LettuceEncrypt: Failed to validate ownership of domainName

I’m trying to set up Let’s Encrypt on my server, and every time I get this error:

Apr 18 20:51:51 prestaservi.net dotnet-example[6746]: [20:51:51 DBG] Confirmed challenge request for GIf5_w2zI80eTzMBnBYTHr7fu0hjHVxOLmefkKQGKbg
Apr 18 20:51:51 prestaservi.net dotnet-example[6746]: [20:51:51 DBG] Confirmed challenge request for GIf5_w2zI80eTzMBnBYTHr7fu0hjHVxOLmefkKQGKbg
Apr 18 20:51:53 prestaservi.net dotnet-example[6746]: [20:51:53 ERR] Failed to validate ownership of domainName 'prestaservi.net'. Reason: urn:ietf:params:acme:error:connection: Fetching http://prestaservi.net/.well-known/acme-challenge/zt1_DaK9LlMgueAyn4FNAOKLABFX_mi02lQTWEhx9aI: Connection refused, Code = BadRequest
Apr 18 20:51:53 prestaservi.net dotnet-example[6746]: [20:51:53 ERR] Failed to validate ownership of domainName 'www.prestaservi.net'. Reason: urn:ietf:params:acme:error:connection: During secondary validation: Fetching http://www.prestaservi.net/.well-known/acme-challenge/GIf5_w2zI80eTzMBnBYTHr7fu0hjHVxOLmefkKQGKbg: Connection refused, Code = BadRequest

My domain (prestaservi.net) points to my server’s IP. I also added UseStaticFiles() with a file provider pointing to a folder (.well-known) created in the server root directory.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 4
  • Comments: 25 (10 by maintainers)

Most upvoted comments

I retract my last comment - it was a problem with my setup and not with this library. I was running it behind a docker container and did not have ENV ASPNETCORE_URLS="https://+;http://+"

I have now set that and it works (even with HttpsRedirection).

This error can occur for reasons beyond the control of this library, but there could also be bugs in this library. In the HTTP-01 challenge, Let’s Encrypt’s CA servers are attempting to send an HTTP request to your host. If you Google “urn:ietf:params:acme:error:connection: Connection refused”, you’ll find lots of posts related to this subject, as this is a common problem with the HTTP-01 challenge. Here are some common causes:

  • Your server hasn’t exposed port 80 to the internet. Some firewall or ISP is blocking this incoming request.
  • Your server is taking HTTP traffic, but not on port 80 (ACME protocol does not allow using any other port for the HTTP-01 challenge)
  • Your DNS or IP addresses aren’t configured correctly to accept incoming traffic.
  • Your server hasn’t started accepting traffic yet, although this should have been addressed in the 0.5.0 update with this fix: https://github.com/natemcmaster/LettuceEncrypt/pull/74

There may be other bugs in this library causing the problem, which I haven’t identified yet. This is part of why I implemented the TLS-ALPN-01 challenge as well (#76). LettuceEncrypt will attempt to use both TLS-ALPN-01 and HTTP-01. Successful verification of either is sufficient. Note: using TLS-ALPN-01 requires serving HTTPS on port 443.
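The checklist above is what a CA's HTTP-01 validator is effectively doing: resolve the name, open a TCP connection to port 80, GET /.well-known/acme-challenge/<token>, and expect a 200 whose body is the key authorization. The following preflight script, added here as an example and not part of LettuceEncrypt or this issue, reproduces that fetch and names the failure mode (DNS, connection refused, timeout, wrong status, wrong body) so the cause can be narrowed down before spending a validation attempt. `check_http01`, `serve_challenge`, the `connect_addr` override, the token `tok123` and the placeholder key authorization are all assumptions constructed for the demonstration; the throwaway responder exists only so the script can exercise itself against a local listener.

```python
"""Preflight for ACME HTTP-01 reachability (standalone example, not LettuceEncrypt code)."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Fixed by the ACME protocol: the CA fetches this path on port 80 of the name being validated.
ACME_PATH = "/.well-known/acme-challenge/"


def check_http01(host, token, expected_body=None, port=80, timeout=5.0, connect_addr=None):
    """Perform the same GET a CA's HTTP-01 validator performs; return (ok, reason).

    connect_addr (assumption for testing) lets the check target a specific address
    instead of resolving `host`; a real CA always resolves the name itself.
    """
    if connect_addr is None:
        try:
            connect_addr = socket.gethostbyname(host)
        except socket.gaierror as exc:
            return False, f"dns: cannot resolve {host}: {exc}"

    path = ACME_PATH + token
    conn = http.client.HTTPConnection(connect_addr, port, timeout=timeout)
    try:
        # Send the Host header explicitly: the CA fetches by name even when it lands on an IP.
        conn.request("GET", path, headers={"Host": host, "User-Agent": "http01-preflight"})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read().decode("utf-8", "replace").strip()
    except ConnectionRefusedError:
        # The error seen in this thread: TCP RST, nothing listening on port 80 at that address.
        return False, f"connection refused: nothing is listening on {connect_addr}:{port}"
    except socket.timeout:
        # A silent drop usually means a firewall or ISP block rather than a missing listener.
        return False, f"timeout: {connect_addr}:{port} did not answer (firewall or ISP drop?)"
    except OSError as exc:
        return False, f"connection error: {exc}"
    finally:
        conn.close()

    if status != 200:
        return False, f"http {status}: the CA requires 200 for {path}"
    if expected_body is not None and body != expected_body:
        return False, f"body mismatch: got {body!r}, expected the key authorization"
    return True, f"200 OK from {connect_addr}:{port}{path}"


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal responder: serves token -> key authorization under ACME_PATH, 404 otherwise."""

    tokens = {}

    def do_GET(self):
        if self.path.startswith(ACME_PATH):
            token = self.path[len(ACME_PATH):]
            if token in self.tokens:
                payload = self.tokens[token].encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(payload)))
                self.end_headers()
                self.wfile.write(payload)
                return
        self.send_response(404)
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_challenge(tokens, bind="127.0.0.1", port=0):
    """Start a throwaway challenge responder (ephemeral port by default) and return the server."""
    _ChallengeHandler.tokens = dict(tokens)
    server = HTTPServer((bind, port), _ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Constructed sample: token and placeholder key authorization, served locally.
    srv = serve_challenge({"tok123": "tok123.PLACEHOLDER_THUMBPRINT"})
    local_port = srv.server_address[1]
    print(check_http01("prestaservi.net", "tok123", expected_body="tok123.PLACEHOLDER_THUMBPRINT",
                       port=local_port, connect_addr="127.0.0.1"))
    srv.shutdown()
    srv.server_close()
    # Same port with the listener gone reproduces the "Connection refused" from the log.
    print(check_http01("prestaservi.net", "tok123", port=local_port, connect_addr="127.0.0.1"))
```

Run it from a machine outside your network, against the public name with `port=80` and no `connect_addr`: the log lines above mention "secondary validation", meaning Let's Encrypt fetches from several vantage points, so a successful check from the server itself only proves that something is listening locally, not that port 80 is reachable from the internet.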

  Using account [is this supposed to be secret?]

@Donistivanov - try also adding an HTTPS port on 443. Also, the account ID with Let’s Encrypt doesn’t need to be secret. You authenticate to this account with a private key which is stored using the IAccountStore interface (by default, put into a folder in AppContext.BaseDirectory).

@andrewjsaid - thanks for the update. I’m assuming this means the TLS-ALPN-01 challenge worked, but there may still be issues with HTTP-01.