Again reset by peer

For a client I installed a docker compose setup with nginx, react, node and certbot.
I managed to create a certificate; it expired a few days ago and I can renew or create a new certificate.
Challenge reset by peer.

I also removed all https config and kept only http on port 80, and the web site is working fine,
but I still can't create a certificate.

I have a similar project with same config on another server for another client and no issue.

I looked at all the config and the only issue that could be is a firewall issue, but which one?
As I don't know how to keep the challenge file (it's deleted after the test),
I added a file in the acme-challenge directory and tried to download it with curl.

nginx config for Let's Encrypt:

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/certbot;
}

My domain is: sam.sophia.inrae.fr

I ran this command: curl -O http://sam.sophia.inrae.fr/.well-known/acme-challenge/Test_File-1234

It produced this output:
In local server:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15 100 15 0 0 1000 0 --:--:-- --:--:-- --:--:-- 1000

The ping displays the public IP address; it's not running as localhost.

In remote client:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (56) Recv failure: Connection reset by peer

My web server is (include version): nginx:alpine latest

The operating system my web server runs on is (include version): debian 5.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot/certbot:latest

Hi @srodrigues37, and welcome to the LE community forum :slight_smile:

Something is not working as expected.

curl -I http://sam.sophia.inrae.fr/.well-known/acme-challenge
HTTP/1.1 200 OK
Server: nginx/1.21.5
Date: Tue, 10 May 2022 08:27:04 GMT
Content-Type: text/html
Content-Length: 3307
Connection: keep-alive
Last-Modified: Mon, 09 May 2022 13:52:47 GMT
ETag: "62791caf-ceb"
Accept-Ranges: bytes

curl -I http://sam.sophia.inrae.fr/.well-known/acme-challenge/
curl: (52) Empty reply from server

Are you using a Palo Alto firewall?

1 Like

Hi, I have no idea and no access to the firewall.
The support says "All is working and fine".
That's why I posted this question.
What is the minimal requirement for the firewall?
I'll send it to the support for updates.

There is specifically a recent problem with Palo Alto firewalls implementing a default policy which blocks '/.well-known/acme-challenge/' HTTP requests, so that requires a change on the firewall.

Also make sure /var/www/certbot is a real path that is accessible by certbot within docker as this rule is trying to set this as the default place to write challenge response files. I assume it is and you've created a file in there called Test_File-1234.

You can possibly test the firewall idea by changing the nginx config from /.well-known/acme-challenge/ to /.well-known/acme-test/ and then trying to access http://sam.sophia.inrae.fr/.well-known/acme-test/Test_File-1234 - if that works you know something else is intercepting the request based on the URL.

3 Likes
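The comparison suggested above (same token file, fetched once under /.well-known/acme-challenge/ and once under a renamed control location) can be scripted so the two results are compared mechanically. The script below is an added example written for this thread, not code posted by any participant or shipped by certbot or nginx. It assumes nginx serves a second location /.well-known/acme-test/ from the same root /var/www/certbot, that the file Test_File-1234 exists there, and it uses invented environment variables PROBE_HOST and PROBE_TOKEN to select the host and token. A reset on the challenge path while the control path answers 200 points at a URL-matching device in front of nginx; a reset on both points at port 80 being blocked generally; a 404 points at the container volume not being the directory certbot writes to.

```shell
#!/bin/sh
# Added diagnostic for this thread: probe the HTTP-01 challenge URL and a
# control URL on the same host, then classify whether a "connection reset"
# is specific to /.well-known/acme-challenge/ or affects port 80 in general.
# Assumes nginx also serves /.well-known/acme-test/ from the same root
# (as suggested in the thread) and that the token file exists there.

# classify <curl_exit_code> <http_status>: one-word verdict for a single probe.
classify() {
  case "$1" in
    0)
      case "$2" in
        200) echo "reachable" ;;
        404) echo "file-missing" ;;
        *)   echo "http-$2" ;;
      esac ;;
    52|56) echo "connection-reset" ;;   # empty reply / recv failure: reset by peer
    7)     echo "connect-failed" ;;
    28)    echo "timeout" ;;
    *)     echo "curl-error-$1" ;;
  esac
}

# diagnose <challenge_verdict> <control_verdict>: compare the two probes.
diagnose() {
  case "$1:$2" in
    reachable:*)                        echo "ok" ;;
    connection-reset:reachable)         echo "path-intercepted" ;;
    connection-reset:connection-reset)  echo "port-blocked" ;;
    file-missing:*)                     echo "root-mismatch" ;;
    *)                                  echo "inconclusive" ;;
  esac
}

# explain <diagnosis>: human-readable meaning of the diagnosis token.
explain() {
  case "$1" in
    ok)               echo "challenge path reachable from outside; HTTP-01 can proceed" ;;
    path-intercepted) echo "only /.well-known/acme-challenge/ is reset: a device between client and nginx matches on the URL; nginx itself is fine" ;;
    port-blocked)     echo "both paths reset: port 80 is blocked generally, not by a path-specific rule" ;;
    root-mismatch)    echo "nginx answers 404: check that root /var/www/certbot is the same volume certbot writes to" ;;
    *)                echo "inconclusive; inspect raw curl output for both URLs" ;;
  esac
}

# probe <url>: fetch once and print the verdict. Safe under set -e because
# curl's exit code is captured rather than allowed to abort the script.
probe() {
  rc=0
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1") || rc=$?
  classify "$rc" "$status"
}

main() {
  host="${PROBE_HOST:?set PROBE_HOST to the domain to test}"
  token="${PROBE_TOKEN:-Test_File-1234}"   # constructed default, matches the thread's test file
  challenge=$(probe "http://$host/.well-known/acme-challenge/$token")
  control=$(probe "http://$host/.well-known/acme-test/$token")
  verdict=$(diagnose "$challenge" "$control")
  echo "challenge=$challenge control=$control -> $verdict"
  explain "$verdict"
}

# Run the live probes only when a host is given, e.g.
#   PROBE_HOST=sam.sophia.inrae.fr sh acme_probe.sh
if [ -n "${PROBE_HOST:-}" ]; then main; fi
```

Run it from a host outside the network in question, since the thread shows the local server fetching the file successfully while the remote client gets the reset; the classification only means something when the probe crosses the same path the ACME validation servers would take.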

You're right, it works with acme_test. Is there a way to change the default acme_challenge path?

No. You should show your network support people the info from the topic below. Your system is failing with the identical symptoms:

5 Likes

Many thanks for your help, I sent the request to the network support.

2 Likes