Connection reset by peer on https to eff / infinite redirection loop

Good morning!

I'm trying to get a new installation up and running. I added the virtual host for port 80, and have otherwise made no changes to my server configuration. Two things appear to be going wrong; I have no idea whether or not they are possibly related.

  1. I get a connection reset by peer error when certbot attempts to https to supporters.eff.org.
  2. I get an infinite redirection loop when I try to connect to my site securely; no redirection appears to be happening when I connect insecurely.

I observe from other posts that (1) is probably a firewall issue; I'm looking into it, but any other insight would be appreciated.

For (2), I've tried a variety of things that I've found in the forums here, but nothing has worked yet. The contents of my conf files follow.

<VirtualHost *:80>
    ServerName rssl.ece.mcgill.ca
    Redirect / https://rssl.ece.mcgill.ca
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =rssl.ece.mcgill.ca
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName rssl.ece.mcgill.ca
    Redirect / https://rssl.ece.mcgill.ca

    SSLCertificateFile /etc/letsencrypt/live/rssl.ece.mcgill.ca/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rssl.ece.mcgill.ca/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/rssl.ece.mcgill.ca/chain.pem
</VirtualHost>
</IfModule>

Thank you for your time!!
Brett

=-=-=

My domain is: rssl.ece.mcgill.ca
I ran this command: sudo /var/lib/snapd/snap/bin/certbot -v --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: rssl.ece.mcgill.ca
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/rssl.ece.mcgill.ca.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying certificate
Created an SSL vhost at /etc/httpd/conf.d/rssl.ece.mcgill.ca-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/rssl.ece.mcgill.ca-le-ssl.conf
Successfully deployed certificate for rssl.ece.mcgill.ca to /etc/httpd/conf.d/rssl.ece.mcgill.ca-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/rssl.ece.mcgill.ca.conf to ssl vhost in /etc/httpd/conf.d/rssl.ece.mcgill.ca-le-ssl.conf
Congratulations! You have successfully enabled HTTPS on https://rssl.ece.mcgill.ca
Subscribe to the EFF mailing list (email: brett.meyer@mcgill.ca).
An unexpected error occurred:
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

There's more detail in the log:

2022-08-31 09:38:24,390:INFO:certbot._internal.eff:Subscribe to the EFF mailing list (email: brett.meyer@mcgill.ca).
2022-08-31 09:38:24,390:DEBUG:certbot._internal.eff:Sending POST request to https://supporters.eff.org/subscribe/certbot:
{'data_type': 'json', 'email': 'brett.meyer@mcgill.ca', 'form_id': 'eff_supporters_library_subscribe_form'}
2022-08-31 09:38:24,392:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): supporters.eff.org:443
2022-08-31 09:38:24,616:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1040, in _validate_conn
    conn.connect()
  File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/urllib3/connection.py", line 416, in connect
    self.sock = ssl_wrap_socket(
  File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/var/lib/snapd/snap/certbot/2192/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/var/lib/snapd/snap/certbot/2192/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/var/lib/snapd/snap/certbot/2192/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/var/lib/snapd/snap/certbot/2192/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

My web server is (include version): Apache/2.4.6 (CentOS)
The operating system my web server runs on is (include version): CentOS 7.9.2009 (Core)
I can login to a root shell on my machine (yes or no, or I don't know): no, but I can sudo
I'm using a control panel to manage my site: no -- ssh and command line

The version of my client is: 1.29.0


Hello @bretthmeyer, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using Let's Debug, I am finding a BadRedirect.
And you have received certificates from Let's Encrypt: crt.sh | rssl.ece.mcgill.ca

Also, using Redirect Checker | Check your Statuscode 301 vs 302,
here is what is happening with the redirects: looping forever.


Here is what the redirects look like for the Let's Encrypt acme challenge. Also wrong but in different way than for your home page:

curl -I rssl.ece.mcgill.ca/.well-known/acme-challenge/Test123
HTTP/1.1 301 Moved Permanently
Location: https://rssl.ece.mcgill.ca/.well-known/acme-challenge/Test123

curl -I https://rssl.ece.mcgill.ca/.well-known/acme-challenge/Test123
HTTP/1.1 302 Found
Location: https://rssl.ece.mcgill.ca.well-known/acme-challenge/Test123

curl -I https://rssl.ece.mcgill.ca.well-known/acme-challenge/Test123
curl: (6) Could not resolve host: rssl.ece.mcgill.ca.well-known

Note that the "Location" for the 302 Found has lost a forward slash.

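The two curl observations above can be reproduced offline. The following is an added example, not code from the thread, from certbot or from Apache: it models mod_alias "Redirect <prefix> <target>" in simplified form (the part of the request path after the matched prefix is appended verbatim to the target, which is why a target with no trailing slash turns "/.well-known/..." into "https://rssl.ece.mcgill.ca.well-known/..."), builds a constructed stand-in for the two vhosts in the posted config, and walks the Location chain until it finds a loop, a change of host, a final 200, or a hop limit. The "fixed_server" variant, in which the :443 vhost serves content instead of redirecting, is an assumption about the fix rather than something shown in the thread. No network access is used.

```python
"""Offline redirect-chain tracer for the loop and the lost-slash 302.

Added example, not code from the original post, certbot or Apache.
"""
from urllib.parse import urlsplit, urlunsplit

HOST = "rssl.ece.mcgill.ca"   # domain from the thread
MAX_HOPS = 10


def alias_redirect(path, prefix, target):
    """Simplified mod_alias 'Redirect <prefix> <target>': the request path
    beyond the matched prefix is appended to the target as-is.
    Returns the Location value, or None when the prefix does not match."""
    if not path.startswith(prefix):
        return None
    return target + path[len(prefix):]


def canon(url):
    """Normalise a URL so that 'https://h' and 'https://h/' compare equal."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def broken_server(scheme, path):
    """Constructed stand-in for the posted config, where both vhosts
    redirect.  Returns (status, location); location is None on 200."""
    if scheme == "http":
        # The RewriteRule in the :80 vhost produces the 301 seen with curl.
        return 301, "https://%s%s" % (HOST, path)
    # The :443 vhost carries 'Redirect / https://rssl.ece.mcgill.ca':
    # a 302 by default, and the target has no trailing slash.
    return 302, alias_redirect(path, "/", "https://" + HOST)


def fixed_server(scheme, path):
    """Assumed fix: same :80 redirect, but the :443 vhost serves content."""
    if scheme == "http":
        return 301, "https://%s%s" % (HOST, path)
    return 200, None


def trace(url, server, max_hops=MAX_HOPS):
    """Follow Location headers against a (scheme, path) -> response server.

    Returns (verdict, hops): hops is the list of URLs requested and verdict
    is one of 'ok', 'loop', 'host-drift', 'too-many-hops'."""
    hops = []
    url = canon(url)
    while len(hops) < max_hops:
        hops.append(url)
        parts = urlsplit(url)
        if parts.hostname != HOST:
            # The chain left the expected host, e.g. the lost-slash case.
            return "host-drift", hops
        status, location = server(parts.scheme, parts.path)
        if status == 200:
            return "ok", hops
        nxt = canon(location)
        if nxt in hops:
            return "loop", hops
        url = nxt
    return "too-many-hops", hops


if __name__ == "__main__":
    for path in ("/", "/.well-known/acme-challenge/Test123"):
        for name, srv in (("broken", broken_server), ("fixed", fixed_server)):
            verdict, hops = trace("http://%s%s" % (HOST, path), srv)
            print("%-6s %-40s -> %-10s via %s" % (name, path, verdict, hops))
```

Run as-is, the broken server reports "loop" for the home page (https://rssl.ece.mcgill.ca/ redirects to itself) and "host-drift" for the ACME challenge path, ending at https://rssl.ece.mcgill.ca.well-known/acme-challenge/Test123, which is exactly the unresolvable host curl complained about; the fixed server reports "ok" for both after one hop.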

Nice work @MikeMcQ :100: :white_check_mark: :smile:


Thank you for the help, and the welcome!

Changing MTU to 1300 corrected the issue with not being able to HTTPS to EFF. I had tried that before, too, as directed by a thread elsewhere; I'm not sure why it worked the second time and not the first.

For the redirection loop, certbot copied the .conf I made to establish the virtual host, which meant that the .conf for SSL was also redirecting, which was a problem!

Cheers,
Brett

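For reference, a corrected pair of vhosts written as an added example; it is not copied from the thread or from certbot's output. It keeps the certificate paths from the posted config, and the DocumentRoot is an assumed placeholder. Two things change: only the port-80 vhost redirects, so that the -le-ssl.conf certbot derives from it no longer redirects to itself, and the Redirect target carries a trailing slash, because mod_alias appends the remainder of the request path verbatim to the target, which is how /.well-known/acme-challenge/Test123 became https://rssl.ece.mcgill.ca.well-known/acme-challenge/Test123 in the 302 above. Redirecting the challenge path to HTTPS is fine for HTTP-01 renewals as long as the 443 vhost actually serves it, since the Let's Encrypt validator follows redirects.

```apache
# Port 80: redirect only, with a single mechanism.  The posted config had
# both a 'Redirect' and a RewriteRule; the RewriteRule is what certbot
# installs and is equivalent to this line.  The trailing slash on the
# target matters: 'Redirect / https://rssl.ece.mcgill.ca' (no slash)
# rewrites '/.well-known/x' to 'https://rssl.ece.mcgill.ca.well-known/x'.
<VirtualHost *:80>
    ServerName rssl.ece.mcgill.ca
    Redirect permanent / https://rssl.ece.mcgill.ca/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName rssl.ece.mcgill.ca
    # No Redirect in this vhost: it serves the site.  A Redirect here sends
    # https:// clients back to the same vhost, which is the loop observed.
    DocumentRoot /var/www/html    # assumed placeholder, not from the thread

    # Certificate lines as deployed by certbot in the posted config;
    # options-ssl-apache.conf supplies the SSLEngine and cipher settings.
    SSLCertificateFile /etc/letsencrypt/live/rssl.ece.mcgill.ca/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/rssl.ece.mcgill.ca/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/rssl.ece.mcgill.ca/chain.pem
</VirtualHost>
</IfModule>
```

After editing, check with "apachectl configtest", reload httpd, and confirm with "curl -I http://rssl.ece.mcgill.ca/.well-known/acme-challenge/Test123" that the 301 points at https://rssl.ece.mcgill.ca/.well-known/acme-challenge/Test123 and that the https:// request then returns a 404 (or the file) rather than another redirect.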