Authenticate failed. Reason: 'Authentication failed because the remote party has closed the transport stream

rshinde · January 3, 2023, 10:02am

I am getting cryptographic error whenever I am running load testing. I am using certbot 0.31.0 on Apache/2.4.18. Is this error due to low certbot version? Will it fix if we use latest certbot version?

My domain is:https://iteachmsu.venturit.org/

I ran this command: ran load testing to https://user.dotcom-monitor.com/

It produced this output: Resulted into Cryptographic Error (100) authenticate failed. Reason: 'Authentication failed because the remote party has closed the transport stream

My web server is (include version): Apache/2.4.18

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot version: 0.31.0

orangepizza · January 3, 2023, 10:17am

that long string is change every order, and as you select the manual you have to update the challenge response by yourself. did you do that?

rshinde · January 3, 2023, 10:36am

Thanks for response @orangepizza , sorry but I am not getting this. Which long string changes every order? and how to update the challenge response?

orangepizza · January 3, 2023, 10:57am

let's try sudo certbot --apache and see if certbot is smart enough to figure it out by itself

Osiris · January 3, 2023, 2:25pm

What does that mean, exactly?

rshinde · January 3, 2023, 2:41pm

it just do load testing by opening list of urls we give and capture time required to launch set of pages.

Osiris · January 3, 2023, 3:28pm

And that results in some kind of error? Could you please share the exact error message?

linkp · January 3, 2023, 3:32pm

The error provided in the first post suggests that this is a problem with the web server under load and has no relation to certificate issuance, Let's Encrypt, or Certbot.

MikeMcQ · January 3, 2023, 3:38pm

I agree with linkp that this looks like a server failure under load.

But, is your error when connecting to user.dotcom-monitor.com
Because that domain is using a wildcard cert from Sectigo so wouldn't be a Let's Encrypt problem anyway

Osiris · January 3, 2023, 3:39pm

Yup, it does suggest that very much. Perhaps my request for confirmation wasn't necessary indeed.

Not something for this Community I think.

rshinde · January 4, 2023, 4:06pm

Here is error message

**Cryptographic Error (100)**Authenticate failed. Reason: 'Authentication failed because the remote party has closed the transport stream.'.

Bruce5051 · January 4, 2023, 4:09pm

Supplemental information: That is an old version of Certbot. Here is information on a newer one Certbot 2.1.0 Release

rg305 · January 4, 2023, 8:43pm

Other than removing TSLv1.0[&1.1], and maybe the DHE ciphers, I don't see anything wrong with the TLS service.
That said, you may need to check the resources available to it.

memory
CPU

If all is in order and this problem continues...
I would suggest you try using another web server - like: nginx

_az · January 4, 2023, 9:13pm

That looks like a "connection reset" error, which is pretty normal to see during load testing. I think it's more than likely that the "Cryptographic error" and "authenticate failed" are red herrings and the underlying cause is a networking one.

My main question is whether it happens on every connection attempt from the load testing tool, or whether it just happens "eventually" during the load test.

The former (the load test fails immediately) would indicate that dotcom-monitor doesn't like the TLS configuration of your Apache server. This probably doesn't have anything to do with your certificate or Certbot, but would be more about ciphersuites and protocol versions. You can look at https://ssl-config.mozilla.org/ for hints about that.

(It could also be that you have a firewall that has blocked the dotcom-monitor server - some firewalls produce "connection reset" errors when they block a host).

The latter (the load test eventually fails with that error) is pretty normal and would have to do with the performance tuning of your operating system and web server.

Bruce5051 · January 4, 2023, 9:52pm

Is there any possibility that SHA-1 and/or TLS v1.0/v1.1 is being used?

rg305 · January 4, 2023, 10:18pm

There is always that possibility.
Although the logs, dotcom-monitor, and the wire will know for sure, it doesn't seem to be very relevant from what has been given/shown.
When it can do it 1 time without error, but then can't do it 100 at a time, that seems more like an overload than a block or major misconfiguration.

Osiris · January 5, 2023, 6:11am

That's all related to the LE ACME API while OP is testing a third party website. So I don't see any relation between this.

Bruce5051 · January 5, 2023, 3:41pm

Yeah, the title of "Authenticate failed. Reason: ‘Authentication failed because the remote party has closed the transport stream" lead me down a wrong path. I have troubles sometimes with pronouns or implied nouns such as "remote party".

rshinde · January 10, 2023, 6:56am

thanks for reply, actually apache is must. Can change it due to compatibility of third party SSO.

rg305 · January 10, 2023, 7:03am

Do they use SSO over HTTP or HTTPS [or both]?

Basically: Can the SSO be done on any other port [not 443]?

Topic		Replies	Views
Certbot failed to authenticate on apache Help	4	185	July 27, 2024
Follow up to authentication failure Help	1	919	July 31, 2017
Some challenges have failed Help	39	1478	December 23, 2022
Certbot failed to authenticate Help	7	424	December 10, 2023
Certbot fails with "Certbot failed to authenticate some domains" Help	7	957	May 24, 2023

Authenticate failed. Reason: 'Authentication failed because the remote party has closed the transport stream

Related topics