Connection Reset Error

My domain is: shortgrass.ca

I ran this command: certbot run -v

It produced this output:

root@ModX:/var/log/letsencrypt# certbot run -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: shortgdev.ca
2: alcoma.shortgdev.ca
3: bassano.shortgdev.ca
4: bowisland.shortgdev.ca
5: brooks.shortgdev.ca
6: duchess.shortgdev.ca
7: foremost.shortgdev.ca
8: gem.shortgdev.ca
9: graham.shortgdev.ca
10: irvine.shortgdev.ca
11: mhpl.shortgdev.ca
12: redcliff.shortgdev.ca
13: rollinghills.shortgdev.ca
14: rosemary.shortgdev.ca
15: tilley.shortgdev.ca
16: www.shortgdev.ca
17: shortgrass.ca
18: alcoma.shortgrass.ca
19: bassano.shortgrass.ca
20: bowisland.shortgrass.ca
21: brooks.shortgrass.ca
22: duchess.shortgrass.ca
23: foremost.shortgrass.ca
24: gem.shortgrass.ca
25: graham.shortgrass.ca
26: irvine.shortgrass.ca
27: mhpl.shortgrass.ca
28: redcliff.shortgrass.ca
29: rollinghills.shortgrass.ca
30: rosemary.shortgrass.ca
31: tilley.shortgrass.ca
32: www.shortgrass.ca
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/shortgrass.ca.conf)

It contains these names: shortgrass.ca, alcoma.shortgrass.ca,
bassano.shortgrass.ca, bowisland.shortgrass.ca, brooks.shortgrass.ca,
duchess.shortgrass.ca, foremost.shortgrass.ca, gem.shortgrass.ca,
graham.shortgrass.ca, irvine.shortgrass.ca, mhpl.shortgrass.ca,
redcliff.shortgrass.ca, rollinghills.shortgrass.ca, rosemary.shortgrass.ca,
tilley.shortgrass.ca, www.shortgrass.ca

You requested these names for the new certificate: shortgdev.ca,
alcoma.shortgdev.ca, bassano.shortgdev.ca, bowisland.shortgdev.ca,
brooks.shortgdev.ca, duchess.shortgdev.ca, foremost.shortgdev.ca,
gem.shortgdev.ca, graham.shortgdev.ca, irvine.shortgdev.ca, mhpl.shortgdev.ca,
redcliff.shortgdev.ca, rollinghills.shortgdev.ca, rosemary.shortgdev.ca,
tilley.shortgdev.ca, www.shortgdev.ca, shortgrass.ca, alcoma.shortgrass.ca,
bassano.shortgrass.ca, bowisland.shortgrass.ca, brooks.shortgrass.ca,
duchess.shortgrass.ca, foremost.shortgrass.ca, gem.shortgrass.ca,
graham.shortgrass.ca, irvine.shortgrass.ca, mhpl.shortgrass.ca,
redcliff.shortgrass.ca, rollinghills.shortgrass.ca, rosemary.shortgrass.ca,
tilley.shortgrass.ca, www.shortgrass.ca.

Do you want to expand and replace this existing certificate with the new
certificate?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(E)xpand/(C)ancel: E
Renewing an existing certificate for shortgdev.ca and 31 more domains
Performing the following challenges:
http-01 challenge for alcoma.shortgdev.ca
http-01 challenge for bassano.shortgdev.ca
http-01 challenge for bassano.shortgrass.ca
http-01 challenge for bowisland.shortgdev.ca
http-01 challenge for brooks.shortgdev.ca
http-01 challenge for duchess.shortgdev.ca
http-01 challenge for duchess.shortgrass.ca
http-01 challenge for foremost.shortgdev.ca
http-01 challenge for gem.shortgdev.ca
http-01 challenge for graham.shortgdev.ca
http-01 challenge for irvine.shortgdev.ca
http-01 challenge for mhpl.shortgdev.ca
http-01 challenge for redcliff.shortgdev.ca
http-01 challenge for rollinghills.shortgdev.ca
http-01 challenge for rosemary.shortgdev.ca
http-01 challenge for shortgdev.ca
http-01 challenge for shortgrass.ca
http-01 challenge for tilley.shortgdev.ca
http-01 challenge for www.shortgdev.ca
Waiting for verification...
Challenge failed for domain alcoma.shortgdev.ca
Challenge failed for domain bassano.shortgdev.ca
Challenge failed for domain bowisland.shortgdev.ca
Challenge failed for domain brooks.shortgdev.ca
Challenge failed for domain duchess.shortgdev.ca
Challenge failed for domain foremost.shortgdev.ca
Challenge failed for domain gem.shortgdev.ca
Challenge failed for domain graham.shortgdev.ca
Challenge failed for domain irvine.shortgdev.ca
Challenge failed for domain mhpl.shortgdev.ca
Challenge failed for domain redcliff.shortgdev.ca
Challenge failed for domain rollinghills.shortgdev.ca
Challenge failed for domain rosemary.shortgdev.ca
Challenge failed for domain shortgdev.ca
Challenge failed for domain tilley.shortgdev.ca
Challenge failed for domain www.shortgdev.ca
Challenge failed for domain bassano.shortgrass.ca
Challenge failed for domain duchess.shortgrass.ca
Challenge failed for domain shortgrass.ca
http-01 challenge for alcoma.shortgdev.ca
http-01 challenge for bassano.shortgdev.ca
http-01 challenge for bowisland.shortgdev.ca
http-01 challenge for brooks.shortgdev.ca
http-01 challenge for duchess.shortgdev.ca
http-01 challenge for foremost.shortgdev.ca
http-01 challenge for gem.shortgdev.ca
http-01 challenge for graham.shortgdev.ca
http-01 challenge for irvine.shortgdev.ca
http-01 challenge for mhpl.shortgdev.ca
http-01 challenge for redcliff.shortgdev.ca
http-01 challenge for rollinghills.shortgdev.ca
http-01 challenge for rosemary.shortgdev.ca
http-01 challenge for shortgdev.ca
http-01 challenge for tilley.shortgdev.ca
http-01 challenge for www.shortgdev.ca
http-01 challenge for bassano.shortgrass.ca
http-01 challenge for duchess.shortgrass.ca
http-01 challenge for shortgrass.ca

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: bassano.shortgrass.ca
  Type:   connection
  Detail: During secondary validation: Fetching http://bassano.shortgrass.ca/.well-known/acme-challenge/o3PeHWUVj85_6avnQix6ABHfCPrmIypcIapS9brDUcI: Connection reset by peer

  Domain: duchess.shortgrass.ca
  Type:   connection
  Detail: Fetching http://duchess.shortgrass.ca/.well-known/acme-challenge/hcfgStBEOJHihKh-P2biXkuyULv_46xvwA589l3XZcc: Connection reset by peer

  Domain: shortgrass.ca
  Type:   connection
  Detail: During secondary validation: Fetching http://shortgrass.ca/.well-known/acme-challenge/U6ASk-GSINi_kMHnEzjbOzVnZAGQbGJwS0a2UJOZBLg: Connection reset by peer

  Domain: alcoma.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for alcoma.shortgdev.ca - check that a DNS record exists for this domain

  Domain: bassano.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for bassano.shortgdev.ca - check that a DNS record exists for this domain

  Domain: bowisland.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for bowisland.shortgdev.ca - check that a DNS record exists for this domain

  Domain: brooks.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for brooks.shortgdev.ca - check that a DNS record exists for this domain

  Domain: duchess.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for duchess.shortgdev.ca - check that a DNS record exists for this domain

  Domain: foremost.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for foremost.shortgdev.ca - check that a DNS record exists for this domain

  Domain: gem.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for gem.shortgdev.ca - check that a DNS record exists for this domain

  Domain: graham.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for graham.shortgdev.ca - check that a DNS record exists for this domain

  Domain: irvine.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for irvine.shortgdev.ca - check that a DNS record exists for this domain

  Domain: mhpl.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for mhpl.shortgdev.ca - check that a DNS record exists for this domain

  Domain: redcliff.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for redcliff.shortgdev.ca - check that a DNS record exists for this domain

  Domain: rollinghills.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for rollinghills.shortgdev.ca - check that a DNS record exists for this domain

  Domain: rosemary.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for rosemary.shortgdev.ca - check that a DNS record exists for this domain

  Domain: shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for shortgdev.ca - check that a DNS record exists for this domain

  Domain: tilley.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for tilley.shortgdev.ca - check that a DNS record exists for this domain

  Domain: www.shortgdev.ca
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up A for www.shortgdev.ca - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-62-generic x86_64)

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.20.0

Hello @Edi_Matthews,

I'm receiving the same error (Connection reset by peer) trying to access your sites.

Example:

$ for i in {1..5}; do LANG=C curl -IkL http://bassano.shortgrass.ca/.well-known/acme-challenge/o3PeHWUVj85_6avnQix6ABHfCPrmIypcIapS9brDUcI;sleep 1;done
HTTP/1.1 301 Moved Permanently
Date: Tue, 12 Oct 2021 18:18:41 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://bassano.shortgrass.ca/index.php?q=.well-known/acme-challenge/o3PeHWUVj85_6avnQix6ABHfCPrmIypcIapS9brDUcI
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 404 Not Found
Date: Tue, 12 Oct 2021 18:18:42 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: PHPSESSID=hviva5vtiour29el900q23u11p; expires=Tue, 19-Oct-2021 18:18:42 GMT; Max-Age=604800; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

curl: (56) Recv failure: Connection reset by peer
curl: (56) Recv failure: Connection reset by peer
HTTP/1.1 301 Moved Permanently
Date: Tue, 12 Oct 2021 18:19:15 GMT
Server: Apache/2.4.18 (Ubuntu)
Location: https://bassano.shortgrass.ca/index.php?q=.well-known/acme-challenge/o3PeHWUVj85_6avnQix6ABHfCPrmIypcIapS9brDUcI
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 404 Not Found
Date: Tue, 12 Oct 2021 18:19:16 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: PHPSESSID=q2rsgisqs6pg2u8c8m859v7em4; expires=Tue, 19-Oct-2021 18:19:16 GMT; Max-Age=604800; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Type: text/html; charset=UTF-8

curl: (56) Recv failure: Connection reset by peer

I tried to reach your acme challenge 5 times and I received the error 3 times.

Also, some of your domains don't have an A record so no one can reach them.

Regarding the DNS problem, just add the right A records pointing to your server to your DNS server. Regarding the connection reset by peer error, I don't know what is going on on your server, so I can't help here.

Cheers,
sahsanu

1 Like

Okay, so I got some of my domains SSL certs, but not all of them. I just excluded the domains that were giving me errors.


root@ModX:/var/log/letsencrypt# certbot run  --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: shortgdev.ca
2: alcoma.shortgdev.ca
3: bassano.shortgdev.ca
4: bowisland.shortgdev.ca
5: brooks.shortgdev.ca
6: duchess.shortgdev.ca
7: foremost.shortgdev.ca
8: gem.shortgdev.ca
9: graham.shortgdev.ca
10: irvine.shortgdev.ca
11: mhpl.shortgdev.ca
12: redcliff.shortgdev.ca
13: rollinghills.shortgdev.ca
14: rosemary.shortgdev.ca
15: tilley.shortgdev.ca
16: www.shortgdev.ca
17: shortgrass.ca
18: alcoma.shortgrass.ca
19: bassano.shortgrass.ca
20: bowisland.shortgrass.ca
21: brooks.shortgrass.ca
22: duchess.shortgrass.ca
23: foremost.shortgrass.ca
24: gem.shortgrass.ca
25: graham.shortgrass.ca
26: irvine.shortgrass.ca
27: mhpl.shortgrass.ca
28: redcliff.shortgrass.ca
29: rollinghills.shortgrass.ca
30: rosemary.shortgrass.ca
31: tilley.shortgrass.ca
32: www.shortgrass.ca
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 18 20 21 23 24 25 26 27 28 29 30 31 32
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.shortgrass.ca.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for www.shortgrass.ca and 12 more domains

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/www.shortgrass.ca/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/www.shortgrass.ca/privkey.pem
This certificate expires on 2022-01-10.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for www.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for alcoma.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for bowisland.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for brooks.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for foremost.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for gem.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for graham.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for irvine.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for mhpl.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for redcliff.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for rollinghills.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for rosemary.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Successfully deployed certificate for tilley.shortgrass.ca to /etc/apache2/sites-enabled/default-ssl.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

One of our IT support fellows recommended I
"adjust your CNAME for www, so it points right to the IP instead of shortgrass.ca as a workaround for now"

**I noticed the server's /etc/resolv.conf is only pointing to 8.8.8.8 and that should be the 2nd DNS server (we host our own DNS server)**

Is updating the resolv.conf file on the webserver to point at my own DNS server my next troubleshooting step? (To get bassano.shortgrass.ca, duchess.shortgrass.ca, and most importantly shortgrass.ca, an SSL cert?)

I'm really new to Linux server administration, thanks for all the help so far, sahsanu

1 Like

That won't have any effect on:

I get:
nslookup brooks.shortgdev.ca
*** [several DNS servers] can't find brooks.shortgdev.ca: Non-existent domain

EDIT: I see now that you excluded that domain and were able to get a cert for the names on the other domain :)

1 Like

shortgdev.ca is not even registered.


whois shortgdev.ca
Not found: shortgdev.ca

%
% Use of CIRA's WHOIS service is governed by the Terms of Use in its Legal
% Notice, available at http://www.cira.ca/legal-notice/?lang=en
%
% (c) 2021 Canadian Internet Registration Authority, (http://www.cira.ca/)

2 Likes

I got help from third party IT support. I modified the DNS TXT records and completed the three sites that were having issues via DNS challenge. This got those three sites working, but broke all the other sites.

I pushed the
"certbot run --apache"
command for all the non-.shortgdev.ca domains, which completed successfully. All the SSL certs have been successfully installed (all the ones I cared about, at least).

I'm not sure why DNS TXT records fixed it. (An expert explanation would be worthwhile, mostly for others in the future who find this thread and hope it helps them find a solution to their problem.)

Regardless, thanks for the help!

1 Like

I'm pretty sure that is more like a "workaround" (the problem) than an actual "fix" of it.
And you will surely be having it again in 60-90 days (unless something actually gets fixed).

I suspect that the HTTP challenge requests aren't being handled as needed.
And confirmed by this... PHP mutilation of it:

curl tilley.shortgrass.ca/.well-known/acme-challenge/Test-File-1234
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://tilley.shortgrass.ca/index.php?q=.well-known/acme-challenge/Test-File-1234">here</a>.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at tilley.shortgrass.ca Port 80</address>
</body></html>

This will never find what it is looking for:
https://tilley.shortgrass.ca/index.php?q=.well-known/acme-challenge/Test-File-1234

1 Like
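The probe below is an added example (not code from anyone in this thread) that does, in one script, what sahsanu's curl loop and the `Test-File-1234` fetch above do by hand: it requests the challenge path over plain HTTP without following redirects and sorts the result into the same classes the CA reported (dns, connection, a redirect that drops the `/.well-known/acme-challenge/` path, 404). The token name `Test-File-1234` and the `probe`/`classify` function names are this example's own choices.

```python
"""Probe a hostname the way an http-01 validation does and classify what comes back."""
import socket
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

CHALLENGE_DIR = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses; surface them so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location, requested_path, error=None):
    """Map one probe result onto the failure class the CA would report.

    status: HTTP status (None if no response); location: Location header of a
    redirect; requested_path: the challenge path we asked for; error: exception.
    """
    if isinstance(error, socket.gaierror):
        return "dns: name does not resolve (NXDOMAIN); an A/AAAA record is needed"
    if isinstance(error, ConnectionResetError):
        return "connection: reset by peer; something on the host closed the TCP session"
    if error is not None:
        return f"connection: {error}"
    if status in (301, 302, 307, 308):
        # A redirect is acceptable only if the challenge path survives it unchanged.
        if location and urlsplit(location).path == requested_path:
            return "ok: redirect keeps the challenge path, the CA will follow it"
        return f"rewrite: redirect drops the challenge path, target is {location}"
    if status == 404:
        return "unauthorized: path is served but the token file is missing"
    if status == 200:
        return "ok: challenge path is reachable over plain HTTP"
    return f"unexpected: HTTP {status}"


def probe(host, token="Test-File-1234", timeout=10):
    """Fetch http://host/.well-known/acme-challenge/<token> once, redirects not followed."""
    path = CHALLENGE_DIR + token
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(f"http://{host}{path}", timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"), path)
    except urllib.error.HTTPError as exc:          # 3xx/4xx/5xx land here
        return classify(exc.code, exc.headers.get("Location"), path)
    except urllib.error.URLError as exc:           # DNS failure, refused/reset connect
        return classify(None, None, path, error=exc.reason)
    except OSError as exc:                         # e.g. reset while reading the reply
        return classify(None, None, path, error=exc)


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(f"{name}: {probe(name)}")
```

A "rewrite" result means the site's redirect or front-controller rule is catching the challenge path, as in the `index.php?q=` Location above; exempting `/.well-known/acme-challenge/` from that rule is the usual remedy.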