Have renewed certificate fine for years but now i can't renew it

@jlgm You are almost certainly affected by a Palo Alto brand firewall. You have the same symptoms as we often saw earlier in 2022. See (this link) for more info.

You should talk to your network admins and have them change the Application Rule for "ACME protocol".

The tests described in my link above, run against your domain, are these:

(test gets expected 404 with test file)
curl -I http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx

(test fails when using a user-agent the same as Let's Encrypt servers)
curl -I http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
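The two curl probes in the post above can be folded into one check that tells the "web server answers 404" case apart from the "something in front of the web server drops the Let's Encrypt user agent" case. This is an added example, not code from the post or from Let's Encrypt; the names `LE_UA`, `probe` and `classify_acme_path` are mine, and the `CURL` variable (default `curl`) only exists so the script can be pointed at a different binary.

```shell
#!/bin/sh
# Added example: reproduce the two-request HTTP-01 path test from the post above.
# Assumptions (not from the original thread): the function and variable names below,
# and CURL as an optional override for the curl binary (defaults to "curl").

LE_UA="Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
TEST_TOKEN="sometestfile"   # any token that does not exist; a healthy origin answers 404

# probe URL [USER_AGENT]
# Prints "<curl exit code> <HTTP status or ->".
# A non-zero exit code with "-" means no HTTP response arrived at all, which is what a
# TCP reset from a middlebox looks like (curl: (56) Recv failure: Connection reset by peer).
probe() {
  url=$1
  ua=$2
  set -- -sS -I -m 10
  if [ -n "$ua" ]; then
    set -- "$@" -A "$ua"
  fi
  if out=$(${CURL:-curl} "$@" "$url" 2>/dev/null); then
    rc=0
  else
    rc=$?
  fi
  # Status code is the second field of the first line, e.g. "HTTP/1.1 404 Not Found".
  status=$(printf '%s\n' "$out" | awk 'NR==1 && $1 ~ /^HTTP\// {print $2}')
  printf '%s %s\n' "$rc" "${status:--}"
}

# classify_acme_path HOST
# Requests the same /.well-known/acme-challenge/ path twice, once with curl's default
# user agent and once with the Let's Encrypt user agent, and prints one of:
#   OK            both requests reach the web server (statuses shown for reference)
#   UA_FILTERED   only the Let's Encrypt user agent fails: a device in front of the
#                 web server is filtering on user agent, not the web server itself
#   UNREACHABLE   neither request gets an HTTP response
classify_acme_path() {
  host=$1
  url="http://${host}/.well-known/acme-challenge/${TEST_TOKEN}"
  plain=$(probe "$url")
  le=$(probe "$url" "$LE_UA")
  plain_rc=${plain%% *}
  le_rc=${le%% *}
  if [ "$plain_rc" -eq 0 ] && [ "$le_rc" -ne 0 ]; then
    echo "UA_FILTERED (default UA: $plain; Let's Encrypt UA: $le)"
  elif [ "$plain_rc" -eq 0 ] && [ "$le_rc" -eq 0 ]; then
    echo "OK (default UA: $plain; Let's Encrypt UA: $le)"
  else
    echo "UNREACHABLE (default UA: $plain; Let's Encrypt UA: $le)"
  fi
}

# Usage: classify_acme_path w3.dmat.ufrr.br
```

Run it against the hostname in the certificate request. A `UA_FILTERED` result with "0 404" for the default user agent and "56 -" for the Let's Encrypt user agent is exactly the pattern shown in the post, and points at a firewall or IPS rule rather than at nginx or the ACME client.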

Here's the semi-official thread describing the problem:


And I'm still seeing those same results:

$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
curl: (56) Recv failure: Connection reset by peer
$ curl -Ii http://w3.dmat.ufrr.br/.well-known/acme-challenge/sometestfile
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 31 Jan 2023 17:34:50 GMT
Content-Type: text/html
Content-Length: 313
Connection: keep-alive
Keep-Alive: timeout=65
Vary: Accept-Encoding
ETag: "63d83359-139"
Strict-Transport-Security: max-age=31536000; includeSubDomains


Hi guys!!

Renewal done OK!!

The delay was due to feedback from the firewall's admin. I don't know if there is a Palo Alto FW, but it was a firewall problem indeed.

Thanks a lot for your help.

JL

PS: BTW, changing the challenge to DNS brings some improvement; is it an easy procedure?? Thanks


I still don't have that answer for you about the GeoLocation issue, @Bruce5051... Sorry!


Given that,

I don't think the GeoLocation is presently of significance. Thanks! 🙂


It can be easy.
But it can also be impossible [to automate].
It depends mostly on the DSP [DNS Service Provider] in use, and then also on your willingness to meet whatever requirements remain unmet.


Check here for DNS providers that easily integrate with Let's Encrypt DNS validation.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.