Problem renewing cert

I am trying to renew certs for this server, which are now expired. I've never run into this issue manually renewing before (but was never able to get it to auto-renew). Any assistance is greatly appreciated!

My domain is:

I ran this command: sudo /usr/bin/certbot --apache -d

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
** Domain:**
** Type: connection**
** Detail: Fetching Connection reset by peer**

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Apache/2.4.25

The operating system my web server runs on is (include version): Debian 9

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.27.0

Is there a Palo Alto firewall in front of your server?

If so, you need to allow the acme-protocol rule.

1 Like

Yes, there is. Where do I make this change on the Palo? Is this something that would've changed just in the last few months?

I have no idea.

Yes, before they introduced this acme validations counted as normal web browsing. Now they get identified as their own category.

It created a lot of head-scratching on the forum.

1 Like

Interesting. I will poke around and see what I can find. Thanks for the quick reply!


Check here for a description:


If you do find any explanation by PA, please post their link.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.