Error getting validation data

My domain is:
escm.ca

Internet provider:
Rogers in Ottawa, Ontario, Canada

I ran this command:
certbot certonly --nginx -d escm.ca --dry-run
certbot certonly --webroot -w /var/www/correct-directory -d escm.ca --dry-run
certbot certonly --standalone -d escm.ca --dry-run

It produced this output:
Some challenges have failed.

My web server is (include version):
nginx/1.22.0

The operating system my web server runs on is (include version):
Debian 10.13 buster (Yes, I will upgrade another time...)

My hosting provider, if applicable, is:
Personal server at home.

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 5.2.2 (installed via snap)

Hi all,

I'm getting consistent failures during secondary validation with "Error getting validation data" and status 400 in the JSON. I've tried certbot with Nginx, webroot, and standalone, and all fail. Nginx is stripped down to a minimal default and escm.ca serves on port 80 only (443 and everything else temporarily disabled), I disabled some static filtering in the firewall, and DNS tests are fine. Certbot primary challenges work 99% of the time, but secondary ones fail. What's concerning me is I see "No route to host" in Let's Debug, and sporadic "No route to host" and "Connection timed out" on https://check-host.net/check-http?host=escm.ca. I'm less concerned about connections from China, but it happens with tests from the US as well (I'm in Canada). Which tests fail appears to be random, and I have seen each of them work on occasion. I tried the HTTP/1 Web Server Test and it works and fails alternately every other time. This happened on another test site with "No route to host". Then of course the Let's Encrypt secondary validation mystery servers fail consistently...

Any ideas?

A bit of back story: I disabled OCSP on the certificates months ago and things were working fine. Then I discovered my web server wasn't working and certs expired because the system disk was full. I cleared space and discovered this problem. I wasn't otherwise in there playing with config or anything and this is a pretty barebones Debian and Nginx setup serving a static web site. No Docker or weird host setup, no adaptive filtering or anything on the gateway... I know the Sysadmin's Haiku though and since I know the problem is not DNS, it must be DNS. Joking aside, DNS config and tests appear fine as always. Is the internet broken?

This is similar to a problem I had a few years ago, but not the same. Pings fixed it then for some reason but don't seem related now. Enabling/disabling them doesn't change anything.

Connections are randomly failing. When it fails, I see this ICMP message:

ICMP host 174.113.7.175 unreachable

The issue may not necessarily be with the system, but with the hosting provider. I suggest contacting them.

3 Likes

I also started wondering if it's Rogers so yeah, I think I'll take your advice and contact them. It will probably be an ordeal dealing with them so I should get the ball rolling.

I double-checked with MXToolbox ping and it mostly works but I did get a timeout. MXToolbox HTTP is more sketchy and fails sometimes, but less than consistently every other time. I'm still wondering why Let's Encrypt secondary validation fails 100% of the time while various tests are intermittent. I would think I would've squeaked a successful renewal in by now but it simply never works.

Anyway, I'll contact Rogers but if there are any other ideas please let me know.

Thanks!

1 Like

The '400' might be your nginx replying to the LE server with that http response.

You could check your nginx error log for more info.

Looking at your nginx access log could be interesting too. A successful challenge will have 4 or 5 identical URIs from different origin IPs. The primary LE center must succeed and (currently) at least 3 of 4 secondary centers as well. It would be interesting to know how many arrived.

This likely wouldn't explain the timeouts or 'no route to host' though.

You might try powering your router off and on. Rogers will ask you to do that as the first step anyway :)

4 Likes
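A way to answer the "how many arrived" question above from the access log: this is an added example for this thread, not code from the original posts or from Certbot or Let's Encrypt. It assumes nginx's default "combined" log format (the poster's custom format differs, so LOG_RE would need adjusting), uses constructed sample lines with RFC 5737 documentation addresses and made-up tokens, and takes the thread's statement that the primary plus at least 3 of 4 secondary vantage points must succeed as a threshold of 4 distinct successful fetches per token.

```python
"""Count which validation vantage points actually reached an http-01
challenge file, and whether this server answered any of them with a
non-200, by reading nginx access-log lines.

Added example for this thread, not Certbot's or Let's Encrypt's code.
Assumes nginx "combined" log format; the threshold of 4 comes from the
thread (primary + at least 3 of 4 secondaries must succeed).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# nginx "combined":  ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REQUIRED_SUCCESSFUL_HITS = 4  # primary + 3 of 4 secondaries, per the thread


@dataclass
class TokenStats:
    ok_ips: set = field(default_factory=set)    # distinct source IPs that got a 200
    failed: list = field(default_factory=list)  # (ip, status) for every non-200 answer


def parse_challenge_hits(log_lines):
    """Return {token: TokenStats} for every request under the acme-challenge path."""
    stats = defaultdict(TokenStats)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
            continue  # not a challenge fetch (or an unparseable line)
        token = m.group("path")[len(CHALLENGE_PREFIX):].split("?", 1)[0]
        status = int(m.group("status"))
        if status == 200:
            stats[token].ok_ips.add(m.group("ip"))
        else:
            stats[token].failed.append((m.group("ip"), status))
    return dict(stats)


def assess(stats, required=REQUIRED_SUCCESSFUL_HITS):
    """Map each token to a short verdict that separates 'my server answered badly'
    from 'some validators never reached my server at all'."""
    verdicts = {}
    for token, s in stats.items():
        n = len(s.ok_ips)
        if s.failed:
            # A non-200 here means the error the CA reported really came from this server.
            verdicts[token] = f"server returned non-200 to {len(s.failed)} validator request(s)"
        elif n >= required:
            verdicts[token] = f"{n} distinct validators fetched it: enough"
        else:
            verdicts[token] = (f"only {n} distinct validators fetched it; "
                               f"{required - n} more never reached the server (network path?)")
    return verdicts


# Constructed sample log (documentation IPs, made-up tokens), not the poster's real log.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Dec/2025:23:29:25 -0500] "GET / HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.10 - - [25/Dec/2025:23:29:25 -0500] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "LE validation"
198.51.100.20 - - [25/Dec/2025:23:29:25 -0500] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "LE validation"
192.0.2.30 - - [25/Dec/2025:23:29:26 -0500] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "LE validation"
203.0.113.10 - - [25/Dec/2025:23:31:01 -0500] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "LE validation"
198.51.100.20 - - [25/Dec/2025:23:31:01 -0500] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "LE validation"
198.51.100.20 - - [25/Dec/2025:23:31:01 -0500] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "LE validation"
192.0.2.30 - - [25/Dec/2025:23:31:02 -0500] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "LE validation"
192.0.2.40 - - [25/Dec/2025:23:31:02 -0500] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 200 87 "-" "LE validation"
203.0.113.10 - - [25/Dec/2025:23:33:07 -0500] "GET /.well-known/acme-challenge/tokenC HTTP/1.1" 404 153 "-" "LE validation"
"""


def main():
    for token, verdict in assess(parse_challenge_hits(SAMPLE_LOG.splitlines())).items():
        print(f"{token}: {verdict}")


if __name__ == "__main__":
    main()
```

With a real log, pipe it in (for example `grep acme-challenge /var/log/nginx/access.log`) instead of SAMPLE_LOG; three 200 hits for one token, as in the run posted further down, is exactly the "only 3, one more never reached the server" case.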

The 400 isn't coming from my server as far as I can tell. There is nothing in the access or error logs about it. I'll drop some config and logs here, but when running with --webroot:

  • The challenge token is created in .well-known/acme-challenge under the webroot directory, and I'm able to curl it.
  • I see three successful 200 challenge hits from different IPs.
  • LE proceeds to try several times but fails.
  • Nothing appears in any nginx log and the certbot debug log doesn't show what exactly caused it to fail.

I've only deduced that it seems it's not at my end from the connection problems shown by the various external tests.

Yup, I've restarted everything including the kitchen sink and also updated pfSense 2.8.0 -> 2.8.1. I hesitate to upgrade Debian from 10 to 13 because I'm certain that will cause more problems than it will solve, and at the moment I highly doubt the OS is the problem. I know this will all be a pain point with Rogers because I need to break through their support script for noobs and get to some kind of final boss level of tech support, all after waiting on the phone for 78 minutes minimum multiple times because their chat bot is entirely useless...

Anyway, here is the last run:

$ certbot certonly --webroot -w /var/www/correct-directory -d escm.ca --dry-run --debug-challenges -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Certificate not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for escm.ca
Performing the following challenges:
http-01 challenge for escm.ca
Using the webroot path /var/www/escm.ca for all unmatched domains.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://escm.ca/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578
Expected value:
OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578.5zYYyPRWLKsi41hf15YqUSuKIy6BLzUrpqsn9OH4wsQ
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

In another terminal and from a test site:

$ curl http://escm.ca/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578
OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578.5zYYyPRWLKsi41hf15YqUSuKIy6BLzUrpqsn9OH4wsQ

Both tests inside and outside the LAN succeeded.

Nginx access log:

66.133.109.36 - - [25/Dec/2025:23:29:25 -0500] 200 http "GET /.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaA
54.213.80.136 - - [25/Dec/2025:23:29:25 -0500] 200 http "GET /.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaA
54.179.244.160 - - [25/Dec/2025:23:29:26 -0500] 200 http "GET /.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDa

Nginx error log has nothing.

Certbot debug log:

2025-12-25 23:26:28,479:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2025-12-25 23:26:28,692:DEBUG:certbot._internal.main:certbot version: 5.2.2
2025-12-25 23:26:28,692:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/5234/bin/certbot
2025-12-25 23:26:28,692:DEBUG:certbot._internal.main:Arguments: ['--webroot', '-w', '/var/www/correct-directory', '-d', 'escm.ca', '--dry-run', '--debug-challenges', '-v', '--preconfigured-renewal']
2025-12-25 23:26:28,692:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2025-12-25 23:26:28,703:DEBUG:certbot._internal.log:Root logging level set at 20
2025-12-25 23:26:28,705:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2025-12-25 23:26:28,705:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A separate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='webroot', value='certbot._internal.plugins.webroot:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f15c8b4f2f0>
Prep: True
2025-12-25 23:26:28,705:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f15c8b4f2f0> and installer None
2025-12-25 23:26:28,706:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2025-12-25 23:26:28,774:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.bindings._rust.openssl.rsa.RSAPublicKey object at 0x7f15cb76c2b0>)>), contact=(), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging.api.letsencrypt.org/acme/reg/5226607', new_authzr_uri='https://acme-staging.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 78a89c65512bd308463a5b770b7b57ac, Meta(creation_dt=datetime.datetime(2017, 12, 14, 5, 43, 49, tzinfo=datetime.timezone.utc), creation_host='Server.lan', register_to_eff=None))>
2025-12-25 23:26:28,775:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2025-12-25 23:26:28,778:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2025-12-25 23:26:29,111:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 1107
2025-12-25 23:26:29,111:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 26 Dec 2025 04:26:29 GMT
Content-Type: application/json
Content-Length: 1107
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "HXkpSVsMdV4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived",
      "tlsclient": "https://letsencrypt.org/docs/profiles#tlsclient",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.6-August-18-2025.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-staging-v02.api.letsencrypt.org/acme/renewal-info",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}
2025-12-25 23:26:29,118:INFO:certbot._internal.renewal:Certificate not due for renewal, but simulating renewal for dry run
2025-12-25 23:26:29,119:DEBUG:certbot._internal.display.obj:Notifying user: Simulating renewal of an existing certificate for escm.ca
2025-12-25 23:26:29,122:DEBUG:acme.client:Requesting fresh nonce
2025-12-25 23:26:29,122:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2025-12-25 23:26:29,207:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2025-12-25 23:26:29,208:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 26 Dec 2025 04:26:29 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0t1BB3M7Ncl98oDDrW4BVmibUiZUswx_tIHyVOQVkIlzgz90Q2o
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2025-12-25 23:26:29,208:DEBUG:acme.client:Storing nonce: 0t1BB3M7Ncl98oDDrW4BVmibUiZUswx_tIHyVOQVkIlzgz90Q2o
2025-12-25 23:26:29,208:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "escm.ca"\n    }\n  ]\n}'
2025-12-25 23:26:29,211:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNTIyNjYwNyIsICJub25jZSI6ICIwdDFCQjNNN05jbDk4b0REclc0QlZtaWJVaVpVc3d4X3RJSHlWT1FWa0lsemd6OTBRMm8iLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "fsYMqc95kajgDdLDo_0MOfI3jZjYTrnbIBBCTxzGqOer1n0mNZ8JOJitxoQPSAYqbTw0MDQ-U051BU2nL0tmV1Pa4gKyL0mfyoPbGVoiKkaEKkQt51-qkgybBu88ROhyG4ZleXH19tzVWnsB7EdHJrQGGqT31SquUXQ6JG_Db69YDFRjHM4q-xargh8jZQyZraEHSCof0m9_x2mHt_5nNY-jKoEahriKwO9x40PULp-OqEHYjvzuIBU3PbRCXTFodou7U1IbXoZ5TEPImtcp7ul_jC4-aiYwUqNMNe5Eho8ozrbAwyNbRX4JH0Wc8GbYJcfIdsvhD5m9mSv2us9wbQ",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImVzY20uY2EiCiAgICB9CiAgXQp9"
}
2025-12-25 23:26:29,310:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 349
2025-12-25 23:26:29,311:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Fri, 26 Dec 2025 04:26:29 GMT
Content-Type: application/json
Content-Length: 349
Connection: keep-alive
Boulder-Requester: 5226607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/order/5226607/29896393603
Replay-Nonce: pyBD3s7Bia3a2gHE6ltEuVnDT41JOiD2RCbHIH0ad-b13Zb2aUM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2026-01-02T04:26:29Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "escm.ca"
    }
  ],
  "authorizations": [
    "https://acme-staging-v02.api.letsencrypt.org/acme/authz/5226607/20887468363"
  ],
  "finalize": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/5226607/29896393603"
}
2025-12-25 23:26:29,311:DEBUG:acme.client:Storing nonce: pyBD3s7Bia3a2gHE6ltEuVnDT41JOiD2RCbHIH0ad-b13Zb2aUM
2025-12-25 23:26:29,312:DEBUG:acme.client:JWS payload:
b''
2025-12-25 23:26:29,315:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/5226607/20887468363:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNTIyNjYwNyIsICJub25jZSI6ICJweUJEM3M3QmlhM2EyZ0hFNmx0RXVWbkRUNDFKT2lEMlJDYkhJSDBhZC1iMTNaYjJhVU0iLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovNTIyNjYwNy8yMDg4NzQ2ODM2MyJ9",
  "signature": "GA_hMH1zxex4vNXEqWQCG-L-o0jihnKoARdNDUFtxstDjnGJdeDZFogRMe0IDq1yyVd9CF_8vQYpnfb7lYPA1R4-ZVH_1aYmQJd3LotHvL4kAY7m-cd6kXvu1S0tdYIvuROZVNa4-jG_3fl_l1XmNCHBJpSnD3vzU7gSXxZ4qlm6R6GpXsS8GZQPQoi5lH85Y6epv3x1Swb3B2kDstBmxixlWCVLHlUeLKpiO-lTOGKo9fvxqrh6EwVJtoemw6sxSDnmcCV4-BQglKrAtw5NGN-5-Ew_tjHx8M2AfelTi8wKPDIF76aPaDCb7VHkjIEwev50j9Z-LwAyOgZQdgFbzA",
  "payload": ""
}
2025-12-25 23:26:29,405:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/5226607/20887468363 HTTP/1.1" 200 827
2025-12-25 23:26:29,406:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 26 Dec 2025 04:26:29 GMT
Content-Type: application/json
Content-Length: 827
Connection: keep-alive
Boulder-Requester: 5226607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: pyBD3s7Bz_xT3K8tMDFWJPxQ1UXIsHEO-HXHtnPA1d-qii6E6zU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ca"
  },
  "status": "pending",
  "expires": "2026-01-02T04:26:29Z",
  "challenges": [
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/0h9bbg",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/tj0lyw",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    },
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/6biihQ",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    }
  ]
}
2025-12-25 23:26:29,406:DEBUG:acme.client:Storing nonce: pyBD3s7Bz_xT3K8tMDFWJPxQ1UXIsHEO-HXHtnPA1d-qii6E6zU
2025-12-25 23:26:29,406:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'type': 'tls-alpn-01', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/tj0lyw', 'status': 'pending', 'token': 'OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578'}
2025-12-25 23:26:29,407:INFO:certbot._internal.auth_handler:Performing the following challenges:
2025-12-25 23:26:29,407:INFO:certbot._internal.auth_handler:http-01 challenge for escm.ca
2025-12-25 23:26:29,408:INFO:certbot._internal.plugins.webroot:Using the webroot path /var/www/correct-directory for all unmatched domains.
2025-12-25 23:26:29,408:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/correct-directory/.well-known/acme-challenge
2025-12-25 23:26:29,410:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/correct-directory/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578
2025-12-25 23:26:29,411:DEBUG:certbot._internal.display.obj:Notifying user: Challenges loaded. Press continue to submit to CA.

The following URLs should be accessible from the internet and return the value
mentioned:

URL:
http://escm.ca/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578
Expected value:
OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578.5zYYyPRWLKsi41hf15YqUSuKIy6BLzUrpqsn9OH4wsQ
2025-12-25 23:29:24,918:DEBUG:acme.client:JWS payload:
b'{}'
2025-12-25 23:29:24,921:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/6biihQ:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNTIyNjYwNyIsICJub25jZSI6ICJweUJEM3M3QnpfeFQzSzh0TURGV0pQeFExVVhJc0hFTy1IWEh0blBBMWQtcWlpNkU2elUiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvY2hhbGwvNTIyNjYwNy8yMDg4NzQ2ODM2My82YmlpaFEifQ",
  "signature": "th_fy6CM5J4X9QE52X7-I_NF1YDJYyq96PlJS76-gGLYi_pt3wk-jMqpWPUXdKmL_11EuiIHm-cDWQqZYFTeY49XffDElwI0JWg4XvIYNQv1hWXDKO7yBK3oZ6--tXuzqX8Rc3yGZfzQihrBRXeFbirzvM-9MtFuhbitB1Fs45S1DD4sXNViKrpKcY0U2kCJcnjhM9w9ua61YFpQ9zePQr76YcxpllVB_qxNZcMA-5ZmQ27FZFZ3W-TtjM48guUcYz_fw91xgCRebrzLCKbHeEyHOmc_ohUxt3Ein4lDFYJRGgoIm-hCkkWZhUdFljHa5RqcCrfFb6q_Tiium3Wnwg",
  "payload": "e30"
}
2025-12-25 23:29:25,021:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/chall/5226607/20887468363/6biihQ HTTP/1.1" 200 199
2025-12-25 23:29:25,021:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 26 Dec 2025 04:29:24 GMT
Content-Type: application/json
Content-Length: 199
Connection: keep-alive
Boulder-Requester: 5226607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/authz/5226607/20887468363>;rel="up"
Location: https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/6biihQ
Replay-Nonce: 0t1BB3M7kiwFmYo1us5ToRM1iSAPeFgSxurup0BqmNYrK9dttOU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/6biihQ",
  "status": "pending",
  "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
}
2025-12-25 23:29:25,022:DEBUG:acme.client:Storing nonce: 0t1BB3M7kiwFmYo1us5ToRM1iSAPeFgSxurup0BqmNYrK9dttOU
2025-12-25 23:29:25,022:INFO:certbot._internal.auth_handler:Waiting for verification...
2025-12-25 23:29:26,022:DEBUG:acme.client:JWS payload:
b''
2025-12-25 23:29:26,024:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/5226607/20887468363:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNTIyNjYwNyIsICJub25jZSI6ICIwdDFCQjNNN2tpd0ZtWW8xdXM1VG9STTFpU0FQZUZnU3h1cnVwMEJxbU5Zcks5ZHR0T1UiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovNTIyNjYwNy8yMDg4NzQ2ODM2MyJ9",
  "signature": "aHBJ6a6azfsImaeAEkz9cifEA6uY4c05K3s3FZUlD5XkCTPWP2wHDjpgGATUATfqvPJALFy0iPaEC0kf05GWsu4KcyEAazsDHfZrP7JdjAfsxV3b8nI4F8YJypd6OkaHvNOGCHqGtlXuqE-jY5Ud_qdFlDOY7VqVgYLRwpBLQvoQFP7NLx5WqUxqX3jHwMgJYdxnd5fsHTo8T1BkwB6JPw4dMyLttZ6Lxlu9LLP7dlRjZ4Fd1I-4fc7Px1eDu6iQ-uRnGFldFRYDJKPYDCCPhfrot4rMIBNUXr0nwEwt3C0njMyuDFMe_vrTIiUSCTE9QPpc68F1F_s_3MFUCdtR6w",
  "payload": ""
}
2025-12-25 23:29:26,203:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/5226607/20887468363 HTTP/1.1" 200 827
2025-12-25 23:29:26,203:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 26 Dec 2025 04:29:26 GMT
Content-Type: application/json
Content-Length: 827
Connection: keep-alive
Boulder-Requester: 5226607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: pyBD3s7BhgTe3zntgJvp8CKcOH9R2cx4OR5FRpKvFveU-LxSr7M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ca"
  },
  "status": "pending",
  "expires": "2026-01-02T04:26:29Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/6biihQ",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    },
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/tj0lyw",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/0h9bbg",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    }
  ]
}
2025-12-25 23:29:26,204:DEBUG:acme.client:Storing nonce: pyBD3s7BhgTe3zntgJvp8CKcOH9R2cx4OR5FRpKvFveU-LxSr7M
2025-12-25 23:29:26,204:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'type': 'tls-alpn-01', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/tj0lyw', 'status': 'pending', 'token': 'OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578'}
2025-12-25 23:29:29,205:DEBUG:acme.client:JWS payload:
b''
2025-12-25 23:29:29,207:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/5226607/20887468363:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNTIyNjYwNyIsICJub25jZSI6ICJweUJEM3M3QmhnVGUzem50Z0p2cDhDS2NPSDlSMmN4NE9SNUZScEt2RnZlVS1MeFNyN00iLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovNTIyNjYwNy8yMDg4NzQ2ODM2MyJ9",
  "signature": "oiubCE58hMsspCkGIFk08CHnTFKWJRdst1duXDMknsj8S4rW1OVO57eoJzN331l9ejuUgcQLNnbd7YGUJwA5zG6AlKM2MI3YlurEOZKEt9PQfI7AMeIaaYvtQfy6-2SW7zXBTcWh87zcTIl9dZ56XqQOe-gbrP4Td6vv9jIa9MruDj-XpzG2-bTwMyVvPwTa1Het8SedDJuDzQqGb-iTtuq8h4mB9MMh5PLOU8U5sUbBxFl0R_731CKTmBcwbrhgQ9hG4jAhDW14qim8vD-YVhw-hoNqGcjQOMtikHoi_KX3KkVwp89eWdfXV2JxKHneniVigHmb5496jHYYXgm3PQ",
  "payload": ""
}
2025-12-25 23:29:29,313:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/5226607/20887468363 HTTP/1.1" 200 827
2025-12-25 23:29:29,314:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 26 Dec 2025 04:29:29 GMT
Content-Type: application/json
Content-Length: 827
Connection: keep-alive
Boulder-Requester: 5226607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: pyBD3s7B1NUh5bGDu4er5yKFpus2yvhMpKbOthdbaGbl4H9p4Ko
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ca"
  },
  "status": "pending",
  "expires": "2026-01-02T04:26:29Z",
  "challenges": [
    {
      "type": "tls-alpn-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/tj0lyw",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    },
    {
      "type": "dns-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/0h9bbg",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    },
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/6biihQ",
      "status": "pending",
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578"
    }
  ]
}
2025-12-25 23:29:29,314:DEBUG:acme.client:Storing nonce: pyBD3s7B1NUh5bGDu4er5yKFpus2yvhMpKbOthdbaGbl4H9p4Ko
2025-12-25 23:29:29,314:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {'type': 'tls-alpn-01', 'url': 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/tj0lyw', 'status': 'pending', 'token': 'OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578'}
2025-12-25 23:29:32,315:DEBUG:acme.client:JWS payload:
b''
2025-12-25 23:29:32,317:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/5226607/20887468363:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvNTIyNjYwNyIsICJub25jZSI6ICJweUJEM3M3QjFOVWg1YkdEdTRlcjV5S0ZwdXMyeXZoTXBLYk90aGRiYUdibDRIOXA0S28iLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovNTIyNjYwNy8yMDg4NzQ2ODM2MyJ9",
  "signature": "1NJ1Nif53Aax3SIAG2s3foNfCWJcsIk_immrlqs4uMqvDUzHyPou0CtCZkz_GurUJlLVFX2ZI2mP3Ksf1bwk5jw6AasjDOV2VDh4o34ct1RVkvZZcVvgZ-vro-lXt2o4tNXIP822iBfsQ2sZop2nNVGUqNFHySELZp71Jil24SFBbvJTHmUL3XUZ2Wpre_wUywAdVh2vbui_WNROlZ6u2VYULLA-PkMVGhoqWKO3SvadqlpQZktTp2QIJMBLBElC3CA9jKS4M9k6ymJLQrFIMLP_kgamC-ft_d3znjhjHhcLb48pfSrnzr4gfBZOEmSmKXkI0sfrR2YqPEGZiShrhA",
  "payload": ""
}
2025-12-25 23:29:32,421:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/5226607/20887468363 HTTP/1.1" 200 1048
2025-12-25 23:29:32,421:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 26 Dec 2025 04:29:32 GMT
Content-Type: application/json
Content-Length: 1048
Connection: keep-alive
Boulder-Requester: 5226607
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0t1BB3M7Gdmxn_8rRjjqplJLIbo8mgsDgMnZJKn56A1ZYWIVd4g
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "escm.ca"
  },
  "status": "invalid",
  "expires": "2026-01-02T04:26:29Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall/5226607/20887468363/6biihQ",
      "status": "invalid",
      "validated": "2025-12-26T04:29:24Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "During secondary validation: 174.113.7.175: Fetching http://escm.ca/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578: Error getting validation data",
        "status": 400
      },
      "token": "OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578",
      "validationRecord": [
        {
          "url": "http://escm.ca/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578",
          "hostname": "escm.ca",
          "port": "80",
          "addressesResolved": [
            "174.113.7.175"
          ],
          "addressUsed": "174.113.7.175"
        }
      ]
    }
  ]
}
2025-12-25 23:29:32,422:DEBUG:acme.client:Storing nonce: 0t1BB3M7Gdmxn_8rRjjqplJLIbo8mgsDgMnZJKn56A1ZYWIVd4g
2025-12-25 23:29:32,422:INFO:certbot._internal.auth_handler:Challenge failed for domain escm.ca
2025-12-25 23:29:32,422:INFO:certbot._internal.auth_handler:http-01 challenge for escm.ca
2025-12-25 23:29:32,423:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: escm.ca
  Type:   connection
  Detail: During secondary validation: 174.113.7.175: Fetching http://escm.ca/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2025-12-25 23:29:32,424:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-12-25 23:29:32,424:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-12-25 23:29:32,424:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-12-25 23:29:32,424:DEBUG:certbot._internal.plugins.webroot:Removing /var/www/correct-directory/.well-known/acme-challenge/OBARrlwvXQDDnUW02UWM_wLjTylGYzLpwDaAWWda578
2025-12-25 23:29:32,425:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2025-12-25 23:29:32,425:INFO:certbot.compat.misc:Running post-hook command: /etc/letsencrypt/renewal-hooks/post/002-sync-mail-certs
2025-12-25 23:29:32,979:DEBUG:certbot._internal.display.obj:Notifying user: Hook 'post-hook' ran with output:
 sending incremental file list
 etc/
 etc/letsencrypt/

 sent 3,149 bytes  received 28 bytes  6,354.00 bytes/sec
 total size is 195,903  speedup is 61.66
2025-12-25 23:29:32,980:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/5234/bin/certbot", line 7, in <module>
    sys.exit(main())
             ^^^^^^
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/main.py", line 18, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/main.py", line 1876, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/main.py", line 1588, in certonly
    lineage = _get_and_save_cert(le_client, config, sans, certname, lineage)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, sans, le_client, lineage)
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/renewal.py", line 564, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(sans, new_key)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/client.py", line 432, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/client.py", line 510, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 104, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/snap/certbot/5234/lib/python3.12/site-packages/certbot/_internal/auth_handler.py", line 208, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-12-25 23:29:32,983:ERROR:certbot._internal.log:Some challenges have failed.

Thanks for all that info.

Does your router or pfSense firewall have any kind of "smart" protection against DoS attacks? Or maybe your ISP even does that? Sometimes these suppress repeated identical requests coming from different locations, and they can sometimes produce erratic results depending on the timing of the incoming requests.

It does not look like a more common geographic-based firewall. The IPs that came through on that test were the primary and one US Secondary and one non-US Secondary. Missing are another US and another non-US.

2 Likes

I've only ever set up static firewall rules, and I do have some IP blocking but they are all disabled now. There is (or should be) no other special filtering or anything adaptive. Just a NAT gateway doing IPv4 and I don't have IPv6 set up. I did upgrade pfSense from 2.7 to 2.8 a while ago when everything was working, so while I doubt it, I can check if something changed or was enabled that I wasn't aware of. This otherwise doesn't seem to be geographical, but like some sort of "smart" filtering like you mentioned, or maybe a nearby router malfunctioning. If it's not me, I suspect the Rogers network neighbourhood since this forum isn't flooded with the rest of the world having this kind of problem. I still wonder why it's mostly intermittent except certain LE connections that always fail. I've also done a few normal and TCP traceroute tests and I haven't seen one fail yet.

Thanks for the info though. Are the LE IPs that are failing top secret? They might help in figuring this out. I wonder what a traceroute from one of those would look like.

I guess another question: is there another way to renew my certificates in the meantime? I can manually add a DNS TXT record with a token or "Hi mom" or whatever.

Yes

2 Likes

Awesome, that's exactly what I was thinking. I probably should've found it with a bit of RTFM, but thanks! I was able to manually renew my mail certificate, so that's my biggest concern out of the way. I can relax a bit while sorting out the original problem...

2 Likes

They are using Multi-Perspective Validation, so if you e.g. block non-US traffic, the check from the EU will fail.

Other CAs do the same as they have to follow the Baseline Requirements of the CA/B Forum.

The relevant section is 3.2.2.9.

3 Likes

Well, we don't know that certain LE "connections" always fail. We only know that no LE validation has succeeded. As I've noted, there are 5 challenge requests for each cert request (today, maybe different in future).

You'd have to check the IPs that arrive on each request. Then use a locator service for each IP to know its origin location.

Once the LE Primary center succeeds all the Secondary are dispatched asynchronously. If there is a DoS type firewall setting you may see different Secondary centers failing due to race conditions and/or network performance. That is, the first two Secondary to arrive work but the next two are blocked by the DoS setting.

We have seen such settings in routers so do check that. Maybe your ISP has a new setting in your overall account that "protects" you from such attacks (patterns).

But, the test from https://check-host.net/check-http?host=escm.ca fails erratically as well and those requests are for your "home" page.

This could be because of the same race / network performance issues as I just described. And, the first couple succeed, then one or more are blocked then a couple more are let through and so on. This intermittent connectivity problem definitely affects more than just LE.

These are not single static IPs for the 5 different centers. These are server farms whose IPs rotate regularly. LE does not publish them. I don't see how knowing these would help this particular problem, especially given the check-host.net test results.

A single traceroute may work just fine. It looks like multiple simultaneous requests are the problem. Just fyi, the secondary centers are (today) all AWS based centers. Not likely a network routing problem from that side. If it is an ISP routing problem (and I don't think that is most likely) they can check incoming requests to your IP on their own. I appreciate how difficult that is with a residential ISP but even if LE staff ran such a test and even if it showed a problem I doubt it would mean anything to them :slight_smile:

3 Likes

All that network talk aside ... if you can't easily find the reason for those failures an automated DNS Challenge is probably a quicker path to success. One fairly easy way is to change your DNS to use a vendor like Cloudflare (free) rather than your Namecheap DNS servers. Then use the Certbot provided support for Cloudflare to automate that challenge. You don't have to change your registrar just the DNS servers.

That assumes you are happy with the connectivity as it is and the check-host-net tests won't indicate a problem with other people connecting to you.

Or, use a different ACME Client like lego which has automated support for Namecheap DNS built in. Although, I vaguely recall that not every Namecheap account allows API access. You'd have to check that. See: Installation :: Let’s Encrypt client and ACME library written in Go.

4 Likes

@Zyloq @hebbet @MikeMcQ Thanks for all the great info. I guess yes, maybe certain specific LE challenge connections don't always fail if the problem is dynamic in nature, but something is not allowing some of them through to my server and it happens on every renewal attempt. Maybe there is a combination of geographic blocking that's messing with LE challenges (but why AWS?) and dynamic DoS filtering (For My Protection) is causing other intermittent connection dropping, but at the end of the day, who knows. It's not me though. I checked pfSense and don't see anything that might cause this, and the web server isn't denying HTTP requests, throwing errors, or acting weird. It's simply not getting some connections, as shown by Let's Debug, various other tests, and my server logs.

The reason I wondered about traceroute from one of the failing challenge servers or locations is it might show where connections are being dropped and help narrow down where the problem lies. I'm just wondering and doubt LE is the problem but I won't complain if they want to help play detective lol. ICMP appears to be working though.
https://check-host.net/check-ping?host=escm.ca
Despite the Sysadmin's Haiku, it's not DNS. It has the right IP address all over the place and a manual DNS challenge renewal worked.
https://check-host.net/check-dns?host=escm.ca
TCP connections are a problem though.
https://check-host.net/check-tcp?host=escm.ca
But when connections get through, HTTP works (I've re-enabled HTTPS and 301 is redirecting to that).
https://check-host.net/check-http?host=escm.ca

195.154.114.92 - - [28/Dec/2025:08:42:19 -0500] 301 http "GET / HTTP/1.1" 162 "https://check-host.net/check-report/35aee1c1kc
185.224.3.111 - - [28/Dec/2025:08:42:19 -0500] 301 http "GET / HTTP/1.1" 162 "https://check-host.net/check-report/35aee1c1kc9
195.211.27.85 - - [28/Dec/2025:08:42:19 -0500] 301 http "GET / HTTP/1.1" 162 "https://check-host.net/check-report/35aee1c1kc9
etc, with no failures or errors...

Given all this, I think I need to bite the bullet and call the ISP as a first point of contact and see if they know what's going on. I'm otherwise not sure who else might know or if I can even contact them.

@MikeMcQ Thanks for the pointers to alternatives. I'm just some guy with personal web and mail servers and while I'm not thrilled with network filtering or problems like this, I'm not running a business and need high availability from every corner of the world. I can set up a DNS solution if this is an unsolvable problem but I prefer to not have the problem in the first place. I think I'll set up DNS anyway because a fallback from HTTP would be good. So that's good stuff to know...

Anyway, appreciate all the help!

2 Likes
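MikeMcQ's suggestion above to "check the IPs that arrive on each request" and the access-log excerpt in the last post both come down to the same check: for each challenge token, how many distinct validation sources actually reached nginx, and did they get a 200. The script below is an added example, not code from the thread or from Certbot. It assumes the server logs in nginx's standard "combined" format (the poster's log uses a custom format), and it embeds a constructed sample log with placeholder tokens and documentation-range IPs. A token reached by fewer than the expected five perspectives (primary plus four secondaries, as stated earlier in the thread) points at something between the CA and the server; a token reached but answered with a non-200 status points at the webroot or nginx instead.

```python
"""Count distinct validation sources per ACME HTTP-01 token in an nginx log.

Added example (not from the thread). Assumes the nginx "combined" log format.
Sample log lines below are constructed; tokens and IPs are placeholders.
"""
import re
from collections import defaultdict

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Primary + 4 secondary validation requests per token, per the thread (may change).
EXPECTED_PERSPECTIVES = 5

# nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: token 1 reached by three distinct IPs (one retries),
# token 2 reached once but answered 404, an unrelated home-page hit, and
# one malformed line that must be skipped.
SAMPLE_LOG = """\
192.0.2.10 - - [28/Dec/2025:08:40:01 -0500] "GET /.well-known/acme-challenge/CONSTRUCTED_TOKEN_1 HTTP/1.1" 200 87 "-" "sample-validator"
198.51.100.7 - - [28/Dec/2025:08:40:02 -0500] "GET /.well-known/acme-challenge/CONSTRUCTED_TOKEN_1 HTTP/1.1" 200 87 "-" "sample-validator"
203.0.113.44 - - [28/Dec/2025:08:40:02 -0500] "GET /.well-known/acme-challenge/CONSTRUCTED_TOKEN_1 HTTP/1.1" 200 87 "-" "sample-validator"
198.51.100.7 - - [28/Dec/2025:08:40:03 -0500] "GET /.well-known/acme-challenge/CONSTRUCTED_TOKEN_1 HTTP/1.1" 200 87 "-" "sample-validator"
192.0.2.10 - - [28/Dec/2025:08:45:10 -0500] "GET /.well-known/acme-challenge/CONSTRUCTED_TOKEN_2 HTTP/1.1" 404 153 "-" "sample-validator"
203.0.113.99 - - [28/Dec/2025:08:42:19 -0500] "GET / HTTP/1.1" 301 162 "-" "sample-checker"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def challenge_report(log_text, expected=EXPECTED_PERSPECTIVES):
    """Per token: distinct IPs that got a 200, (ip, status) pairs that did not,
    and how many expected perspectives never produced a successful fetch."""
    ok_ips = defaultdict(set)
    failed = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(CHALLENGE_PREFIX):
            continue  # malformed line or not a challenge fetch
        token = rec["path"][len(CHALLENGE_PREFIX):]
        if rec["status"] == "200":
            ok_ips[token].add(rec["ip"])
        else:
            failed[token].append((rec["ip"], rec["status"]))
    report = {}
    for token in set(ok_ips) | set(failed):
        report[token] = {
            "ips": sorted(ok_ips[token]),
            "non_200": failed[token],
            "missing": max(0, expected - len(ok_ips[token])),
        }
    return report


def summarize(report):
    """Human-readable lines: one per token, naming the likely side of the problem."""
    lines = []
    for token, r in sorted(report.items()):
        if r["non_200"]:
            where = "server side (webroot/nginx returned non-200)"
        elif r["missing"]:
            where = "network side (perspectives never arrived)"
        else:
            where = "ok"
        lines.append(f"{token}: {len(r['ips'])} distinct OK sources, "
                     f"{r['missing']} missing, {len(r['non_200'])} non-200 -> {where}")
    return lines


if __name__ == "__main__":
    for line in summarize(challenge_report(SAMPLE_LOG)):
        print(line)
```

On a real server, feed it the access log covering one `certbot --dry-run` window (for example `challenge_report(open("/var/log/nginx/access.log").read())`) and then run the IPs it lists through a geolocation lookup, as suggested above, to see which perspectives reached you and which did not.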

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.