SSL setup error Acme Challenge Invalid Status Connection Refused

Hey there. I am trying to set up SSL, and getting an Acme Challenge error. It is getting an Invalid Status: Connection Refused.

The app runs fine under HTTP, so no issues there. The website is up and available at http://www.utopidy.com. I just installed it ground up a week or two ago, so everything should be latest Ghost/Ubuntu/MySQL etc.

I suspect the issue lies in my hosting, and some connectivity error. I am running the server literally at home in my basement. I know… not really ideal for production use but I am just at the beginning of this, so I have little risk (and no money for hosting) so I am just using what I have until I understand better what my needs are.

What is somewhat unique is that I am running it in WSL2 on Windows 11. Which so far has been fine. I have a port forward rule in place on my Google router to go from 80 → 8080 on my server. I am a fairly adept dev, but networking was never part of my toolkit.

Appreciate any help! BTW, love the product so far!

The ACME challenge basically sends an HTTP request to http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. So, this route must be accessible for the challenge.

Some proxies (Cloudflare, if not set up correctly) don’t forward these requests, which then makes it look as if they were declined – and the certificate cannot be issued.

So, make sure that there is nothing blocking these requests (ISP? Firewall?).

The other thing to note is that Let’s Encrypt only allows 5 certificates to be issued for the same hostname within 7 days. So, if this quota has been reached already (for example, if the certificate has been issued by Let’s Encrypt, but something in your stack hasn’t saved it properly), Let’s Encrypt might just block further requests.

For both cases it should show you a proper error, though.

Can you perhaps describe in more detail which steps you are taking and what you’re getting back?


Thanks for the response. Sure, here are steps and all the info I got back:

$ ghost setup ssl
Enter email address
sudo /etc/letsencrypt/acme.sh --upgrade --home /etc/letsencrypt

  • sudo /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --server letsencrypt --domain utopidy.com --webroot /var/www/utopidy/system/nginx-root --reloadcmd "nginx -s reload" --accountemail x@x.com --keylength 2048
    ✖ Setting up SSL
    One or more errors occurred.
  1. ProcessError

Message: Command failed: /bin/sh -c sudo -S -p '#node-sudo-passwd#' /etc/letsencrypt/acme.sh --issue --home /etc/letsencrypt --server letsencrypt --domain utopidy.com --webroot /var/www/utopidy/system/nginx-root --reloadcmd "nginx -s reload" --accountemail x@x.com --keylength 2048
[Sun Feb 16 06:51:09 MST 2025] utopidy.com: Invalid status. Verification error details: 136.38.137.164: Fetching http://utopidy.com/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX: Connection refused
[Sun Feb 16 06:51:09 MST 2025] Please add '--debug' or '--log' to see more information.
[Sun Feb 16 06:51:09 MST 2025] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

[Sun Feb 16 06:51:06 MST 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Feb 16 06:51:06 MST 2025] Single domain='utopidy.com'
[Sun Feb 16 06:51:07 MST 2025] Getting webroot for domain='utopidy.com'
[Sun Feb 16 06:51:07 MST 2025] Verifying: utopidy.com
[Sun Feb 16 06:51:07 MST 2025] Pending. The CA is processing your order, please wait. (1/30)

Exit code: 1

Debug Information:
OS: Ubuntu, v24.04.1 LTS
Node Version: v18.20.6
Ghost Version: 5.109.0
Ghost-CLI Version: 1.26.1
Environment: production
Command: 'ghost setup ssl'

Additional log info available in: /x/xxxxx/.ghost/logs/ghost-cli-debug-2025-02-16T13_51_09_627Z.log

Try running ghost doctor to check your system for known issues.

You can always refer to Ghost-CLI - A fully loaded tool for installation and configuration for troubleshooting.

[end]

It’s good to know that they only issue so many. I have attempted this, at most twice… because I think it tried once during initial install, maybe when I chose Yes to install SSL. I will use caution in running again. Also, I did replace info that might be sensitive with xxxx, but I can provide it if it is necessary for debugging. Thanks again!

Hm, nothing stands out to me there.

My best guess is – as you pointed out in your initial post – WSL networking. I have only used WSL briefly and got annoyed with it because, well… routing wasn’t very straightforward.

You could, of course, set up the SSL certificate manually by doing a DNS challenge from Let’s Encrypt instead: Challenge Types - Let's Encrypt

My assumption, based on these logs, would be that this certificate would then be recognised, since it is actively querying the Let’s Encrypt directory.

Ok, thanks. The good news is I figured it out. As suspected, it had to do with routing into the WSL. In the first release of WSL, you had to do a proxy port forward from Windows into the WSL. Supposedly, this was fixed with WSL2 but I still can’t get it to work without adding a forward. Plus, I need the forward in the Google router to send the web traffic to my server.

I modified the Google port forward to be straight 80 → 80, and then the Windows to WSL2 port forward to be 80 → 80, and it worked. The SSL was generated and the setup completed.

Now, I have to get it all working over 443, and set Ghost back up. But now that I have a pretty clear picture of what I THINK is going on, maybe it will go smoothly. Thanks for the help, you let me know that I should likely keep focusing on the routing.

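The following is an added example and is not code from this thread, from Ghost, or from acme.sh. It reproduces what the HTTP-01 challenge described in the first answer does (fetch `http://<DOMAIN>/.well-known/acme-challenge/<TOKEN>` and compare the body to the token) and tries that fetch against each hop on the path the last post ends up fixing: nginx inside WSL2, the Windows host that forwards 80 into WSL2, and the public address the router forwards. It sends the real domain in the `Host:` header so each hop can be tested without touching DNS. The domain and webroot defaults are copied from the acme.sh command line shown above; the assumption that the Windows host is reachable from WSL2 at WSL's default gateway, the assumption that the public IP is the domain's A record, and the `--run` flag and function names are this example's own, not Ghost's or acme.sh's. It needs bash, curl, getent and iproute2 inside the WSL2 instance and write access to the webroot.

```shell
#!/usr/bin/env bash
# Added example, not code from the forum thread, Ghost, or acme.sh.
# Simulates Let's Encrypt's HTTP-01 fetch of
#   http://<DOMAIN>/.well-known/acme-challenge/<TOKEN>
# against each hop on the path described in the thread:
#   nginx inside WSL2 -> Windows host (port forward into WSL2) -> public IP (router forward).
# Run inside the WSL2 instance that hosts Ghost:   ./acme-probe.sh --run
set -u

# Defaults copied from the acme.sh command line shown in the thread; override via env.
DOMAIN="${DOMAIN:-utopidy.com}"
WEBROOT="${WEBROOT:-/var/www/utopidy/system/nginx-root}"
CHALLENGE_DIR="$WEBROOT/.well-known/acme-challenge"

# Assumption: from WSL2 the Windows host answers at WSL's default gateway address.
WINDOWS_HOST_IP="${WINDOWS_HOST_IP:-$(ip route show default 2>/dev/null | awk 'NR==1{print $3}')}"
# Assumption: the public address is the domain's A record.
PUBLIC_IP="${PUBLIC_IP:-$(getent ahostsv4 "$DOMAIN" 2>/dev/null | awk 'NR==1{print $1}')}"

# Map curl's exit status, the HTTP status and the body to a one-word diagnosis.
# Pure function (no network), so the classification can be tested on its own.
classify_fetch() {
  local curl_rc="$1" http_code="$2" body="$3" token="$4"
  case "$curl_rc" in
    0)  ;;                                   # connected; judge by the HTTP status below
    7)  echo "connection-refused"; return ;; # curl 7: failed to connect (what the CA reported)
    28) echo "timeout"; return ;;            # curl 28: nothing answered (dropped packet / firewall)
    *)  echo "curl-error-$curl_rc"; return ;;
  esac
  case "$http_code" in
    200) if [ "$body" = "$token" ]; then echo "ok"; else echo "wrong-content"; fi ;;
    404) echo "not-found" ;;                 # reached a web server, but not the acme webroot
    301|302|307|308) echo "redirect" ;;      # Let's Encrypt follows redirects; check where it lands
    *)   echo "http-$http_code" ;;
  esac
}

# Fetch the token from one address while presenting the real domain in the Host header.
fetch_token() {
  local addr="$1" token="$2" tmp http_code rc
  tmp=$(mktemp)
  http_code=$(curl -sS --max-time 5 -H "Host: $DOMAIN" -o "$tmp" -w '%{http_code}' \
                   "http://$addr/.well-known/acme-challenge/$token" 2>/dev/null)
  rc=$?                                      # exit status of curl inside the substitution
  classify_fetch "$rc" "${http_code:-000}" "$(cat "$tmp")" "$token"
  rm -f "$tmp"
}

# Drop a throwaway token where acme.sh would put its own, probe every hop, then clean up.
probe_hops() {
  local token="probe-$(date +%s)-$RANDOM" hop label addr result status=0
  mkdir -p "$CHALLENGE_DIR" && printf '%s' "$token" > "$CHALLENGE_DIR/$token" || {
    echo "cannot write to $CHALLENGE_DIR (run as the user that owns the webroot, or with sudo)"
    return 1
  }
  for hop in "nginx-in-wsl2=127.0.0.1" "windows-host=$WINDOWS_HOST_IP" "public=$PUBLIC_IP"; do
    label="${hop%%=*}"; addr="${hop#*=}"
    if [ -z "$addr" ]; then
      printf '%-14s %s\n' "$label" "skipped (address unknown)"
      continue
    fi
    result=$(fetch_token "$addr" "$token")
    printf '%-14s %-18s %s\n' "$label" "$addr" "$result"
    [ "$result" = "ok" ] || status=1
  done
  rm -f "$CHALLENGE_DIR/$token"
  return "$status"
}

if [ "${1:-}" = "--run" ]; then
  probe_hops
fi
```

Read the output hop by hop: `connection-refused` on `windows-host` but `ok` on `nginx-in-wsl2` points at the Windows-to-WSL2 forward, exactly the layer the thread's fix touched; `not-found` means a web server answered but is not serving the acme webroot; `ok` everywhere is necessary but not sufficient, because Let's Encrypt validates from several external vantage points, and a refused or timed-out `public` hop tested from inside your own LAN can be NAT loopback on the router rather than a broken forward, so confirm that hop from outside (a phone on mobile data is enough). While iterating, issue against the staging environment (acme.sh's `--staging` option) so the duplicate-certificate rate limit mentioned in the first answer is not consumed by failed attempts.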