Question

Connection refused to NodeJs/GraphQL App (droplet) and unable to renew Letsencrypt certificates

I received this email from Let’s Encrypt Team:

"Your certificate (or certificates) for the names listed below will expire in 0 days (on 15 Sep 21 13:50 +0000). Please make sure to renew your certificate before then, or visitors to your web site will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let’s Encrypt’s current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

eloo-api.hoofdindewolken.nl eloo.hoofdindewolken.nl"

I tried to renew the SSL certificates, but there are errors:

root@dokku-ubuntu-s-1vcpu-1gb-ams3-01:~# dokku letsencrypt:auto-renew eloo-backend
eloo-backend
=====> Auto-renew eloo-backend...
=====> Enabling letsencrypt for eloo-backend
-----> Enabling ACME proxy for eloo-backend...
       Reloading nginx configuration (via systemctl): nginx.service.
-----> Getting letsencrypt certificate for eloo-backend...
        - Domain 'eloo.hoofdindewolken.nl'
        - Domain 'eloo-api.hoofdindewolken.nl'
       2021/09/15 19:05:41 No key found for account richard@hoofdindewolken.nl. Generating a P256 key.
       2021/09/15 19:05:41 Saved key to /certs/accounts/acme-v02.api.letsencrypt.org/richard@hoofdindewolken.nl/keys/richard@hoofdindewolken.nl.key
       2021/09/15 19:05:42 [INFO] acme: Registering account for richard@hoofdindewolken.nl
       !!!! HEADS UP !!!!

       Your account credentials have been saved in your Let's Encrypt
       configuration directory at "/certs/accounts".

       You should make a secure backup of this folder now. This
       configuration directory will also contain certificates and
       private keys obtained from Let's Encrypt so making regular
       backups of this folder is ideal.
       2021/09/15 19:05:42 [INFO] [eloo.hoofdindewolken.nl, eloo-api.hoofdindewolken.nl] acme: Obtaining bundled SAN certificate
       2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342400
       2021/09/15 19:05:43 [INFO] [eloo.hoofdindewolken.nl] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342410
       2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] acme: Could not find solver for: tls-alpn-01
       2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] acme: use http-01 solver
       2021/09/15 19:05:43 [INFO] [eloo.hoofdindewolken.nl] acme: Could not find solver for: tls-alpn-01
       2021/09/15 19:05:43 [INFO] [eloo.hoofdindewolken.nl] acme: use http-01 solver
       2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] acme: Trying to solve HTTP-01
       2021/09/15 19:05:43 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
       2021/09/15 19:05:44 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
       2021/09/15 19:05:44 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
       2021/09/15 19:05:45 [INFO] [eloo-api.hoofdindewolken.nl] Served key authentication
       2021/09/15 19:05:49 [INFO] [eloo-api.hoofdindewolken.nl] The server validated our request
       2021/09/15 19:05:49 [INFO] [eloo.hoofdindewolken.nl] acme: Trying to solve HTTP-01
       2021/09/15 19:05:57 [INFO] Skipping deactivating of valid auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342400
       2021/09/15 19:05:57 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/31309342410
       2021/09/15 19:05:57 Could not obtain certificates:
           error: one or more domains had a problem:
       [eloo.hoofdindewolken.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://eloo.hoofdindewolken.nl/.well-known/acme-challenge/LnZdHab96VAV4fvIhnNBicce7rKPH7IVXjvTT5-mjms [76.76.21.21]: 404
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for eloo-backend...
       Reloading nginx configuration (via systemctl): nginx.service.
 !     Failed to setup letsencrypt
Check log output for further information on failure

As a result my site can’t be loaded because:

POST https://eloo-api.hoofdindewolken.nl/api/graphql gives net::ERR_CERT_DATE_INVALID.

I tried some things, and as a result the error at https://eloo.hoofdindewolken.nl/ changed to net::ERR_CONNECTION_REFUSED. Still, I am unable to renew the certificates.

Also status nginx gives:

● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-06-09 15:24:54 UTC; 3 months 8 days ago
       Docs: man:nginx(8)
    Process: 192440 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
   Main PID: 1705882 (nginx)
      Tasks: 2 (limit: 1137)
     Memory: 5.9M
     CGroup: /system.slice/nginx.service
             ├─ 192441 nginx: worker process
             └─1705882 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;

Sep 16 08:12:20 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192062]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
Sep 16 08:12:20 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192241]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on [::]:80, ignored
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192241]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
Sep 16 08:12:43 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloading A high performance web server and a reverse proxy server.
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192440]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on [::]:80, ignored
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 nginx[192440]: nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
Sep 16 08:12:59 dokku-ubuntu-s-1vcpu-1gb-ams3-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.


Bobby Iliev
Site Moderator
December 7, 2023

Hello,

The error messages you’re encountering indicate a couple of issues with renewing Let’s Encrypt certificates and your Nginx configuration. Let’s break down the issues and potential solutions:

1. Let’s Encrypt Renewal Issue

The main problem seems to be with renewing the Let’s Encrypt certificates for your domains eloo.hoofdindewolken.nl and eloo-api.hoofdindewolken.nl. The error acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://eloo.hoofdindewolken.nl/.well-known/acme-challenge/... [76.76.21.21]: 404 suggests that the ACME challenge requests by Let’s Encrypt to your server are not being served correctly, resulting in a 404 Not Found error.

Possible Solutions:

  • Verify Domain Configuration: Ensure that both domains eloo.hoofdindewolken.nl and eloo-api.hoofdindewolken.nl are correctly pointing to your server’s IP address in DNS settings.

  • Check Nginx Configuration: Ensure that Nginx is correctly configured to serve files from the /.well-known/acme-challenge/ directory. This is where Let’s Encrypt expects to find the files for the HTTP-01 challenge.

  • Firewall Settings: Check if any firewall settings might be blocking access to the /.well-known/acme-challenge/ directory.

  • Manual Test: You can test this by placing a test file in the /.well-known/acme-challenge/ directory and trying to access it via your browser.

2. Nginx Configuration Warning

The Nginx warning conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored suggests that there are multiple server blocks or configurations for the same domain name. This could be causing some of the issues you’re experiencing.

Possible Solutions:

  • Review Nginx Configs: Check all your Nginx configuration files for duplicate server blocks or listen directives for the same domain. This includes checking sites-enabled, conf.d directory, and the nginx.conf file.

  • Remove Duplicates: If you find duplicate configurations for the same domain, consolidate them into a single server block or remove the unnecessary duplicates.

  • Reload Nginx: After making changes, don’t forget to reload Nginx to apply the changes (sudo nginx -t to test configuration and sudo systemctl reload nginx to apply changes).

3. Connection Refused Error

The net::ERR_CONNECTION_REFUSED error indicates that the browser is unable to establish a connection to your server. This could be due to Nginx not running or not being properly configured to accept connections for your domain.

Possible Solutions:

  • Check Nginx Service: Ensure Nginx is running (sudo systemctl status nginx).

  • Server Block Configuration: Ensure the server block for your domain is correctly configured to listen on the right port and has the correct server_name.

  • SSL/TLS Configuration: Since your SSL certificate is expired, consider temporarily disabling HTTPS redirection (if any) to troubleshoot the issue without SSL complications.

Best,

Bobby
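
An added example (not part of the answer above, and not dokku or lego code): a small triage script that pulls the two facts the checks above depend on out of the output in the question. In the ACME error line, the address in square brackets is the host that answered the challenge request, so comparing it with the server's own public IP separates a DNS problem from an nginx problem. The sample lines are taken from the question with the challenge token replaced by a placeholder; `203.0.113.10` is an assumed stand-in for the droplet's address, which the page does not give.

```python
import re
from collections import Counter

# Lines from the question's output; the challenge token is replaced by a placeholder.
SAMPLE_LOG = """\
[eloo.hoofdindewolken.nl] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://eloo.hoofdindewolken.nl/.well-known/acme-challenge/TOKEN [76.76.21.21]: 404
nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on [::]:80, ignored
nginx: [warn] conflicting server name "eloo.hoofdindewolken.nl" on 0.0.0.0:80, ignored
"""

# Failed HTTP-01 validation: domain, ACME error type, challenge URL,
# the IP that answered (in brackets) and the HTTP status it returned.
ACME_FAIL = re.compile(
    r"\[(?P<domain>[^\]]+)\] acme: error: (?P<code>\d{3}) :: "
    r"urn:ietf:params:acme:error:(?P<kind>\w+) :: Invalid response from "
    r"(?P<url>\S+) \[(?P<ip>[^\]]+)\]: (?P<status>\d{3})"
)
NGINX_CONFLICT = re.compile(
    r'conflicting server name "(?P<name>[^"]+)" on (?P<listen>\S+), ignored'
)

def acme_failures(log):
    """Return one dict per failed HTTP-01 validation found in the log."""
    return [m.groupdict() for m in ACME_FAIL.finditer(log)]

def conflicting_names(log):
    """Count nginx 'conflicting server name' warnings per (name, listen address)."""
    return Counter((m["name"], m["listen"]) for m in NGINX_CONFLICT.finditer(log))

def triage(log, server_ip):
    """Turn the raw log into findings; server_ip is the host's own public address."""
    findings = []
    for f in acme_failures(log):
        if f["ip"] != server_ip:
            findings.append(f"{f['domain']}: challenge answered by {f['ip']}, "
                            f"not {server_ip}; check the DNS record for this name")
        else:
            findings.append(f"{f['domain']}: this host returned {f['status']} "
                            f"for {f['url']}; check the nginx challenge location")
    for (name, listen), n in conflicting_names(log).items():
        findings.append(f"{name}: {n} 'conflicting server name' warning(s) on {listen}")
    return findings

if __name__ == "__main__":
    # 203.0.113.10 is a placeholder; the droplet's real address is not on the page.
    for line in triage(SAMPLE_LOG, "203.0.113.10"):
        print(line)
```

Pass the full `dokku letsencrypt:auto-renew` output and the `systemctl status nginx` journal lines as `log`, and the server's real public IP as `server_ip`.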
