Connection reset by peer during HTTP ACME challenge for `.co.uk` domains

Yes, the site hasn't changed since Covid. Not sure how that's relevant.

2 Likes

Try this instead: https://www.bdgc.org.uk/ and check it with Let's Debug.

Then try https://www.sunningwellvillagehall.org/ and repeat.

The .uk one will fail and the .org one will succeed. They are both on the same IP address on the same (possibly virtual) server.

Yes, the site hasn't changed since Covid. Not sure how that's relevant.

It doesn't.

I kinda want to use DNS challenge and sidestep this problem, https://github.com/srvrco/getssl/blob/master/dns_scripts/GoDaddy-README.txt but GoDaddy being GoDaddy looks painful.

P.S. I guess their GoDaddy still doesn't expose cPanel AutoSSL?

4 Likes

No, of course not. They want to make money selling SSL certificates to people who don't know better.

DNS validation looked tricky. Also, some domains are registered with other providers. And besides, this was working for several years until a week or so ago.

Why has it suddenly stopped working only for .uk domains? While it still works for other TLDs on the same server at the same IP address.

You should be seeing at least 3 requests for each validation attempt; I'm not sure if you're saying you're only seeing one or if you're saying that your logs are showing your server responding to all of them.

That is pretty weird. I'm with @orangepizza; there's likely some kind of firewall that's resetting the connection instead of letting the request through.

I can reproduce the problem from a test machine in AWS, at least some of the time, for whatever that's worth:

$ curl -v http://madmask.co.uk/.well-known/acme-challenge/test
*   Trying 92.205.0.87:80...
* Connected to madmask.co.uk (92.205.0.87) port 80 (#0)
> GET /.well-known/acme-challenge/test HTTP/1.1
> Host: madmask.co.uk
> User-Agent: curl/8.0.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
5 Likes

I have some bad news for you. We have seen these exact symptoms with more than a few GoDaddy hosted servers in the past couple of months. We have not yet had anyone get it resolved. The only pattern is it was a GoDaddy host (or owned by GoDaddy).

The problem is that the first request from an IP gets a "connection refused". But, repeating the request rapidly succeeds. But, if you just wait a bit (a couple minutes) you get another "connection refused" followed by some successes.

It has nothing to do with Let's Encrypt. And in the most recent case I was able to reproduce this for the person's home page using a browser, so it is not even "curl" related.

See this test sequence and note the timestamps:

curl -I https://www.bdgc.org.uk
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.bdgc.org.uk:443

(immediately after the reset failure)
curl -I https://www.bdgc.org.uk
HTTP/2 200
x-powered-by: PHP/7.3.33
date: Fri, 21 Jul 2023 00:32:32 GMT
server: Apache

curl -I https://www.bdgc.org.uk
HTTP/2 200
x-powered-by: PHP/7.3.33
date: Fri, 21 Jul 2023 00:32:34 GMT
server: Apache

curl -I https://www.bdgc.org.uk
HTTP/2 200
x-powered-by: PHP/7.3.33
date: Fri, 21 Jul 2023 00:32:36 GMT
server: Apache

(this was 3 minutes later, probably would happen with less wait)
curl -I https://www.bdgc.org.uk
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.bdgc.org.uk:443
5 Likes

I do too except the "connection refused" can happen for a normal person accessing the site. A DNS challenge could get the cert but still have this access problem.

Still, we don't know who all is affected. Maybe it's just people outside their hosting local region which might be ok.

I found the most recent thread we worked on this. You can see the browser failing to get the home page and quickly reload and see the expected home page (in that case just a landing page for new site).

@jakeqz TSOHOST is owned by GoDaddy

4 Likes

In the failure case (.uk), logs show the server responding to the first request, then no more (whether the response be a 301 redirect to HTTPS, or the actual data requested with a 200 response).

In the successful case (.com), I see two more requests all from different IP addresses, then a getssl local request, then two more from LE (the first one from the same IP as the first previous).

Did it succeed sometimes? And have you tried with the .org or .com domain?

Guess I will have to phone GoDaddy and waste several days trying to convince them it's a problem their end. Or...

I need to switch hosting providers anyway, since GoDaddy are useless in every department. Any recommendations? Moving elsewhere might actually be less of a headache than dealing with this issue anyway.

1 Like

I didn't test as thoroughly as @MikeMcQ did, but it did seem to fail once, and then work for a while, yes.

No, I hadn't.

I think the consensus around here tends to be that the only advantage GoDaddy may have is that they can be cheap, if you don't mind working around their systems and attempts to upsell you.

There is a semi-official forum recommendation list listing providers that are known to have integration with Let's Encrypt for getting certificates. But of course, there are other considerations one might want to consider when choosing a hosting company. At this point, having good free integration with getting a certificate (regardless of CA) is the bare minimum one would expect.

4 Likes

I have managed so far (e.g. using cPanel uapi to install the Let's Encrypt certificates as part of an automated process). But am stuck on this. If it is a firewall issue, why is it only blocking requests to .uk domains, and why are they getting as far as Apache sending the response out? And why has it suddenly stopped working?

Could you try this with a non-.uk domain, such as https://www.sunningwellvillagehall.org/?

I cannot reproduce your results from within the UK.

However, it seems that access to .uk domain names, hosted on a GoDaddy-owned platform, accessed from outside the UK, suffers this problem.

I see the identical symptom with your .org domain as with the .uk (see below). I don't see this as TLD related (even before this test). This is most likely some odd network level firewall or faulty routing gear.

I might try later with a UK based presence. It is possible this network failure only affects outside the hosted region (of indeterminate scope). If that's true and your site users are all local that might not bother you. Although search crawlers could potentially be affected too impacting SEO.

It does impact Let's Encrypt HTTP Challenges as these requests are made from several points around the globe. The test server I've been using is in AWS on the US East Coast.

Did you see the link to the previous thread where I showed the browser getting the failure too? That could be happening to your sites even now. You could use a DNS Challenge to get the cert knowing some people will be affected.

curl -I https://www.sunningwellvillagehall.org
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.sunningwellvillagehall.org:443

curl -I https://www.sunningwellvillagehall.org
HTTP/2 200
date: Fri, 21 Jul 2023 02:12:16 GMT
server: Apache

curl -I https://www.sunningwellvillagehall.org
HTTP/2 200
date: Fri, 21 Jul 2023 02:12:17 GMT
server: Apache

curl -I https://www.sunningwellvillagehall.org
HTTP/2 200
date: Fri, 21 Jul 2023 02:12:19 GMT
server: Apache

(waited about 3 mins again - see timestamp in next request)
curl -I https://www.sunningwellvillagehall.org
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.sunningwellvillagehall.org:443

curl -I https://www.sunningwellvillagehall.org
HTTP/2 200
date: Fri, 21 Jul 2023 02:15:18 GMT
server: Apache
5 Likes

Adding on to my previous post I found one thing interesting ...

I now realize that after the initial "reset" failure (with either .org or .uk) I can immediately curl to both .org and .uk successfully. In other words, one reset failure "opens the door" for success to both domains. Wait 3 mins (probably even less) and I will again get a "reset" to either one followed by success to both.

5 Likes
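One way to quantify the "reset opens the door" pattern from a probe log. This is an added example, not code from anyone in the thread: it classifies timestamped `curl -I` outputs (the sample below is constructed, modelled on the transcripts above, with a placeholder hostname) as reset or success, estimates the idle period after which the next connection is reset again, and checks that resets follow idleness rather than request rate.

```python
import re
from datetime import datetime

# Constructed sample modelled on the curl -I transcripts in this thread
# (www.example.test is a placeholder, not one of the thread's sites).
RESET_OUT = "curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to www.example.test:443"
OK_OUT = "HTTP/2 200\ndate: Fri, 21 Jul 2023 00:32:32 GMT\nserver: Apache\n"
SAMPLE = [
    ("2023-07-21T00:32:30", RESET_OUT),  # first contact after idle: reset
    ("2023-07-21T00:32:32", OK_OUT),     # immediate retries succeed
    ("2023-07-21T00:32:34", OK_OUT),
    ("2023-07-21T00:32:36", OK_OUT),
    ("2023-07-21T00:35:36", RESET_OUT),  # ~3 min idle: reset again
    ("2023-07-21T00:35:38", OK_OUT),
]

def classify(curl_output: str) -> str:
    """Map raw `curl -I` output to 'reset', 'ok' (2xx/3xx status) or 'other'."""
    if "Connection reset by peer" in curl_output:
        return "reset"
    m = re.search(r"^HTTP/\S+ (\d{3})", curl_output, re.M)
    return "ok" if m and m.group(1)[0] in "23" else "other"

def parse_transcript(entries):
    """(ISO timestamp, curl output) pairs -> time-ordered (datetime, outcome) list."""
    return sorted((datetime.fromisoformat(ts), classify(out)) for ts, out in entries)

def idle_gaps_before_resets(probes):
    """Idle seconds since the last success before each reset (None if no prior success)."""
    gaps, last_ok = [], None
    for ts, outcome in probes:
        if outcome == "reset":
            gaps.append(None if last_ok is None else (ts - last_ok).total_seconds())
        elif outcome == "ok":
            last_ok = ts
    return gaps

def estimate_door_timeout(probes):
    """Upper bound on how long the 'door' stays open: shortest idle gap followed by a reset."""
    return min((g for g in idle_gaps_before_resets(probes) if g is not None), default=None)

def door_pattern_holds(probes):
    """True if every reset is immediately followed by a success and every measured idle gap
    before a reset exceeds the longest gap between back-to-back successes."""
    outcomes = [o for _, o in probes]
    if any(o == "reset" and outcomes[i + 1:i + 2] != ["ok"] for i, o in enumerate(outcomes)):
        return False
    pairs = zip(probes, probes[1:])
    busiest = max(((b - a).total_seconds() for (a, x), (b, y) in pairs if x == y == "ok"), default=0)
    return all(g > busiest for g in idle_gaps_before_resets(probes) if g is not None)
```

Feed it real probe output by recording each `curl -I` run with its timestamp; a shrinking `estimate_door_timeout` narrows down the idle threshold, and a False from `door_pattern_holds` means the resets are not explained by idleness alone.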

I've asked GoDaddy to look into this. Issue was escalated. They might get back to me.

2 Likes

Somebody posted info on how to set up getssl with DNS validation.

But I can't find it now in this quagmire.

Can you post it again?

GoDaddy have not got back to me. They probably closed the case as "too awkward". A previous issue with their servers was solved by rebooting. They never told me about that fix either, but I found everything magically working again and server uptime less than a day (whereas it is normally hundreds).

GoDaddy claim "Award-Winning Customer Service". What awards, specifically? Are there 'Raspberry' awards for customer service? They might be eligible for those.

1 Like

You might try this wiki

And this

3 Likes

The SSLs managed to get renewed via the cron job eventually. Not sure how. Weird thing is the start date is the date of this thread, and they hadn't been installed when I checked a week later.

GoDaddy never got back to me. Though that's the most I'd expect from such a disgraceful organization. (This company is out of order. Please use another one.)

2 Likes

Thanks for update and glad you got a cert.

I just checked 3 domains mentioned in this thread and none of them get a "reset" error anymore. I guess that's something.

Wish we knew how to make that happen 🙂

5 Likes

Aww. Thanks. I am honestly at tearpoint re the help I've received here. You are beautiful people.

It wasn't a server reboot. Says it's been running for 31 days. GoDaddy have a habit of quietly fixing problems but not bothering to tell you that they have. Though if I've specifically reported a problem and been promised a reply, I expect it.

I can dis-recommend GoDaddy. Avoid on all levels.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.