Develop Reference

certbot cannot verify domain and connection refused

I am trying to generate certificate for my domain. I can ping my domain but still getting error. I have added inbound firewall rule to my digital ocean server to accept port 80 on ipv4 and ipv6 as well. Not sure what is wrong. [Note: my nginx server is not running as I cannot get the certificate]
https://community.letsencrypt.org/t/invalid-response-404-nginx-docker-container/102525
My domain is: www.1040nra.com
I ran this command: sudo certbot certonly --staging --webroot -w /root/dt-app-data/ -d 1040nra.com -d www.1040nra.com
It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 1040nra.com
http-01 challenge for www.1040nra.com
Using the webroot path /root/dt-app-data for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. 1040nra.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://1040nra.com/.well-known/acme-challenge/22AD-KFmF62z373CPiUKzk6dlr-0s5wMOmnmrziMqd4: Connection refused, www.1040nra.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.1040nra.com/.well-known/acme-challenge/ba-jjDhBUZJ9fHLofGfDYSVV5a-ETlX26A64A-2Yu0s: Connection refused
IMPORTANT NOTES:
The following errors were reported by the server:
Domain: 1040nra.com
Type: connection
Detail: Fetching
http://1040nra.com/.well-known/acme-challenge/22AD-KFmF62z373CPiUKzk6dlr-0s5wMOmnmrziMqd4:
Connection refused
Domain: www.1040nra.com
Type: connection
Detail: Fetching
http://www.1040nra.com/.well-known/acme-challenge/ba-jjDhBUZJ9fHLofGfDYSVV5a-ETlX26A64A-2Yu0s:
Connection refused
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version):
The operating system my web server runs on is (include version): ubuntu 18.04

You seem to have solved the problem yourself.
This is because the certbot domain cannot verify the DNS A record.
Make sure your domain address is directed to your server's ip address.
If you made the dns change 'recently', it may take some time to delete the old ip address.
https://www.whatsmydns.net/
Check here, there should only be one IP address and this should be your server's IP address.

Make sure ports 80 and 443 are open by running the command below:
sudo ufw status
If port 443 is not open, then run the command bellow to allow port 443:
sudo ufw allow https

Issue: The issue is your domain might be not pointing to your Cloud host IP and DNS setup
Solution:
You have to map your domain and IP in-network option tab A
Once you did the mapping then you have to setup DNS on where you have purchased the domain website.
Then check by entering your domain name on this web site www.whatsmydns.net showing your IP address or not
If Yes then you create the certificate

Go to the https://www.whatsmydns.net/
Enter your host name
You set the type A
Make sure that there is the same IP everywhere
You set the type AAAA
Make sure there are no AAAA entries
AAAA are IPv6 entries.
If the addresses for AAAA are present, make a request to this IPv6 address
#example curl [43ff:0c89:eb10:4c06:c90e:4b7d:64e5:fbe1]
curl [your IPv6]
If you get an error, then the address does not point to your site. Accordingly, there is a difference between IPv4 and IPv6.
Solution: delete the domain zone type AAAA

Why can't connect to http service binding on 127.0.0.1 with any ports

I wrote a simple http server in Go language as below:
http.ListenAndServe(":8888", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("hello"))
}))
When I test it on certain machine runs Windows 7, I found client can't connect to the server.
telnet 127.0.0.1 8888
connecting 127.0.0.1… can't open connection to the host. on port 8888: connect failed. (I translate it from Chinese.)
Then I got the results of other test case:
ping localhost and 127.0.0.1, successful.
telnet localhost 8888, successful.
telnet ::1 8888, successful.
netstat -ano | find "8888", the server has listened 0.0.0.0:8888 and :::8888.
Check the hosts file of OS, it's default configuration (nothing else).
Check the Network Adapter, it doesn't open IPV6 adapter.
The machine is in domain network.
The IP Security Policy is an empty list.
When I opened the MMC(Microsoft Management Console), I got a warning like this:
message box
It mean's:
Can't find resource "$(string.SiteDiscoveryEnableWMI)" (references in property displayName)
. File C:\windows\PolicyDefinitions\inetres.admx, line 64620, row 235
Anyone can tell me what's going on?

If XAMPP is running in your machine, the local server sometimes uses 127.0.0.1 as the default.
This could be the reason that ping localhost is working but telnet is not.
Otherwise check other network services or localservers you have running for any conflicts.
Cheers!

Filezilla - can't access folder when connecting with other computer using ip adress but works localhost

When I am connecting using localhost on the computer the filezilla server lies on it works perfectly fine, but when I connect with IP-Adress (It is port-forwarded correctly, im 100% sure of that) this happens:
Status: Connecting to **.**.**.**:800...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (**,**,**,**,***,***)
Command: MLSD
Error: The data connection could not be established: ECONNREFUSED -
Connection refused by server
Response: 425 Can't open data connection for transfer of "/"
Error: Failed to retrieve directory listing

When this happens, it's usually a firewall configuration problem.
Besides a control connection, FTP also uses a data connection on a different port that needs to be assigned before data trasfers.
This means that you must open ports on your firewall to allow data transfers and, of course, you should make FileZilla Server aware of that.
For passive mode transfers, you should set a range of ports from the window below:
Of course those ports should be open at the firewall too. A longer discussion can be find here.

SSH -L connection successful, but localhost port forwarding not working "channel 3: open failed: connect failed: Connection refused"

My lab runs RStudio on a server. A couple weeks ago, from my cousin's house, I successfully ssh'd into the server and pulled up the server-side RStudio through my local Firefox browser. Now when I try to access the server RStudio from home (via my own router), it doesn't work. I need help troubleshooting, and I'm guessing it's some problem on the router. I'm running Mac OSX 10.6.8. No idea what the university server's running, but I don't think it's a server-side problem.
Here's how it worked the first time I did it, at my cousin's house: first, I VPN into the university network; then I call SSH with port forwarding; then I open a Firefox browser, connect to my localhost port, and it opens up RStudio on the server side which I can access through my local browser window.
Here's the problem I'm having right now when I try to log-in from my home network:
I can make the VPN connection successfully. I can also set up SSH successfully with this command:
ssh -v -L 8783:localhost:8783 myacct#server.com
Here are the last several lines of the verbose output from the successful ssh command:
debug1: Authentication succeeded (password).
debug1: Local connections to LOCALHOST:8783 forwarded to remote address localhost:8783
debug1: Local forwarding listening on 127.0.0.1 port 8783.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on ::1 port 8783.
debug1: channel 1: new [port listener]
debug1: channel 2: new [client-session]
debug1: Entering interactive session.
Last login: Mon Sep 2 04:02:40 2013 from vpnipaddress
So I think I'm still succeeding at the VPN and SSH stage (though I don't know why it says my last login was Sep 2 when I've logged in a few times since then).
Next, I open Firefox, and I type localhost:8783, and instead of getting an RStudio server app through my browser window, I get the following errors:
In the Firefox browser window, it says: Server not found, Firefox can't find the server at www.localhost.com, Check the address for typing errors etc.
In the terminal window, it says:
debug1: Connection to port 8783 forwarding to localhost port 8783 requested.
debug1: channel 3: new [direct-tcpip]
channel 3: open failed: connect failed: Connection refused
debug1: channel 3: free: direct-tcpip: listening port 8783 for localhost port 8783, connect from 127.0.0.1 port 50420, nchannels 4
I'm not sure what I've got wrong. I haven't changed anything on my laptop since my last successful connection. I'm on my own router (instead of my cousin's), so maybe I need to mess with the firewall? I already allowed ports 22 and 8783 to come through the firewall to my laptop (I'm not even sure I needed to do that though). Help?

ssh -v -L 8783:localhost:8783 myacct#server.com
...
channel 3: open failed: connect failed: Connection refused
When you connect to port 8783 on your local system, that connection is tunneled through your ssh link to the ssh server on server.com. From there, the ssh server makes TCP connection to localhost port 8783 and relays data between the tunneled connection and the connection to target of the tunnel.
The "connection refused" error is coming from the ssh server on server.com when it tries to make the TCP connection to the target of the tunnel. "Connection refused" means that a connection attempt was rejected. The simplest explanation for the rejection is that, on server.com, there's nothing listening for connections on localhost port 8783. In other words, the server software that you were trying to tunnel to isn't running, or else it is running but it's not listening on that port.

Posting this to help someone.
Symptom:
channel 2: open failed: connect failed: Connection refused
debug1: channel 2: free: direct-tcpip:
listening port 8890 for 169.254.76.1 port 8890,
connect from ::1 port 52337 to ::1 port 8890, nchannels 8
My scenario; i had to use the remote server as a bastion host to connect elsewhere. Final Destination/Target: 169.254.76.1, port 8890. Through intermediary server with public ip: ec2-54-162-180-7.compute-1.amazonaws.com
SSH local port forwarding command:
ssh -i ~/keys/dev.tst -vnNT -L :8890:169.254.76.1:8890
glue#ec2-54-162-180-7.compute-1.amazonaws.com
What the problem was:
There was no service bound on port 8890 in the target host. i had forgotten to start the service.
How did i trouble shoot:
SSH into bastion host and then do curl.
Hope this helps.

Note: localhost is the hostname for an address using the local (loopback) network interface, and 127.0.0.1 is its IP in the IPv4 network standard (it's ::1 in IPv6). 0.0.0.0 is the IPv4 standard "current network" IP address.
I experienced this error with a Docker setup. I had a Docker container running on an external server, and I'd (correctly) mapped its ports out as 127.0.0.1:9232:9232. By port-forwarding ssh remote -L 9232:127.0.0.1:9232, I'd expected to be able to communicate with the remote server's port 9232 as if it were my own local port.
It turned out that the Docker container was internally running its process on 127.0.0.1:9232 rather than 0.0.0.0:9232, and so even though I'd specified the container's port-mappings correctly, they weren't on the correct interface for being mapped out.

In my case, it worked after running the vncserver on linux.
Entered this on linux command line : sudo ssh -L 5901:localhost:5901 -i <ssh_private_key> <username>#<public-IP-address>
Type there vncserver
Go to VncViewer application and connect using localhost:5901

I used to meet the similar problem because 'localhost' was not available on server when it restarted network service, e.g. 'ifdown -a' but followed by only 'ifup -eo1'. Besides server is not listening to the port, you can also check 'localhost' is available or not.
ps: Post it just hope someone who has the similar problem may benefit.

I had this problem when I wanted to make a vnc connection via a tunnel.
But the vncserver was not running.
I solved it by opening the channel on the remote machine with vncserver :3.

In my case, it worked after checking the correct IP address of the user credentials
previously I was using the wrong IP of the server
ssh -NfL 127.0.0.1:8084:127.0.0.1:8888 user#ip_address_of_server
after correcting it, works fine.

Encountered with the same error.
In my case, I found the problem was in the config file of jupyter.
Let's say there are 3 computers named A, B, and C, and A can access B but can't access C; B can access C.
To access jupyter-notebook service of C from A, first I established ssh tunnel from A to C through B, then I access jupyter-notebook by typing localhost:port_number, then I got the error.
Finally the problem was solved by writing the "c.NotebookApp.ip = '0.0.0.0'" in jupyter-notebook's config file, where '0.0.0.0' allows the access of other IPs.
Hope someone in a similar situation may benefit.

I had the same error when I was trying to tunnel my mlflow ui over ssh to view remotely. As mentioned in the first answer, the error arises because nothing on the server is listening for the port. This, for me, is because I forgot to start the mlflow app on my remote machine! So in general – make sure the app you're trying to access remotely is running.

Just replace localhost with 127.0.0.1.
(The answer is based on answers of other people on this page.)

This means the remote vm is not listening to current port i solved this by adding the port in the vm server

How to configure direct http access to EC2 instance?

This is a very basic Amazon EC2 question, but I'm stumped so here goes.
I want to launch an Amazon EC2 instance and allow access to HTTP on ports 80 and 8888
from anywhere. So far I can't even allow the instance to connect to on those ports using
its own IP address (but it will connect to localhost).
I configured the "default" security group for HTTP using the standard HTTP option on the management console (and also SSH).
I launched my instance in the default security group.
I connected to the instance on SSH port 22 twice and in one window launch an HTTP server
on port 80. In the other window I verify that I can connect to HTTP using the "localhost".
However when I try to access HTTP from the instance (or anywhere else) using either the public DNS or the Private IP address I het "connection refused".
What am I doing wrong, please?
Below is a console fragment showing the wget that succeeds and the two that fail run from the instance itself.
--2012-03-07 15:43:31-- http://localhost/
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /__whiff_directory_listing__ [following]
--2012-03-07 15:43:31-- http://localhost/__whiff_directory_listing__
Connecting to localhost|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “__whiff_directory_listing__”
[ <=>
] 7,512 --.-K/s in 0.03s
2012-03-07 15:43:31 (263 KB/s) - “__whiff_directory_listing__” saved [7512]
[ec2-user#ip-10-195-205-30 tmp]$ wget http://ec2-50-17-2-174.compute-1.amazonaws.com/
--2012-03-07 15:44:17-- http://ec2-50-17-2-174.compute-1.amazonaws.com/
Resolving ec2-50-17-2-174.compute-1.amazonaws.com... 10.195.205.30
Connecting to ec2-50-17-2-174.compute-1.amazonaws.com|10.195.205.30|:80... failed:
Connection refused.
[ec2-user#ip-10-195-205-30 tmp]$ wget http://10.195.205.30/
--2012-03-07 15:46:08-- http://10.195.205.30/
Connecting to 10.195.205.30:80... failed: Connection refused.
[ec2-user#ip-10-195-205-30 tmp]$

The standard tcp sockets interface requires that you bind to a particular IP address when you send or listen. There are a couple of somewhat special addresses: localhost (which you're probably familiar with) which is 127.0.0.1. There's also a special address, 0.0.0.0 or INADDR_ANY (internet protocol, special shorthand for ANY ADDRESS). It's a way to listen on ANY or more commonly, ALL addresses on the host. This is a way to tell the kernel/stack that you're not interested in a particular IP address.
So, when you're setting up a server that listens to "localhost" you're telling the service that you want to use the special reserved address that can only be reached by users of this host, and while it exists on every host, making a connection to localhost will only ever reach the host you're making the request from.
When you want a service to be reachable everywhere (on a local host, on all interfaces, etc.) you can specify 0.0.0.0.

(0) It's silly but the first thing you need to do is to make sure that your web server is running.
(1) You need to edit your Security Group to let incoming HTTP packets access your website. If your website is listening on port 80, you need to edit the Security Group to open access to port 80 as mentioned above. If your website is listening on some other port, then you need to edit the Security Group to access that other port.
(2) If you are running a Linux instance, the iptables firewall may be running by default. You can check that this firewall is active by running
sudo service iptables status
on the command line. If you get output, then the iptables firewall is running. If you get a message "Firewall not running", that's pretty self-explanatory. In general, the iptables firewall is running by default.
You have two options: knock out the firewall or edit the firewall's configuration to let HTTP traffic through. I opted to knock out the firewall as the simpler option (for me).
sudo service iptables stop
There is no real security risk in shutting down iptables because iptables, if active, merely duplicates the functionality of Amazon's firewall, which is using the Security Group to generate its configuration file. We are assuming here that Amazon AWS doesn't misconfigure its firewalls - a very safe assumption.
(3) Now, you can access the URL from your browser.
(4) The Microsoft Windows Servers also run their personal firewalls by default and you'll need to fix the Windows Server's personal firewall, too.
Correction: by AWS default, AWS does not fire up server firewalls such iptables (Centos) or UAF (Ubuntu) when you are ordering the creation of new EC2 instances - That's why EC2 instances that are in the same VPC can ssh into each other and you can "see" the web server that you fired up from another EC2 instance in the same VPC.
Just make sure that your RESTful API is listening on all interfaces i.e. 0.0.0.0:portID

As you are getting connection refused (packets are being rejected) I bet it is iptables causing the problem. Try to run
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 8888 -j ACCEPT
and test the connection.
You will also need to add those rules permanently which you can do by adding the above lines into ie. /etc/sysconfig/iptables if you are running Red Hat.

Apparently I was "binding to localhost" whereas I needed to bind to 0.0.0.0 to respond to port 80 for the all incoming TCP interfaces (?). This is a subtlety of TCP/IP that I don't fully understand yet, but it fixed the problem.

Had to do the following:
1) Enable HTTP access on the instance config, it wasn't on by default only SSH
2) Tried to do nodejs server, so port was bound to 80 -> 3000 did the following commands to fix that
iptables -F
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
sudo service iptables-persistent flush

Amazon support answered it and it worked instantly:
I replicated the issue on my end on a test Ubuntu instance and was able to solve it. The issue was that in order to run Tomcat on a port below 1024 in Ubuntu/Unix, the service needs root privileges which is generally not recommended as running a process on port 80 with root privileges is an unnecessary security risk.
What we recommend is to use a port redirection via iptables :-
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
I hope the above information helps.