My domain is:
I ran this command:
getssl -u (see GitHub - srvrco/getssl: obtain free SSL certificates from letsencrypt ACME server Suitable for automating the process on remote servers.)
It produced this output:
Check all certificates
Registering account
Verify each domain
Verifying madmask.co.uk
madmask.co.uk is already validated
Verifying www.madmask.co.uk
copying challenge token to /home/jakeqz/public_html/madmask.co.uk/.well-known/acme-challenge/gtlC7LRVj1_SGq3U2J31DdvDZxbQHgti77EHDnhHKy0
sending request to ACME server saying we're ready for challenge
checking if challenge is complete
getssl: www.madmask.co.uk:Verify error: "detail": "220.127.116.11: Fetching http://www.madmask.co.uk/.well-known/acme-challenge/gtlC7LRVj1_SGq3U2J31DdvDZxbQHgti77EHDnhHKy0: Connection reset by peer",
My web server is (include version): Apache 2.4.57, LiteSpeed V8.0.1, Cloudlinux 1.3
The operating system my web server runs on is (include version):
Linux sxb1plzcpnl489428.prod.sxb1.secureserver.net 2.6.32-954.3.5.lve1.4.90.el6.x86_64 #1 SMP Tue Feb 21 12:26:30 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
My hosting provider, if applicable, is: GoDaddy shared hosting with cPanel
I can login to a root shell on my machine (yes or no, or I don't know): no, it's shared hosting, but I have SSH access and can log into a non-root shell
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 102.0.32
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): getssl V2.48 (see GitHub - srvrco/getssl: obtain free SSL certificates from letsencrypt ACME server Suitable for automating the process on remote servers.)
Automatic SSL certificate updates had been working fine for a few years until after 26 June 2023.
On 10 July, a twice-weekly cron job to renew SSLs failed for four .co.uk domains, yet succeeded for one .com domain. (On 26 June it succeeded for at least one
The error in all cases was "Connection reset by peer".
The Apache logs show the expected requests and responses via HTTP (which is a 301 redirect to HTTPS) but do not show the follow-up via HTTPS.
I have tried disabling the HTTPS redirect. The Apache logs then show the content as being served with a 200 response and 87 bytes, but the error persists.
18.104.22.168 - - [20/Jul/2023:15:10:26 -0700] "GET /.well-known/acme-challenge/gtlC7LRVj1_SGq3U2J31DdvDZxbQHgti77EHDnhHKy0 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" 1 **0/1630**
I can access the URL in a browser without problem.
I have tried with Let's Debug.
For a non-working .co.uk domain, I get
HTTPCheck Debug
Requests made to the domain
Request to: madmask.co.uk/22.214.171.124, Result: [Address=126.96.36.199,Address Type=IPv4,Server=,HTTP Status=0], Issue: ANotWorking
Trace:
@0ms: Making a request to http://madmask.co.uk/.well-known/acme-challenge/letsdebug-test (using initial IP 188.8.131.52)
@0ms: Dialing 184.108.40.206
@196ms: Experienced error: read tcp 220.127.116.11:57898->18.104.22.168:80: read: connection reset by peer
For a working .com domain, I get
HTTPCheck Debug
Requests made to the domain
Request to: spinawoodworking.com/22.214.171.124, Result: [Address=126.96.36.199,Address Type=IPv4,Server=Apache,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404], Issue:
Trace:
@0ms: Making a request to http://spinawoodworking.com/.well-known/acme-challenge/letsdebug-test (using initial IP 188.8.131.52)
@0ms: Dialing 184.108.40.206
@203ms: Server response: HTTP 301 Moved Permanently
@203ms: Received redirect to https://spinawoodworking.com/.well-known/acme-challenge/letsdebug-test
@203ms: Dialing 220.127.116.11
@1433ms: Server response: HTTP 404 Not Found
(This is expected, since letsdebug-test doesn't exist.)
What on earth is going on? These are on the same server. Why is it only failing with .co.uk domains and not others?
What can I do? I have about 14 days before the current certificates expire. Please help.
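
The correlation the post makes by hand between the ACME error and the Apache access log, as an added example (not part of the original post and not getssl code): it picks the validator's HTTP-01 requests out of combined-format log lines and reports what the server logged for a given token. The sample lines, the token names and the 203.0.113.7 address are constructed, and the helper names are hypothetical.

```python
import re

# Combined-log prefix; trailing vendor fields (as in the post's line) are ignored.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<time>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
PREFIX = "/.well-known/acme-challenge/"
UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

def challenge_hits(lines):
    """Return one dict per access-log line that requests an ACME HTTP-01 token."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(PREFIX):
            continue
        hits.append({
            "time": m["time"],
            "token": m["path"][len(PREFIX):],
            "status": int(m["status"]),
            "size": 0 if m["size"] == "-" else int(m["size"]),
            "from_validator": "Let's Encrypt validation server" in m["ua"],
        })
    return hits

def classify(hits, token):
    """Say what the web server logged for the validator's requests for this token."""
    seen = [h for h in hits if h["token"] == token and h["from_validator"]]
    if not seen:
        return "not_logged"       # no validator request for this token in the log
    if any(h["status"] == 200 and h["size"] > 0 for h in seen):
        return "served"           # a body was logged as sent, as in the post
    if all(300 <= h["status"] < 400 for h in seen):
        return "redirect_only"    # only the redirect was logged, no follow-up
    return "error_status"

def _line(path, status, size, ua=UA):
    # Constructed log line in the same layout as the one quoted in the post.
    return (f'203.0.113.7 - - [20/Jul/2023:15:10:26 -0700] "GET {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}" 1 0/1630')

SAMPLE = [  # constructed sample input
    _line(PREFIX + "tokenA", 200, 87),
    _line(PREFIX + "tokenB", 301, "-"),
    _line(PREFIX + "tokenC", 200, 87, ua="Mozilla/5.0 (X11; Linux x86_64)"),
    _line("/index.html", 200, 5120),
]

if __name__ == "__main__":
    for tok in ("tokenA", "tokenB", "tokenC"):
        print(tok, classify(challenge_hits(SAMPLE), tok))
```

A "served" result next to a "Connection reset by peer" from the validator, as in the post, means the request did reach the web server's log, so the access log alone does not show where the connection was reset.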