Cannot validate SSL

I’m trying to install a Let’s Encrypt certificate for my server’s host domain. Under Web Domain, I check “Enable SSL for this domain” and click save. After about 30 seconds I get this error:

Error: Let’s Encrypt validation status 400 (hestia.imago-home.co.za). Details: 400:“169.159.156.60: Fetching http://www.hestia.imago-home.co.za/.well-known/acme-challenge/QNFYmrKjMF44VaD1Q7vxR4uLYiB-8-wEr33nwLZgqEE: Connection refused”

My setup is as follows:

I have a local server connected to a LAN, behind a TP-Link router. The router is configured to forward various ports to the server’s IP address, including ports 80 and 443.

I have configured the necessary A records on the DNS (using bunny.net, not my local machine for the DNS).

I assume that there is a problem accessing port 80, which, I understand, is used by the acme challenge. My troubleshooting reveals the following:

So it seems that somewhere along the line the server is redirecting port 80 to port 443 and I assume that is why acme challenge can’t validate the certificate.

Any help would be greatly appreciated!

That’s your main problem: you are blocking port 80, or you are not forwarding it correctly to your server.

It is “redirected” by the browser, not by your server, and that is because your server is timing out when trying to connect to port 80, so the browser tries to connect to https (443). But here your server, yes, is redirecting from https to http and, again, time out.

$ curl -IkL http://hestia.imago-home.co.za/.well-known/acme-challenge/test
curl: (7) Failed to connect to hestia.imago-home.co.za port 80 after 259 ms: Connection refused

$ curl -IkL https://hestia.imago-home.co.za/.well-known/acme-challenge/test
HTTP/2 301
server: nginx
date: Mon, 13 May 2024 19:42:21 GMT
content-type: text/html
content-length: 162
location: http://hestia.imago-home.co.za/.well-known/acme-challenge/test

curl: (7) Failed to connect to hestia.imago-home.co.za port 80 after 208 ms: Connection refused

No, the problem is your firewall/router blocking/not forwarding port 80.

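The two curl runs in the reply above are the whole diagnosis: a TCP "Connection refused" on port 80, and a 301 from 443 that points straight back to port 80. Below is a small probe that does the same check and classifies the answer, added here as an example; it is not code from this thread, from Hestia or from Let's Encrypt. It assumes you run it from outside the LAN (or pin `connect_to=` to the public IP) so the router's port forwarding is on the path, as it is for the CA's validator. The `check_http01`, `start_fixture` and `closed_port` names and the local fake web server are constructed for the demo.

```python
"""HTTP-01 pre-flight probe for the failure in this thread.

Added example, not code from the thread, from Hestia or from Let's Encrypt.
It sends one plain-HTTP GET for an ACME challenge path, does not follow
redirects, and classifies the answer the way the two curl runs above were
read: refused, filtered, redirected to https://, or actually served.
Run it from OUTSIDE the LAN (or pin connect_to= to the public IP) so that
the router's port forwarding is on the path, as it is for the validator.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PREFIX = "/.well-known/acme-challenge/"


def check_http01(host, connect_to=None, port=80, timeout=5.0, token="probe"):
    """Probe http://host:port/.well-known/acme-challenge/<token> once.

    connect_to pins the TCP connection to a given IP while the Host header
    still carries the domain (same idea as `curl --resolve`). Redirects are
    deliberately not followed: a 301 to https:// on a host that has no
    certificate yet is exactly what makes validation fail."""
    target = connect_to or host
    try:
        conn = http.client.HTTPConnection(target, port, timeout=timeout)
        conn.request("GET", ACME_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        status = resp.status
        location = resp.getheader("Location", "")
        conn.close()
    except ConnectionRefusedError:
        return "refused"            # TCP RST: nothing listens, or port not forwarded
    except socket.timeout:
        return "filtered"           # no answer at all: a firewall drops the SYN
    except OSError as exc:          # DNS failure, unreachable network, ...
        return "error: %s" % exc
    if 300 <= status < 400:
        return "redirect-to-https" if location.lower().startswith("https://") else "redirect"
    if status in (200, 404):
        return "served"             # 404 for an unknown token is fine: the path is reachable
    return "http-%d" % status


class _FakeWebServer(BaseHTTPRequestHandler):
    """Constructed stand-in for the real web server, used only by the demo."""
    redirect_to_https = False

    def do_GET(self):
        if self.redirect_to_https:
            self.send_response(301)
            self.send_header("Location", "https://%s%s" % (self.headers["Host"], self.path))
        else:
            # A correctly exposed webroot answers 404 for a token it does not have
            self.send_response(404 if self.path.startswith(ACME_PREFIX) else 200)
        self.end_headers()

    def log_message(self, *args):   # keep the demo output quiet
        pass


def start_fixture(redirect_to_https):
    """Start a throwaway local server on 127.0.0.1; returns (server, port)."""
    handler = type("Handler", (_FakeWebServer,), {"redirect_to_https": redirect_to_https})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_port():
    """Pick a local port with nothing listening on it, to show 'refused'."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real use, from outside the LAN: check_http01("hestia.imago-home.co.za")
    # Demo against the constructed fixtures:
    for label, redirect in (("plain webroot", False), ("forced https", True)):
        srv, port = start_fixture(redirect)
        print(label, "->", check_http01("hestia.imago-home.co.za", "127.0.0.1", port))
        srv.shutdown()
        srv.server_close()
    print("nothing listening ->", check_http01("hestia.imago-home.co.za", "127.0.0.1", closed_port()))
```

The distinction between `refused` and `filtered` is worth reading: `refused` means something at the public IP answered the SYN with a RST, so the packet did arrive and whatever owns that IP (the router, in this thread) chose not to pass it on; `filtered` means nothing answered at all, which points at a firewall dropping traffic on the way. A `redirect-to-https` result on port 80 is the other classic cause of a failed HTTP-01 on a host that does not have a certificate yet.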

Thank you, @sahsanu, that has helped me to solve the problem. In case anyone is having a similar issue, it might help to state how I was able to solve it.

I am using a TP-Link router which allows for the creation of virtual servers (aka port forwarding). I followed the steps of reassigning the router’s interface to a different port (its default is port 80), and I created a virtual server for port 80, but port 80 was still blocked. I had to disable remote access to the router in order to allow incoming connections to port 80. Once I had done that, the port was opened and I was able to issue Let’s Encrypt certificates from the Hestia panel.
