Acme.sh: connection reset by peer

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
eldernode2.ddns.net

I ran this command:
acme.sh --issue --standalone -d eldernode2.ddns.net --force --debug 2

It produced this output:
.....
GET /.well-known/acme-challenge/PwyV7akv3TROEwM1Ut7-b2V4pxQCy6ea0N0Vhs1y5fQ HTTP/1.1
Host: eldernode2.ddns.net
User-Agent: acme.zerossl.com/v2/DV90
Cache-Control: no-cache
Accept-Encoding: gzip
Connection: close

1< 2023/03/14 15:18:56.278741 length=126 from=0 to=125
HTTP/1.0 200 OK\r
Content-Length: 87\r
\r
PwyV7akv3TROEwM1Ut7-b2V4pxQCy6ea0N0Vhs1y5fQ.QJW1zxMm33dsaIggao6UWppSzRdG2rGiBV73j2_qgjg2023/03/14 15:18:56 socat[1606627] N childdied(): handling signal 17
2023/03/14 15:18:56 socat[1606627] W read(5, 0x55d14231e230, 8192): Connection reset by peer
2023/03/14 15:18:56 socat[1606627] N socket 2 to socket 1 is in error
2023/03/14 15:18:56 socat[1606627] N socket 2 (fd 5) is at EOF
2023/03/14 15:18:56 socat[1606627] N socket 1 (fd 6) is at EOF
2023/03/14 15:18:56 socat[1606627] N socket 2 (fd 5) is at EOF
2023/03/14 15:18:56 socat[1606627] N exiting with status 0
.....

My web server is (include version):
n/a

The operating system my web server runs on is (include version):
ubuntu 20.04

My hosting provider, if applicable, is:
vultr

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Port 80 and 443 are both CLOSED; Best Practice - Keep Port 80 Open
HTTP-01 Challenge requires Port 80 access; please see https://letsencrypt.org/docs/challenge-types/#http-01-challenge
Using Let's Debug yields these results https://letsdebug.net/eldernode2.ddns.net/1407446; 2 ERRORS

$ curl -Ii http://eldernode2.ddns.net/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to eldernode2.ddns.net port 80 after 174 ms: Connection refused
$ nmap -Pn eldernode2.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-14 15:22 UTC
Nmap scan report for eldernode2.ddns.net (45.76.43.163)
Host is up (0.16s latency).
rDNS record for 45.76.43.163: 45.76.43.163.vultrusercontent.com
Not shown: 990 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
1080/tcp closed socks
1443/tcp closed ies-lm
3920/tcp closed exasoftport1
8080/tcp open   http-proxy
8081/tcp open   blackice-icecap
8082/tcp closed blackice-alerts
8083/tcp closed us-srv

Nmap done: 1 IP address (1 host up) scanned in 10.04 seconds

Looks like you're trying to get a certificate from the CA called "ZeroSSL". This is the Let's Encrypt Community. As acme.sh is also an ACME client owned by ZeroSSL, you might have more luck with the ZeroSSL support channels at https://help.zerossl.com/hc/en-us.

4 Likes

This is definitely not the case - opened them in both vultr's firewall and via ufw. Also installed apache2 - it is perfectly accessible from outside.

ah, beg pardon, thought acme was part of letsencrypt :slight_smile:

Kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist. :slight_smile:

1 Like

This is the RFC 8555: Automatic Certificate Management Environment (ACME)

1 Like

You can use the acme.sh ACME Client to get a cert from the Let's Encrypt ACME Server using --server letsencrypt on the command line

3 Likes

The "peer" presumably being:

If so, then we have no insight as to why that has happened.

Also, be careful with the use/misuse of the:

3 Likes

For me nmap -Pn still says otherwise

$ nmap -Pn eldernode2.ddns.net
Starting Nmap 7.80 ( https://nmap.org ) at 2023-03-14 17:20 UTC
Nmap scan report for eldernode2.ddns.net (45.76.43.163)
Host is up (0.16s latency).
rDNS record for 45.76.43.163: 45.76.43.163.vultrusercontent.com
Not shown: 990 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
1080/tcp closed socks
1443/tcp closed ies-lm
3920/tcp closed exasoftport1
8080/tcp open   http-proxy
8081/tcp open   blackice-icecap
8082/tcp closed blackice-alerts
8083/tcp closed us-srv

Nmap done: 1 IP address (1 host up) scanned in 9.99 seconds
1 Like

@ElderOrb, @Bruce5051
What IP is resolved for?:
eldernode2.ddns.net

@ElderOrb, what shows?
curl ifconfig.io

2 Likes


I see this

1 Like

I saw that too, I'm just making sure both of you are using the same IP.
And that the IP being used is the one where the server is at now.

2 Likes

And https://letsdebug.net/eldernode2.ddns.net/1407650 shows the same IPv4 Address as well.

ANotWorking
ERROR
eldernode2.ddns.net has an A (IPv4) record (45.76.43.163) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://eldernode2.ddns.net/.well-known/acme-challenge/letsdebug-test": dial tcp 45.76.43.163:80: connect: connection refused

Trace:
@0ms: Making a request to http://eldernode2.ddns.net/.well-known/acme-challenge/letsdebug-test (using initial IP 45.76.43.163)
@0ms: Dialing 45.76.43.163
@83ms: Experienced error: dial tcp 45.76.43.163:80: connect: connection refused
IssueFromLetsEncrypt
ERROR
A test authorization for eldernode2.ddns.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
45.76.43.163: Fetching http://eldernode2.ddns.net/.well-known/acme-challenge/6zrpz0W1L5VUuZm24qgLFNpHvihIcBm47_pX36SxcIQ: Connection refused

I get two different errors:

curl -Iik http://45.76.43.163
curl: (56) Recv failure: Connection reset by peer

curl -Iik https://45.76.43.163
curl: (7) Failed to connect to 45.76.43.163 port 443: Connection refused

But I'm still not convinced this is the right IP.

2 Likes
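As an added illustration of the port-80 check the volunteers are running above (the nmap/curl post and the Let's Debug report), here is a Python script that stands up a minimal HTTP-01 responder like the socat listener acme.sh starts in --standalone mode, then replays the CA's validation GET and classifies the outcome the way curl and Let's Debug do: "refused" (nothing listening, nmap's "closed"), "reset" (the peer accepted the TCP connection and then dropped it), "http-404" (listener up but wrong token) or "ok". This is example code, not from the thread or from acme.sh; the token, thumbprint, loopback address and the `start_responder`/`probe` names are constructed for the demo.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed sample values, not the real token/thumbprint from the thread.
TOKEN = "sampleTokenAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
THUMBPRINT = "sampleAccountKeyThumbprintBBBBBBBBBBBBBBBBBBB"
KEY_AUTH = f"{TOKEN}.{THUMBPRINT}"  # RFC 8555 s8.1 key authorization, as socat served it
CHALLENGE_PATH = f"/.well-known/acme-challenge/{TOKEN}"

class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-alone responder, like the socat listener acme.sh spawns."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        if self.path != CHALLENGE_PATH:
            self.send_error(404)
            return
        body = KEY_AUTH.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_responder(port=0):
    """Bind 127.0.0.1:<port> (0 = ephemeral) and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(host, port, token, expected_key_auth):
    """Replay the CA's validation GET and classify the result like Let's Debug."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return "ok" if resp.read().decode() == expected_key_auth else "wrong-body"
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"  # listener up, but wrong path/token
    except OSError as e:  # URLError is an OSError; unwrap the socket error it carries
        err = getattr(e, "reason", e)
    if isinstance(err, ConnectionRefusedError):
        return "refused"  # nothing listening on that port: nmap's "closed"
    if isinstance(err, ConnectionResetError):
        return "reset"  # peer accepted the TCP connection, then dropped it
    return f"error:{err}"
```

Run probe() from an outside host against your public IP on port 80 to see what the CA sees; for the host in this thread it should return "refused", matching the nmap and Let's Debug results.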

curl ifconfig.io -4
45.76.43.163

Please demonstrate.

eldernode2.ddns.net is 45.76.43.163

sure, just installed apache2 :slight_smile: