byjg / docker-easy-haproxy

Discover services and create dynamically the haproxy.cfg based on the labels defined in docker containers or from a simple static Yaml
MIT License

Certbot not working: connection refused #48

Open Niek opened 1 year ago

Niek commented 1 year ago

Trying to enable certbot, but I get this error (on LetsEncrypt, but ZeroSSL has the same issue):

[CERTBOT] 08/15/23 14:09:07 [DEBUG]: [not_found] Request new certificate for -DOMAIN-
[CERTBOT] 08/15/23 14:09:08 [INFO]: Account registered.
[CERTBOT] 08/15/23 14:09:08 [WARN]: Saving debug log to /var/log/letsencrypt/letsencrypt.log
[CERTBOT] 08/15/23 14:09:08 [INFO]: Requesting a certificate for -DOMAIN-
[CERTBOT] 08/15/23 14:09:10 [WARN]: Some challenges have failed.
[CERTBOT] 08/15/23 14:09:10 [WARN]: Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[CERTBOT] 08/15/23 14:09:10 [INFO]: Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
[CERTBOT] 08/15/23 14:09:10 [INFO]:   Domain: -DOMAIN-
[CERTBOT] 08/15/23 14:09:10 [INFO]:   Type:   connection
[CERTBOT] 08/15/23 14:09:10 [INFO]:   Detail: 49.13.73.162: Fetching http://-DOMAIN-/.well-known/acme-challenge/fXpTY0iMRtl5GuLhg07-uBv75L9NTJrCSDUfJr82zL8: Connection refused
[CERTBOT] 08/15/23 14:09:10 [INFO]:
[CERTBOT] 08/15/23 14:09:10 [INFO]: Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 2080. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
[CERTBOT] 08/15/23 14:09:10 [INFO]:
[CERTBOT] 08/15/23 14:09:10 [DEBUG]: Freeze issuing ssl for -DOMAIN- due failure. The certificate is not_found

(domain redacted to -DOMAIN-)

This is when running :master, :latest does not seem to spawn port 443 at all.
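As an added diagnostic, not code from docker-easy-haproxy or from the reporter: a pre-flight checker for the HTTP-01 challenge path that classifies the outcome the way the CA reports it (the "Connection refused" above), together with a stand-in for certbot's standalone responder so it can be exercised offline; the host, port and token values are assumptions for the demo.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
ACME_PREFIX = "/.well-known/acme-challenge/"


def check_acme_challenge(host, port, token, expected_body=None, timeout=3.0):
    """GET the HTTP-01 challenge URL and classify the result as the CA would:
    'ok', 'connection_refused', 'timeout', 'http_<status>' or 'body_mismatch'."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", ACME_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        conn.close()
    except ConnectionRefusedError:
        return "connection_refused"   # nothing listens on host:port (the symptom in this issue)
    except (socket.timeout, TimeoutError):
        return "timeout"              # packets dropped: firewall, or DNS pointing elsewhere
    if resp.status != 200:
        return f"http_{resp.status}"  # e.g. 404 when the proxy routes the path to another backend
    if expected_body is not None and body != expected_body:
        return "body_mismatch"        # something answered, but not the ACME client
    return "ok"


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in for certbot's standalone responder (port 2080 in the log above)."""
    tokens = {}  # token -> key authorization, filled in by start_responder()
    def do_GET(self):
        token = self.path[len(ACME_PREFIX):] if self.path.startswith(ACME_PREFIX) else None
        if token not in self.tokens:
            self.send_error(404)
            return
        payload = self.tokens[token].encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_responder(tokens, host="127.0.0.1", port=0):
    """Serve the given tokens in a background thread (port 0 picks a free port); returns (server, port)."""
    _ChallengeHandler.tokens = dict(tokens)
    server = HTTPServer((host, port), _ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]
```

Run it against the real domain on port 80 from outside the host: anything other than "ok" means the CA will fail the challenge before the ACME client is ever involved.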

byjg commented 1 year ago

Yes, master is the development version, and it means it is the "latest" one.

It seems the labels defined are wrong because it is getting -DOMAIN- instead of the proper domain name to get the certificate.

Could you share your docker-compose file?

Niek commented 1 year ago

The actual domain was there, I just censored it in the message.

byjg commented 1 year ago

OK. I apologize for that. :) So, may I have your docker-compose with censored parts?

Niek commented 1 year ago

Sure! It looks like this:

version: "3"

services:
  echo:
    image: ealen/echo-server:latest
    pull_policy: always
    restart: always
    labels:
      - easyhaproxy.echo.host=domain.org
      - easyhaproxy.echo.port=80
      - easyhaproxy.echo.localport=80
      - easyhaproxy.echo.certbot=true

  easyhaproxy:
    image: byjg/easy-haproxy:master
    pull_policy: always
    restart: always
    ports:
      - 80:80
      - 443:443
    environment:
      - EASYHAPROXY_CERTBOT_EMAIL=mail@domain.org
      - EASYHAPROXY_DISCOVER=docker
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

byjg commented 1 year ago

It is a pretty standard configuration, so nothing from this side. I can try to reproduce this error later today.

Meanwhile, please verify: