Can't renew During secondary validation: Fetching xxx Connection reset by peer

My domain is: beterwork-us.hopto.org

I ran this command:
sudo certbot --apache

It produced this output:
hans@beterwork-us:/etc$ sudo certbot --apache
[sudo] password for hans:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: beterwork-us.hopto.org


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for beterwork-us.hopto.org
Enabled Apache rewrite module
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. beterwork-us.hopto.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://beterwork-us.hopto.org/.well-known/acme-challenge/l0gS7bOnsorr23Me8_BxI3a1RG6lij5u_LDa8umpdyg: Connection reset by peer

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: beterwork-us.hopto.org
    Type: connection
    Detail: During secondary validation: Fetching
    http://beterwork-us.hopto.org/.well-known/acme-challenge/l0gS7bOnsorr23Me8_BxI3a1RG6lij5u_LDa8umpdyg:
    Connection reset by peer

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):
ii apache2 2.4.29-1ubuntu4.12 amd64 Apache HTTP Server

The operating system my web server runs on is (include version):
Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is:
https://manage.hostdare.com/

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

---- Comments ----
Half a year ago I ran certbot and had no issue.
Today I got an email telling me to renew. I found I can't; it keeps giving me
Failed authorization procedure. beterwork-us.hopto.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching http://beterwork-us.hopto.org/.well-known/acme-challenge/l0gS7bOnsorr23Me8_BxI3a1RG6lij5u_LDa8umpdyg: Connection reset by peer

error.

I even ran the manual mode:
sudo certbot certonly --manual --preferred-challenges http

put a file into the www root and made it visible to the public:
http://beterwork-us.hopto.org/.well-known/acme-challenge/Pts5d2vqPLOP9A-YGaYFA9RU7hWUWGZ4vmSaStnv_6c

but it still gives me this error.

Is there anything I can do?

By the way, I already cleared all iptables rules
and accepted everything
with the command
sudo iptables -I INPUT -j ACCEPT


Have you confirmed your IP address?

I see:

Name:    beterwork-us.hopto.org
Address:  193.22.152.202

Is there any special handling for the /.well-known/acme-challenge/ requests?

I can reach:

http://beterwork-us.hopto.org/.well-known/acme-challenge/Pts5d2vqPLOP9A-YGaYFA9RU7hWUWGZ4vmSaStnv_6c

It shows:

Pts5d2vqPLOP9A-YGaYFA9RU7hWUWGZ4vmSaStnv_6c.LOTiAPJFBQGCUGPqZn2_Tr-6q4HOca0Au_csvdUxwTk

[which looks correct]


Do you have any firewall rules or devices in front of your server that may be affecting traffic from AWS?

Recently Let’s Encrypt began checking challenges from 4 different hosts simultaneously: ACME v1/v2: Validating challenges from multiple network vantage points

Your error indicates that one of the secondary perspectives (which are currently hosted with AWS) failed to fetch the challenge file from your server.

Does this error happen consistently or just sometimes?


It happens consistently

I already disabled firewall totally.


Hi @beterhans

Your error message

says: the Let's Encrypt data center can fetch your file. The servers used for multi-perspective validation can't.

So you have a regional firewall that blocks them -> remove that.


Hi, thanks JuergenAuer for the reply.

How could I know the IP range of the secondary servers?
I will ask my VM provider if they have a firewall against that range.

Please read the FAQ:

Let's Encrypt doesn't publish IP addresses. And with secondary validation, IP addresses may change.


Hi JuergenAuer, thanks for the reply.

But it turns out it's not my side that blocked the AWS server's request; the AWS server reset the TCP connection for some reason.

Here is a Wireshark capture I did on my VM's eth0.

This is the first OK one.
The IP ending with 202 is my server; the other side is the Let's Encrypt server.

The following is the failed one.
The AWS server sent a reset for some reason.
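As an added example (not code from the thread or from Certbot), here is a small Python parser for `tcpdump` text output that classifies each inbound port-80 connection the way the last reply reads its Wireshark capture: handshake completed and a response served, peer sent a reset after the handshake, or SYN never answered by the server (which would point at a local drop rather than a remote reset). The sample lines are constructed; the validator addresses are TEST-NET-3 placeholders, not Let's Encrypt addresses (which, as noted above, are not published). The server address is the one resolved earlier in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of `tcpdump -n -tttt 'tcp port 80'` (not a real capture).
# 193.22.152.202 is the server from the thread; 203.0.113.x are placeholder validator IPs.
SAMPLE = """\
2020-02-20 12:00:01.000001 IP 203.0.113.10.43210 > 193.22.152.202.80: Flags [S], seq 1000, win 64240, length 0
2020-02-20 12:00:01.000200 IP 193.22.152.202.80 > 203.0.113.10.43210: Flags [S.], seq 2000, ack 1001, win 65160, length 0
2020-02-20 12:00:01.000400 IP 203.0.113.10.43210 > 193.22.152.202.80: Flags [.], ack 1, win 502, length 0
2020-02-20 12:00:01.000600 IP 203.0.113.10.43210 > 193.22.152.202.80: Flags [P.], seq 1:160, ack 1, win 502, length 159
2020-02-20 12:00:01.001000 IP 193.22.152.202.80 > 203.0.113.10.43210: Flags [P.], seq 1:300, ack 160, win 509, length 299
2020-02-20 12:00:01.001200 IP 203.0.113.10.43210 > 193.22.152.202.80: Flags [F.], seq 160, ack 300, win 502, length 0
2020-02-20 12:00:01.001300 IP 193.22.152.202.80 > 203.0.113.10.43210: Flags [F.], seq 300, ack 161, win 509, length 0
2020-02-20 12:00:01.100001 IP 203.0.113.20.51000 > 193.22.152.202.80: Flags [S], seq 5000, win 64240, length 0
2020-02-20 12:00:01.100200 IP 193.22.152.202.80 > 203.0.113.20.51000: Flags [S.], seq 6000, ack 5001, win 65160, length 0
2020-02-20 12:00:01.100400 IP 203.0.113.20.51000 > 193.22.152.202.80: Flags [R], seq 5001, win 0, length 0
2020-02-20 12:00:01.200001 IP 203.0.113.30.60000 > 193.22.152.202.80: Flags [S], seq 7000, win 64240, length 0
"""

# One tcpdump TCP line: endpoints, flag letters and the payload length.
PKT_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)"
)


def parse_packets(text):
    """Turn tcpdump text lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "length"):
            d[k] = int(d[k])
        pkts.append(d)
    return pkts


def summarize(pkts, server_ip, server_port=80):
    """Group packets per remote client:port and give each connection a verdict."""
    conns = OrderedDict()
    for p in pkts:
        if p["dst"] == server_ip and p["dport"] == server_port:
            key, from_server = f'{p["src"]}:{p["sport"]}', False
        elif p["src"] == server_ip and p["sport"] == server_port:
            key, from_server = f'{p["dst"]}:{p["dport"]}', True
        else:
            continue  # not traffic to/from the web server port
        c = conns.setdefault(key, {"syn": False, "synack": False, "rst_by": None,
                                   "fin": False, "server_bytes": 0})
        f = p["flags"]
        if "S" in f and "." not in f and not from_server:
            c["syn"] = True                      # client SYN
        elif "S" in f and "." in f and from_server:
            c["synack"] = True                   # server SYN-ACK: Apache answered
        if "R" in f and c["rst_by"] is None:
            c["rst_by"] = "server" if from_server else "client"
        if "F" in f:
            c["fin"] = True
        if from_server:
            c["server_bytes"] += p["length"]     # payload actually delivered to the peer
    for c in conns.values():
        if not c["synack"]:
            c["verdict"] = "no_synack"           # SYN never answered: dropped before/at the host
        elif c["rst_by"] == "client":
            c["verdict"] = "reset_by_client"     # peer tore the session down after the handshake
        elif c["rst_by"] == "server":
            c["verdict"] = "reset_by_server"
        elif c["server_bytes"] > 0 and c["fin"]:
            c["verdict"] = "completed"           # response served and closed cleanly
        else:
            c["verdict"] = "incomplete"
    return conns


if __name__ == "__main__":
    for peer, c in summarize(parse_packets(SAMPLE), "193.22.152.202").items():
        print(f"{peer:24} {c['verdict']:16} server_bytes={c['server_bytes']}")
```

Run against a real capture with `sudo tcpdump -n -tttt 'tcp port 80' > cap.txt` while a validation is in progress and feed the file's contents to `parse_packets`; a `reset_by_client` verdict with a non-zero `synack` count is the pattern the last reply describes, while `no_synack` entries would instead point at filtering on or in front of the host.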
