LetsEncrypt cannot connect to domain + ERR_CONNECTION_REFUSED

May 24, 2017 3.6k views
Let's Encrypt DigitalOcean Getting Started Nginx DNS Firewall Ubuntu Ubuntu 16.04
julsgud
By:
julsgud

Unable to connect to server after following this setup tutorial for nginx with ssl over http2 on my Ubuntu droplet.

DNS records at Namecheap.com are set to Custom DNS pointing to:
ns1.digitalocean.com
ns2.digitalocean.com
ns3.digitalocean.com

I have the following records at the Domain Name Control Panel @ Digital Ocean Droplet:
type / hostname / value /ttl
A - *.plasticsrev.club - 104.131.129.214 - 3600
A - plasticsrev.club - 104.131.129.214 - 3600
NS - plasticsrev.club - ns1.digitalocean.com - 1800
NS - plasticsrev.club - ns2.digitalocean.com - 1800
NS - plasticsrev.club - ns3.digitalocean.com - 1800

Ping test for plasticsrev.club:

PING plasticsrev.club (104.131.129.214): 56 data bytes
64 bytes from 104.131.129.214: icmp_seq=0 ttl=57 time=51.727 ms
64 bytes from 104.131.129.214: icmp_seq=1 ttl=57 time=52.775 ms
64 bytes from 104.131.129.214: icmp_seq=2 ttl=57 time=54.574 ms
64 bytes from 104.131.129.214: icmp_seq=3 ttl=57 time=53.471 ms
64 bytes from 104.131.129.214: icmp_seq=4 ttl=57 time=56.712 ms
64 bytes from 104.131.129.214: icmp_seq=5 ttl=57 time=53.874 ms

--- plasticsrev.club ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 51.727/53.856/56.712/1.556 mscode

Ping test for www.plasticsrev.club:

PING www.plasticsrev.club (104.131.129.214): 56 data bytes
64 bytes from 104.131.129.214: icmp_seq=0 ttl=57 time=52.069 ms
64 bytes from 104.131.129.214: icmp_seq=1 ttl=57 time=52.484 ms
64 bytes from 104.131.129.214: icmp_seq=2 ttl=57 time=53.466 ms
64 bytes from 104.131.129.214: icmp_seq=3 ttl=57 time=54.178 ms
64 bytes from 104.131.129.214: icmp_seq=4 ttl=57 time=53.623 ms
64 bytes from 104.131.129.214: icmp_seq=5 ttl=57 time=50.825 ms

--- www.plasticsrev.club ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 50.825/52.774/54.178/1.122 ms

Nginx config file /etc/nginx/sites-available/default :

server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name plasticsrev.club www.plasticsrev.club;

        location ~ /.well-known {
                allow all;
        }

When I run $ sudo ufw status I get: Status: inactive.

Thanks for your help!

Log In to Comment
3 Answers
jtittle1 May 25, 2017

@julsgud

We'd need to see the full server block to take a look at the configuration. It looks like the one you've posted has been cut off :-).

Also, please run the following command and post the output in a code block as well:

tail -20 /var/log/nginx/error.log
Reply
julsgud May 25, 2017

Hey! Thanks for your response!

I get the following when doing sudo tail -20 /var/log/nginx/error.log

2017/05/24 16:37:33 [emerg] 29864#29864: unexpected "}" in /etc/nginx/sites-enabled/default:68
2017/05/24 16:49:39 [error] 29898#29898: *1 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 187.234.204.41, server: 0.0.0.0:443

Here is my full /etc/nginx/sites-enabled/default file:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        # SSL configuration
        #
        # listen 443 ssl default_server;
        # listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        #
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        #
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        #
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name plasticsrev.club www.plasticsrev.club;

        location ~ /.well-known {
                allow all;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #
        #       # With php7.0-cgi alone:
        #       fastcgi_pass 127.0.0.1:9000;
        #       # With php7.0-fpm:
        #       fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #       deny all;
        #}
}

# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#       listen 80;
#       listen [::]:80;
#
#       server_name example.com;
#
#       root /var/www/example.com;
#       index index.html;
#
#       location / {
#               try_files $uri $uri/ =404;
#       }
#}

Can't see where that extra '}' appears!

Reply
jtittle1 May 25, 2017

@julsgud

First, I'd recommend cleaning up the file and getting rid of all the commented directives that you don't need. That'd leave us with:

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /var/www/html;

    index index.html index.htm index.php index.nginx-debian.html;

    server_name plasticsrev.club www.plasticsrev.club;

    location ~ /.well-known {
        allow all;
    }
}

Now, the first issue depends on if you have other configurations (server blocks) in the same directory as this one. If you do and you've modified them, we'd need to look at them too.

The second issue is that you've not actually setup SSL for this domain. You're not defining the path to the SSL Certificate, you're missing the SSL configuration, and there's no redirect to push requests on port 80 to 443 so that all traffic gets served over SSL.

There's also the default location block missing to tell how to handle incoming requests.

To properly serve content over SSL, you'd want to use something such as what I'm showing below, which has been customized for your domain, so it's basically a copy and paste. You'd paste all of this in to a single file.

server {
    listen 80;
    listen [::]:80;
    server_name plasticsrev.club www.plasticsrev.club;

    location ~ /.well-known {
        allow all;
    }

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name plasticsrev.club www.plasticsrev.club;

    root /var/www/html;

    index index.html index.htm index.php index.nginx-debian.html;

    ssl on;
    ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
    ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    #ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:50m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 5m;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}

You'd need to modify these two lines:

    ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
    ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;

... and replace the paths to match the location of your certificate and private key. The location block I have setup is just a starter. What you'd actually use depends on the type of site you're hosting. We can modify that as needed.

Reply
  • julsgud May 29, 2017

    Thanks for your response! I am actually trying to complete the SSL certification through LetsEncrypt because of simplicity. I edited my nginx config files as you mentioned but upon attempting to create the ssl, the authorization procedure fails. I get the following as an output for sudo certbot certonly --webroot --webroot-path=/var/www/html -d plasticsrev.club -d www.plasticsrev.club:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for plasticsrev.club
http-01 challenge for www.plasticsrev.club
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. plasticsrev.club (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to plasticsrev.club, www.plasticsrev.club (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to plasticsrev.club

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: plasticsrev.club
   Type:   connection
   Detail: Could not connect to plasticsrev.club

   Domain: www.plasticsrev.club
   Type:   connection
   Detail: Could not connect to plasticsrev.club

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

    Any tips on how to complete this will be greatly appreciated!

Have another answer? Share your knowledge.

Related Questions