Acme.sh: connection reset by peer

ElderOrb · March 14, 2023, 3:20pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
eldernode2.ddns.net

I ran this command:
acme.sh --issue --standalone -d eldernode2.ddns.net --force --debug 2

It produced this output:
.....
GET /.well-known/acme-challenge/PwyV7akv3TROEwM1Ut7-b2V4pxQCy6ea0N0Vhs1y5fQ HTTP/1.1
Host: eldernode2.ddns.net
User-Agent: acme.zerossl.com/v2/DV90
Cache-Control: no-cache
Accept-Encoding: gzip
Connection: close

1< 2023/03/14 15:18:56.278741 length=126 from=0 to=125
HTTP/1.0 200 OK\r
Content-Length: 87\r
\r
PwyV7akv3TROEwM1Ut7-b2V4pxQCy6ea0N0Vhs1y5fQ.QJW1zxMm33dsaIggao6UWppSzRdG2rGiBV73j2_qgjg2023/03/14 15:18:56 socat[1606627] N childdied(): handling signal 17
2023/03/14 15:18:56 socat[1606627] W read(5, 0x55d14231e230, 8192): Connection reset by peer
2023/03/14 15:18:56 socat[1606627] N socket 2 to socket 1 is in error
2023/03/14 15:18:56 socat[1606627] N socket 2 (fd 5) is at EOF
2023/03/14 15:18:56 socat[1606627] N socket 1 (fd 6) is at EOF
2023/03/14 15:18:56 socat[1606627] N socket 2 (fd 5) is at EOF
2023/03/14 15:18:56 socat[1606627] N exiting with status 0
.....

My web server is (include version):
n/a

The operating system my web server runs on is (include version):
ubuntu 20.04

My hosting provider, if applicable, is:
vultr

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Bruce5051 · March 14, 2023, 3:26pm

Port 80 and 443 are both CLOSE; Best Practice - Keep Port 80 Open
HTTP-01 Challenge requires Port 80 access; please see https://letsencrypt.org/docs/challenge-types/#http-01-challenge
Using Let's Debug yields these results https://letsdebug.net/eldernode2.ddns.net/1407446; 2 ERRORS

$ curl -Ii http://eldernode2.ddns.net/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to eldernode2.ddns.net port 80 after 174 ms: Connection refused

$ nmap -Pn eldernode2.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-14 15:22 UTC
Nmap scan report for eldernode2.ddns.net (45.76.43.163)
Host is up (0.16s latency).
rDNS record for 45.76.43.163: 45.76.43.163.vultrusercontent.com
Not shown: 990 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
1080/tcp closed socks
1443/tcp closed ies-lm
3920/tcp closed exasoftport1
8080/tcp open   http-proxy
8081/tcp open   blackice-icecap
8082/tcp closed blackice-alerts
8083/tcp closed us-srv

Nmap done: 1 IP address (1 host up) scanned in 10.04 seconds

Osiris · March 14, 2023, 3:28pm

Looks like you're trying to get a certificate from the CA called "ZeroSSL". This is the Let's Encrypt Community. As acme.sh is also an ACME client owned by ZeroSSL, you might have more luck with the ZeroSSL support channels at https://help.zerossl.com/hc/en-us.

ElderOrb · March 14, 2023, 3:59pm

This is definitely not the case - opened them in both vultr's firewall and via ufw. Also installed apach2 - it is perfectly accessible from outside.

ElderOrb · March 14, 2023, 4:04pm

ah, beg pardon, thought acme is part of letsencrypt

Bruce5051 · March 14, 2023, 4:10pm

Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

Bruce5051 · March 14, 2023, 4:12pm

This is the RFC 8555: Automatic Certificate Management Environment (ACME)

MikeMcQ · March 14, 2023, 4:48pm

You can use the acme.sh ACME Client to get a cert from the Let's Encrypt ACME Server using --server letsencrypt on the command line

rg305 · March 14, 2023, 5:09pm

The "peer" presumably being:

If so, then we have no insight as to why that has happened.

Also, be careful with the use/misuse of the:

Bruce5051 · March 14, 2023, 5:21pm

For me nmap -Pn still say otherwise

$ nmap -Pn eldernode2.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-14 17:20 UTC
Nmap scan report for eldernode2.ddns.net (45.76.43.163)
Host is up (0.16s latency).
rDNS record for 45.76.43.163: 45.76.43.163.vultrusercontent.com
Not shown: 990 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
1080/tcp closed socks
1443/tcp closed ies-lm
3920/tcp closed exasoftport1
8080/tcp open   http-proxy
8081/tcp open   blackice-icecap
8082/tcp closed blackice-alerts
8083/tcp closed us-srv

Nmap done: 1 IP address (1 host up) scanned in 9.99 seconds

rg305 · March 14, 2023, 5:30pm

@ElderOrb, @Bruce5051
What IP is resolved for?:
eldernode2.ddns.net

@ElderOrb, what shows?
curl ifconfig.io

Bruce5051 · March 14, 2023, 5:31pm

Bruce5051 · March 14, 2023, 5:33pm

I see this

rg305 · March 14, 2023, 5:36pm

I saw that too, I'm just making sure both of you are using the same IP.
And that the IP being used is the one where the server is at now.

Bruce5051 · March 14, 2023, 5:47pm

And https://letsdebug.net/eldernode2.ddns.net/1407650 shows the same IPv4 Address as well.

ANotWorking
ERROR
eldernode2.ddns.net has an A (IPv4) record (45.76.43.163) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://eldernode2.ddns.net/.well-known/acme-challenge/letsdebug-test": dial tcp 45.76.43.163:80: connect: connection refused

Trace:
@0ms: Making a request to http://eldernode2.ddns.net/.well-known/acme-challenge/letsdebug-test (using initial IP 45.76.43.163)
@0ms: Dialing 45.76.43.163
@83ms: Experienced error: dial tcp 45.76.43.163:80: connect: connection refused

IssueFromLetsEncrypt
ERROR
A test authorization for eldernode2.ddns.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
45.76.43.163: Fetching http://eldernode2.ddns.net/.well-known/acme-challenge/6zrpz0W1L5VUuZm24qgLFNpHvihIcBm47_pX36SxcIQ: Connection refused

rg305 · March 14, 2023, 5:53pm

I get two different errors:

curl -Iik http://45.76.43.163
curl: (56) Recv failure: Connection reset by peer

curl -Iik https://45.76.43.163
curl: (7) Failed to connect to 45.76.43.163 port 443: Connection refused

But I'm still not convinced this is the right IP.

ElderOrb · March 14, 2023, 6:03pm

curl ifconfig.io -4
45.76.43.163

Bruce5051 · March 14, 2023, 6:06pm

Please demonstrate.

ElderOrb · March 14, 2023, 6:06pm

eldernode2.ddns.net is 45.76.43.163

ElderOrb · March 14, 2023, 6:07pm

sure, just installed apache2

Topic		Replies	Views
Certificate Manual renew error : Connection reset by peer Help	3	522	July 26, 2022
[solved] Probably my addresses was banned Help	11	8562	December 3, 2017
Connection reset by peer on renewal Help	14	4981	December 13, 2018
Wonder why acme.sh loops with wget returning 2 on nonce request Help	13	4107	October 4, 2018
Urn:ietf:params:acme:error:connection Help	3	1952	March 21, 2023

Acme.sh: connection reset by peer

Related topics