/chain.pem
fullchain = /etc/letsencrypt/live/webfoobar.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 8a62c56d679110288d8aeb17cbc597ed
webroot_path = /var/www/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
#post_hook = service nginx start
#pre_hook = service nginx stop
manual_public_ip_logging_ok = None
[[webroot_map]]
webfoobar.com = /var/www/letsencrypt
www.webfoobar.com = /var/www/letsencrypt
  

Do the same for the other domains, then test again:

  
certbot renew --cert-name webfoobar.com --dry-run
  

The output now says the dry run is successful.

The renewal configuration file for test8.webfoobar.com after the same change:
# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/test8.webfoobar.com
cert = /etc/letsencrypt/live/test8.webfoobar.com/cert.pem
privkey = /etc/letsencrypt/live/test8.webfoobar.com/privkey.pem
chain = /etc/letsencrypt/live/test8.webfoobar.com/chain.pem
fullchain = /etc/letsencrypt/live/test8.webfoobar.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 8a62c56d679110288d8aeb17cbc597ed
webroot_path = /var/www/letsencrypt,
server = https://acme-v02.api.letsencrypt.org/directory
#post_hook = service nginx start
#pre_hook = service nginx stop
manual_public_ip_logging_ok = None
[[webroot_map]]
test8.webfoobar.com = /var/www/letsencrypt
  
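To apply the fix across every renewal configuration in one pass, here is an added example (not from the original post) that scans a renewal directory, and for each certificate that uses the webroot authenticator comments out any active pre_hook/post_hook lines, keeping a .bak copy of each file it changes. The directory is a parameter so it can be tried on a copy of /etc/letsencrypt/renewal first; configs using other authenticators (for example standalone, where stopping Nginx in a pre-hook is the intended pattern) are left untouched.

```shell
#!/bin/sh
# Added example: disable pre_hook/post_hook lines in Certbot renewal configs
# that use the webroot authenticator (the hooks stop the web server that
# has to serve the challenge token). Not part of Certbot itself.

# Succeeds when the config uses the webroot authenticator AND still has an
# uncommented pre_hook or post_hook line.
needs_fix() {
    conf="$1"
    grep -Eq '^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*webroot' "$conf" || return 1
    grep -Eq '^[[:space:]]*(pre|post)_hook[[:space:]]*=' "$conf"
}

# Comment out active pre_hook/post_hook lines in one config, in place,
# after saving a backup copy next to it.
disable_hooks() {
    conf="$1"
    cp -p "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*)((pre|post)_hook[[:space:]]*=)/\1#\2/' "$conf" > "$conf.tmp" \
        && cat "$conf.tmp" > "$conf" \
        && rm -f "$conf.tmp"
}

# Walk a renewal directory (e.g. /etc/letsencrypt/renewal); prints the number
# of configs changed on stdout, per-file notes on stderr.
fix_renewal_dir() {
    dir="$1"
    changed=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        if needs_fix "$conf"; then
            disable_hooks "$conf" && changed=$((changed + 1))
            echo "disabled hooks in $conf (backup: $conf.bak)" >&2
        fi
    done
    echo "$changed"
}
```

After running it, confirm each certificate with `certbot renew --cert-name <name> --dry-run` as the post does above.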
