Connection reset by peer on renewal

nafas · November 13, 2018, 2:12pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: areyvah.tv

I ran this command: certbot certonly -a webroot --webroot-path=/var/www/html --agree-tos -n -d www.areyvah.com -d areyvah.com --email support@unreel.me --force-renewal

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.areyvah.com
http-01 challenge for areyvah.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. areyvah.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://areyvah.com/.well-known/acme-challenge/9cBT5cSTLeG9TRQ_WMyh4KVvTmWO0zQ6Upsk4Um3pnM: Connection reset by peer

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: areyvah.com
Type: connection
Detail: Fetching
http://areyvah.com/.well-known/acme-challenge/9cBT5cSTLeG9TRQ_WMyh4KVvTmWO0zQ6Upsk4Um3pnM:
Connection reset by peer

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

My web server is (include version): nginx version: nginx/1.4.6 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Additionally:

cetbot version 0.26.1

there is a redirect to https and prefixing with www (bot are going with 302)
/.well-known/acme-challenge contents are fully accessible from browser. There are no A or AAAA records in the respective NS-zone, because it’s a regular CNAME

server is listening 80,443 @IPv4, IPv6

Operational log is under the link
https://drive.google.com/open?id=1gADvCXvU4flFVw7B-GLMDHNiacXykFiI

mnordhoff · November 13, 2018, 3:19pm

areyvah.com.  300  A     198.211.118.227
areyvah.com.  300  AAAA  2a03:b0c0:0:1010::1423:6001

When connecting to http://areyvah.com/ over IPv6, I get a “Connection reset by peer” error. Over IPv4, I get a redirect to https://www.areyvah.com/.

Are you sure that IPv6 address is correct? Are the networking configuration, firewalls, and web server configuration okay?

JuergenAuer · November 13, 2018, 3:33pm

Hi @nafas

there is another error: Checking

http://areyvah.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

there is a redirect to

https://www.areyvah.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de

there is a http status 200, not 404. So there is not the validation file sent Letsencrypt wants to check.

nafas · November 13, 2018, 3:37pm

there is another location for assets serving by nodejs (le.conf that included in every conf)

location ~ /.well-known {
try_files $uri $uri/ @node;
allow all;
log_not_found off;
root /var/www/html/;
}
location @node {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://unreel_me_backend;
proxy_redirect off;
}

nafas · November 13, 2018, 3:40pm

I’ve been trying do disable ufw among all cluster hosts, issue still the same.

nafas · November 13, 2018, 3:43pm

I think the issue is with WWW redirect, because right now I got cert with easily by invoking:

certbot certonly -a webroot --webroot-path=/var/www/html --agree-tos -n -d www.areyvah.com --email support@unreel.me

JuergenAuer · November 13, 2018, 3:44pm

Then you must tell Certbot the root of this directory, so certbot can create the validation file under

/yourroot/.well-known/acme-challenge/validationfile

PS: Remove your ipv6 - AAAA entry.

nafas · November 13, 2018, 3:46pm

Validationfiles are being created and served correctly, tried that several times. Anyways, thanks for suggestion, Herr Auer

nafas · November 13, 2018, 3:48pm

There is no AAAA or A entries at all. Only CNAME and ALIAS

JuergenAuer · November 13, 2018, 3:49pm

My own tool says - no.

https://check-your-website.server-daten.de/?q=areyvah.com

Letsdebug says - no:

AAAANotWorking

Error

areyvah.com has an AAAA (IPv6) record (2a03:b0c0:0:1010::1423:6001) but a test request to this address over port 80 did not succeed. Let's Encrypt will prefer to use AAAA records, if present, and will not fall back to IPv4 records. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.

Get http://areyvah.com/.well-known/acme-challenge/letsdebug-test: read tcp [2600:3c03::f03c:91ff:fea2:6a56]:56588->[2a03:b0c0:0:1010::1423:6001]:80: read: connection reset by peer

Trace:
@0ms: Making a request to http://areyvah.com/.well-known/acme-challenge/letsdebug-test (using initial IP 2a03:b0c0:0:1010::1423:6001)
@0ms: Dialing 2a03:b0c0:0:1010::1423:6001
@173ms: Experienced error: read tcp [2600:3c03::f03c:91ff:fea2:6a56]:56588->[2a03:b0c0:0:1010::1423:6001]:80: read: connection reset by peer

IssueFromLetsEncrypt

Error

A test authorization for areyvah.com to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

Fetching http://areyvah.com/.well-known/acme-challenge/z7N2YaxJNGmb4EWvVIpJShZx4hQOXk4xRcAVU3-vSDQ: Connection reset by peer

mnordhoff · November 13, 2018, 3:49pm

areyvah.com and www.areyvah.com have different IP addresses.

areyvah.com.          266   A      198.211.118.227
areyvah.com.          266   AAAA   2a03:b0c0:0:1010::1423:6001

www.areyvah.com.      1779  CNAME  areyvahtv.unreel.me.
areyvahtv.unreel.me.  1779  A      192.81.215.220
areyvahtv.unreel.me.  1779  AAAA   2604:a880:2:d0::4a54:a001

I still get a “connection reset by peer” error on areyvah.com's IPv6 address.

nafas · November 13, 2018, 3:51pm

Let me check, it looks like NS1 balancer has sent the redirect to another cluster member. Thanks for the hint

nafas · November 13, 2018, 3:53pm

Yes, both addresses are our, and both hosts have the same shared root folder for serving challenges. It’s weird, that second host doesn’t return requested data

nafas · November 13, 2018, 4:02pm

Thanks a ton! I found a glitch it the default_server statement listen directive on the host - there was

listen [::]:80 ssl;

My apologies for disturbance. Have a good one!

system · December 13, 2018, 4:02pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Connection reset by peer Help	4	1759	April 29, 2022
Certificate Manual renew error : Connection reset by peer Help	3	520	July 26, 2022
Certbot renew failure connection reset by peer Help	9	1173	May 19, 2022
Connection Reset by Peer - Certbot Renew Fails Help	40	5798	September 23, 2022
Renewal failure: "Connection reset by peer" Help	9	5825	May 26, 2022

Connection reset by peer on renewal

Related topics