Connection reset by peer Status 400

My domain is:
q.ezecom.com.kh

I ran this command:
curl http://q.ezecom.com.kh/.well-known/acme-challenge/OcspA6-tMRcUNOYtbk-oYyJhaep0D5qA4jUlW4q7DFU

It produced this output:
Successful

My web server is (include version):
nginx 1.23.1

The operating system my web server runs on is (include version):
Win server 2019

My hosting provider, if applicable, is:
self

I can login to a root shell on my machine (yes or no, or I don't know):
no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
win-acme

===================================

But Win-ACME failed with the following output:

First chance error calling into ACME server, retrying with new nonce...
Cached order has status invalid, discarding
[q.ezecom.com.kh] Authorizing...
[q.ezecom.com.kh] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://q.ezecom.com.kh/.well-known/acme-challenge/3m3L6P7oe4JOedfnE3if7VSuUqCMcAOrpPU5_ewiSXI
Preliminary validation failed because 'An error occurred while sending the request.'
[q.ezecom.com.kh] Authorization result: invalid
[q.ezecom.com.kh] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "119.82.249.222: Fetching http://q.ezecom.com.kh/.well-known/acme-challenge/3m3L6P7oe4JOedfnE3if7VSuUqCMcAOrpPU5_ewiSXI: Connection reset by peer",
"status": 400
}
[q.ezecom.com.kh] Deactivating pending authorization

@Vscpp Welcome to the community

You are another one affected by a Palo Alto Networks brand firewall. They changed a default setting in their gear earlier this year and we have seen this regularly.

You should talk to your network admins and have them change the Application Rule for "ACME protocol".

As a test, the below request should reply with a 404 Not Found. Instead, it gets the "reset by peer" error. In your case, you must use the -A as shown, as that is the user-agent used by Let's Encrypt servers. You can use this sample curl and URL to test that the setting was changed properly:

curl -I q.ezecom.com.kh/.well-known/acme-challenge/SampleToken -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer

Should get this, even with that -A value, instead:
curl -I q.ezecom.com.kh/.well-known/acme-challenge/SampleToken
HTTP/1.1 404 Not Found
Server: nginx/1.23.1
Date: Tue, 13 Sep 2022 14:13:40 GMT
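A repeatable form of the check described in the reply above, as an added example that is not part of the original posts: it requests the sample challenge URL once with curl's default User-Agent and once with the Let's Encrypt validation User-Agent, then classifies the pair. The function names, the 15-second timeout and the verdict labels are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Compares how the challenge path answers
# with curl's default User-Agent and with the Let's Encrypt validation one.
LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

# probe URL [USER_AGENT] -> prints "http:<status>" or "curl:<exit code>"
probe() {
  local url="$1" ua="${2:-}" code rc=0
  if [ -n "$ua" ]; then
    code=$(curl -s -I -o /dev/null -m 15 -w '%{http_code}' -A "$ua" "$url") || rc=$?
  else
    code=$(curl -s -I -o /dev/null -m 15 -w '%{http_code}' "$url") || rc=$?
  fi
  if [ "$rc" -eq 0 ]; then echo "http:$code"; else echo "curl:$rc"; fi
}

# classify DEFAULT_UA_RESULT LE_UA_RESULT -> one-word verdict
classify() {
  case "$1,$2" in
    http:*,http:*) echo "not-filtered" ;;  # any HTTP status (even 404) means the request got through
    http:*,curl:*) echo "ua-filtered" ;;   # the thread's symptom: only the LE User-Agent fails (curl 56)
    curl:*,curl:*) echo "unreachable" ;;   # fails either way, so not User-Agent specific
    *)             echo "inconclusive" ;;  # default UA failed but LE UA worked; rerun
  esac
}

# main HOST -> probes the sample token path used in the thread and prints a verdict
main() {
  local url="http://$1/.well-known/acme-challenge/SampleToken" plain le
  plain=$(probe "$url")
  le=$(probe "$url" "$LE_UA")
  echo "default UA: $plain"
  echo "LE UA:      $le"
  echo "verdict:    $(classify "$plain" "$le")"
}

# Only touch the network when a hostname is given on the command line.
[ "$#" -eq 0 ] || main "$@"
```
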

Thanks MikeMcQ, the problem is solved!!!!!
