During secondary validation: Remote PerformValidation RPC failed

fhdev · June 17, 2022, 11:10pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: machineshedsports.com

I ran this command: certbot renew -v

It produced this output:

The following errors were reported by the server:

Domain: www.machineshedsports.com
Type: serverInternal
Detail: During secondary validation: Remote PerformValidation RPC
failed

Domain: machineshedsports.com
Type: serverInternal
Detail: During secondary validation: Remote PerformValidation RPC
failed

Unfortunately, an error on the ACME server prevented you from
completing authorization. Please try again later.

My web server is (include version): Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS Linux release 7.7.1908

My hosting provider, if applicable, is: self/not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.39.0

other notes:
validation was attempted using http-01, while it was running i manually checked that the server was able to serve back the challenge at machineshedfitness.com/.well-known/acme-challenge/XXXXXXX and it was serving the token at that url as expected so it would appear the issue is on letsencrypt side? any help appreciated

petercooperjr · June 17, 2022, 11:42pm

I would concur, as pretty much any "serverInternal" error would be.

Have you tried again later?

fhdev · June 17, 2022, 11:43pm

yep, i tried again just now, same result

I did check https://letsencrypt.status.io/ before posting, but it doesn't list any issues currently....

cigamit · June 17, 2022, 11:44pm

I have the same issue on 2 separate servers.

fhdev · June 17, 2022, 11:44pm

same, i have two servers currently that are doing this

petercooperjr · June 17, 2022, 11:44pm

So based on when you first posted, you've been experiencing this for over half an hour? Very odd.

@lestaff, I'm going to throw this one to you guys.

fhdev · June 17, 2022, 11:51pm

yeah, not sure where to go at this point besides waiting even longer before "trying again later"

I am using webroot/http validation method

I ran certbot with verbose, it shows

Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/XXXXX

response is
{
"identifier": {
"type": "dns",
"value": "machineshedsports.com"
},
"status": "pending",
"expires": "2022-06-24T23:46:49Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/Kjy-DQ",
"token": "XXX"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/C6xwlw",
"token": "XXX"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/Zykj1Q",
"token": "XXX"
}
]
}

I then check the webroot path and the file is there for
.well-known/acme-challenge/XXXXX

I then load that in the browser using machineshedfitness.com/.well-known/acme-challenge/XXX and it shows the token

so everything on this end look correct, just fails back with that error from certbot
{
"identifier": {
"type": "dns",
"value": "machineshedsports.com"
},
"status": "invalid",
"expires": "2022-06-24T23:46:49Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:serverInternal",
"detail": "During secondary validation: Remote PerformValidation RPC failed",
"status": 500
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/XXX/XXX",
"token": "XXX",
"validationRecord": [
{
"url": "http://machineshedsports.com/.well-known/acme-challenge/XXX",
"hostname": "machineshedsports.com",
"port": "80",
"addressesResolved": [
"157.245.236.25"
],
"addressUsed": "157.245.236.25"
},
{
"url": "https://machineshedfitness.com/.well-known/acme-challenge/XXX",
"hostname": "machineshedfitness.com",
"port": "443",
"addressesResolved": [
"157.245.236.25"
],
"addressUsed": "157.245.236.25"
}
],
"validated": "2022-06-17T23:46:49Z"
}
]
}

fhdev · June 18, 2022, 12:07am

well, i guess it was just a "try again a lotta bit later" issue, cause it just went through

cmsamsi · June 18, 2022, 12:12am

FYI. I am having this problem too. It only happens to one of my domains, the others worked fine.

Frustrating ...

fhdev · June 18, 2022, 12:13am

yeah, i kept waiting for a red bubble on https://letsencrypt.status.io/ but it still shows green

or at least one of those "purple.... degraded" indicators

cmsamsi · June 18, 2022, 12:15am

Wow this is aggravating from beginning to working took 4 hours of waiting.

What kind of internal server issues are you folks having? Curious ...

Phil · June 18, 2022, 12:18am

I pushed out a bad config change while altering some syslog values in the RVA config. The syslog block goes in the syslog hole, not the RVA. Secondary validation failures should be clearing up in staging and prod right now. A future improvement will be to run config tests prior to restarting that daemon. I'll get a status.io backfilled.

fhdev · June 18, 2022, 12:19am

glad that it wasn't something I did and that it should be clearing up

fhdev · June 18, 2022, 12:25am

"bad config change while altering some syslog values" we'll just call that a "Phil" from now on

system · July 18, 2022, 12:25am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.