TLS-ALPN-01: Connection refused

1. Caddy version (caddy version):

# docker-compose exec caddy caddy version
v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

a. System environment:

OS: Ubuntu 18.04.5 LTS
Docker: 20.10.5

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3.5"
services:
  caddy:
    build: ./build
    env_file:
      - caddy.env
    networks:
      - caddy
      - external
    ports:
      - 80:80
      - 443:443
    restart: always
    volumes:
      - config:/config
      - data:/data

volumes:
  config:
  data:

networks:
  # Network to hook backends into
  caddy:
    name: caddy
    internal: true
  # Used to allow external access (necessary for ACME)
  external:

d. My complete Caddyfile or JSON config:

{
    default_sni {$DEFAULT_SNI}
    email {$ACME_EMAIL}
    on_demand_tls {
        interval 7d
        burst 50
    }
}

ares.fallenwarrior.me {
    root * /usr/share/caddy
    file_server
}

3. The problem I’m having:

In trying to obtain a certificate for the listed host, Caddy logged several errors indicating a failed TLS-ALPN-01 challenge.
Not a problem in itself, as the site still works with HTTPS and everything, but error level logs are in my opinion still worth investigating.

4. Error messages and/or full log output:

{"level":"info","ts":1615289462.5444105,"logger":"tls.issuance.acme.acme_client","msg":"trying to solve challenge","identifier":"ares.fallenwarrior.me","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
{"level":"error","ts":1615289463.5418978,"logger":"tls.issuance.acme.acme_client","msg":"challenge failed","identifier":"ares.fallenwarrior.me","challenge_type":"tls-alpn-01","status_code":400,"problem_type":"urn:ietf:params:acme:error:connection","error":"Connection refused"}
{"level":"error","ts":1615289463.5421784,"logger":"tls.issuance.acme.acme_client","msg":"validating authorization","identifier":"ares.fallenwarrior.me","error":"authorization failed: HTTP 400 urn:ietf:params:acme:error:connection - Connection refused","order":"https://acme-v02.api.letsencrypt.org/acme/order/115121735/8346560287","attempt":1,"max_attempts":3}

5. What I already tried:

To check if it was an intermittent error, I tried doing the same thing against the LE staging API but got the same result.

6. Links to relevant resources:

As you can verify yourself if you navigate to https://ares.fallenwarrior.me, HTTPS does work (in the end by using the HTTP-01 challenge), so it’s not like the traffic isn’t getting through to Caddy.
Which is why I don’t understand where the connection refused error happens.

Hmm, it’s hard to say. Essentially, Let’s Encrypt is trying to connect to your server on port 443 for the ALPN challenge. It is strange that connecting to your server does work. Do you have something like Cloudflare in front of your server? Something in between Let’s Encrypt and your server might be blocking the request for whatever reason.

Nope, nothing. This is a DigitalOcean server and I have nothing in front of it at the moment. The firewall rule to allow HTTP/S didn’t even exist until before I set this up because I wasn’t hosting anything on there. And said firewall rule is configured to allow traffic from all sources as well.

I have the same problem with the same errors.
Server: Hetzner/Windows 2016 server/Firewall is off.
Domain: Installed on Cloudflare and Server IP recorded in A-record, without proxying Cloudflare.

How to fix?

This topic was automatically closed after 30 days. New replies are no longer allowed.