ACME failure on Expressway-E 15

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ncagr.gov

I ran this command: Not sure, as it is a button on the Expressway-E virtual appliance

It produced this output: sign operation failed : The server could not connect to validation target. Connection reset by peer: agrexedge.ncagr.gov

My web server is (include version): X15.2.4

The operating system my web server runs on is (include version): TANDBERG Video Communication Server

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes, kind of.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I am using a GUI interface on the Expressway-E appliance

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not sure.

This is your firewall blocking TCP port 80 (incoming HTTP). If you are not part of your IT dept, I would suggest you talk to them, as there are security issues to consider here.


I asked them about that and they say port 80 is open. I pulled a PCAP from the Expressway E and I can see two tries.

Jason A. Reed
Systems Administrator I
2 West Edenton St.
Raleigh, NC 27601
(919) 707-3094

E-mail correspondence to and from this address may be subject to the North Carolina Public Records Law and may be disclosed to third parties.

(attachments)

The Cisco docs have more info on the process: Cisco Expressway Certificate Creation and Use Deployment Guide (X15.0) - Using ACME on Expressway-E [Cisco Expressway Series] - Cisco


Do you mean that you see two attempts from outside your network to access the /.well-known/acme-challenge path on your server? You should be seeing five. Is your firewall maybe blocking some but not all incoming connections?

Though one test I tried couldn't connect from anywhere.


The "RST, ACK" in the PCAP is a "Reset" which we see reported by HTTP requests to your domain. You are actively rejecting requests.

IssueFromLetsEncrypt
Error
A test authorization for agrexedge.ncagr.gov to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
207.4.160.37: Fetching http://agrexedge.ncagr.gov/.well-known/acme-challenge/r2D1Ms-Spe3s0EPwnQ-O531OVSUYMsmZpPQPw9_B4dk: Connection reset by peer

From: Let's Debug


I have no idea why we are rejecting these requests. Anyone have any ideas on what I can change on the Expressway-E?

I'm still working towards getting this certificate signing working. I'm getting a different error after our firewall team made some adjustments. Now I'm getting the following in Expressway Edge.

ACME sign operation failed : The server could not connect to validation target. Timeout during connect: agrexedge.ncagr.gov

Here's a snapshot of the PCAP filtered to port 80

It still looks to only be accessible from a few places.

I only see three attempts in that screenshot, though maybe others are cut off. It'd be possible to be more helpful if you could get whatever logs on that system might show the actual error message that the ACME server is replying with.


Here's the error.

The Certificate Authority reported these problems:
  Domain: agrexedge.ncagr.gov
  Type:   connection
  Detail: During secondary validation: 207.4.160.37: Fetching http://agrexedge.ncagr.gov/.well-known/acme-challenge/RK9LRdG3EJkySkM5JmT-WJIiWH4jpec9mEoWXlduruk: Timeout during connect (likely firewall problem)

  Domain: collab-edge.ncagr.gov
  Type:   connection
  Detail: During secondary validation: 207.4.160.37: Fetching http://collab-edge.ncagr.gov/.well-known/acme-challenge/kOoN-zyw7d4A56ghDUSotcs_b_uNXLqNb_yxfLJ6Rko: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the challenge files created by the --manual-auth-hook. Ensure that this hook is functioning correctly. Refer to "certbot --help manual" and the Certbot User Guide.

Thank you!

This means, as I suspected, that some locations (the "primary" validation) could connect and confirm your control over the name, but that at least some other locations (the "secondary" validations) could not.

And from those locations, the symptom is a timeout, meaning that the validation server attempts to connect to your server but just doesn't get a response in time. Usually, this means that a firewall has blocked it.

You (and/or your network/firewall administration team) may find this FAQ useful, about how Let's Encrypt needs to check from multiple places in order to validate that you actually control a domain name:

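The replies above distinguish two failure signatures for the http-01 fetch: a TCP reset ("Connection reset by peer", the RST/ACK seen in the PCAP, i.e. something actively refusing) and a silent drop ("Timeout during connect", the classic firewall symptom). The script below is an added example, not code from the thread, from Cisco, or from Let's Encrypt: it reproduces the fetch a validation perspective performs against a local stand-in responder, builds the expected key authorization the way RFC 8555 section 8.1 defines it (token, a dot, and the base64url SHA-256 thumbprint of the account JWK), and maps the socket errors onto the same "Type/Detail" wording the CA reports. The JWK, token and local server are constructed for the demonstration and are not real ACME data; the mapping of Python exceptions to the CA's phrases is my own.

```python
"""Added example: reproduce the ACME http-01 fetch locally and classify
the two failure modes seen in the thread (RST vs. timeout). Offline only;
the responder, JWK and token below are constructed test data."""
import base64
import hashlib
import http.server
import json
import socket
import threading
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.1: token '.' base64url(SHA-256(RFC 7638 JWK thumbprint)).

    The thumbprint hashes the required public members only, in lexicographic
    order, with no whitespace (RFC 7638 canonical form)."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return token + "." + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def classify_failure(exc: BaseException) -> tuple:
    """Map a fetch error onto the (Type, Detail) wording the CA reports.
    The exception-to-phrase mapping is this example's own assumption."""
    if isinstance(exc, urllib.error.HTTPError):
        # TCP and HTTP both worked: the responder was reached but answered wrongly.
        return ("unauthorized", f"Invalid response: HTTP {exc.code} (responder reached; check path/rewrites)")
    if isinstance(exc, urllib.error.URLError) and isinstance(exc.reason, BaseException):
        exc = exc.reason  # urllib wraps the underlying socket error
    if isinstance(exc, (ConnectionRefusedError, ConnectionResetError)):
        # A TCP RST came back: nothing listening on :80, or a firewall REJECT rule.
        return ("connection", "Connection reset by peer (RST: port closed or firewall rejects)")
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # No SYN/ACK and no RST: the SYN was dropped somewhere on the path.
        return ("connection", "Timeout during connect (SYN dropped: likely firewall problem)")
    return ("connection", f"other error: {exc!r}")


def fetch_challenge(host: str, port: int, token: str, expected: str, timeout: float = 3.0) -> tuple:
    """Do what one validation perspective does: GET the token, compare the body."""
    url = f"http://{host}:{port}{ACME_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except Exception as exc:  # URLError/HTTPError, socket.timeout, ConnectionResetError
        return classify_failure(exc)
    if body != expected:
        return ("unauthorized", f"body {body!r} != expected key authorization")
    return ("valid", body)


def start_challenge_server(token: str, key_authz: str):
    """Minimal stand-in for the appliance's port-80 responder (constructed for the demo)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path == ACME_PATH + token:
                data = key_authz.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the demo output quiet
            pass

    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_port() -> int:
    """Pick a loopback port nothing listens on, to provoke an RST locally."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample account key (public part only) and token; not real ACME data.
    jwk = {"kty": "EC", "crv": "P-256",
           "x": "WbbXKa0FSGBDKvwBJbcH5b9u1GQEDsNtPdbN9EYaJ-U",
           "y": "I-RQIAqSuPrkS4pWnj1ySx3E0BIyW-oQlZ6xU-E7RS0"}
    token = "r2D1Ms-Spe3s0EPwnQ-O531OVSUYMsmZpPQPw9_B4dk"
    authz = key_authorization(token, jwk)
    srv, port = start_challenge_server(token, authz)
    print("responder listening:", fetch_challenge("127.0.0.1", port, token, authz))
    print("nothing on the port:", fetch_challenge("127.0.0.1", closed_port(), token, authz))
    srv.shutdown()
```

Running it on the appliance's own subnet only tells you what one vantage point sees; the thread's point is that the CA fetches from several networks and the "secondary validation" ones are the ones being dropped, so the useful check is to run this (or a plain curl of the same URL) from a host outside the organisation's address space while the firewall team watches for the SYN. A "Connection reset" result means a device answered with RST; a "Timeout" means the SYN never produced any reply, which points at a drop rule or missing NAT rather than at the Expressway.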
