Recently encountered errors renewing on an HAProxy server using Standalone method with Certbot

My domain is:
I ran this command:
certbot -v certonly --standalone --cert-name -d --non-interactive --agree-tos --email --http-01-address > /tmp/certbot-helpdesk.log

It produced this output:

2022-05-03 18:00:23,793:DEBUG:urllib3.connectionpool:http://localhost:None "GET http://snapd/v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-05-03 18:00:24,449:DEBUG:certbot._internal.main:certbot version: 1.26.0
2022-05-03 18:00:24,450:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1952/bin/certbot
2022-05-03 18:00:24,450:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-05-03 18:00:24,464:DEBUG:certbot._internal.log:Root logging level set at 20
2022-05-03 18:00:24,465:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2022-05-03 18:00:24,469:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f7cbdf89ac0>
Prep: True
2022-05-03 18:00:24,469:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f7cbdf89ac0> and installer None
2022-05-03 18:00:24,470:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2022-05-03 18:00:24,478:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='', new_authzr_uri=None, terms_of_service=None), 558912c4ab5f571a06a39937466e0f24, Meta(creation_dt=datetime.datetime(2018, 12, 10, 16, 42, 12, tzinfo=), creation_host='', register_to_eff=None))>
2022-05-03 18:00:24,479:DEBUG:acme.client:Sending GET request to
2022-05-03 18:00:24,481:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1):
2022-05-03 18:00:24,723:DEBUG:urllib3.connectionpool: "GET /directory HTTP/1.1" 200 658
2022-05-03 18:00:24,724:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 04 May 2022 00:00:25 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

"keyChange": "",
"meta": {
"caaIdentities": [
"termsOfService": "",
"website": ""
"newAccount": "",
"newNonce": "",
"newOrder": "",
"oLgQNQ6xTes": "Adding random entries to the directory",
"revokeCert": ""
2022-05-03 18:00:24,745:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1):
2022-05-03 18:00:24,786:DEBUG:urllib3.connectionpool: "POST HTTP/1.1" 200 503
2022-05-03 18:00:24,788:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/ is signed by the certificate's issuer.
2022-05-03 18:00:24,788:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/ is: OCSPCertStatus.GOOD
2022-05-03 18:00:24, renew, less than 30 days before certificate expiry 2022-05-22 09:03:18 UTC.
2022-05-03 18:00:24,793:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-05-03 18:00:24,793:DEBUG:certbot._internal.display.obj:Notifying user: Renewing an existing certificate for
2022-05-03 18:00:25,183:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0552_key-certbot.pem
2022-05-03 18:00:25,194:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0552_csr-certbot.pem
2022-05-03 18:00:25,195:DEBUG:acme.client:Requesting fresh nonce
2022-05-03 18:00:25,195:DEBUG:acme.client:Sending HEAD request to
2022-05-03 18:00:25,288:DEBUG:urllib3.connectionpool: "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-05-03 18:00:25,288:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Wed, 04 May 2022 00:00:25 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0002Ec9hmqhM47SGI69_K5ZUnDXx32FqwlbB7MQFdOQDgMk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2022-05-03 18:00:25,288:DEBUG:acme.client:Storing nonce: 0002Ec9hmqhM47SGI69_K5ZUnDXx32FqwlbB7MQFdOQDgMk
2022-05-03 18:00:25,289:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": ""\n }\n ]\n}'
2022-05-03 18:00:25,291:DEBUG:acme.client:Sending POST request to

2022-05-03 18:00:25,507:INFO:certbot._internal.auth_handler:Performing the following challenges:
2022-05-03 18:00:25,507:INFO:certbot._internal.auth_handler:http-01 challenge for
2022-05-03 18:00:25,507:DEBUG:acme.standalone:Failed to bind to using IPv6
2022-05-03 18:00:25,509:DEBUG:acme.standalone:Successfully bound to using IPv4
2022-05-03 18:00:25,511:DEBUG:acme.client:JWS payload:
2022-05-03 18:00:25,513:DEBUG:acme.client:Sending POST request to",
"hostname": "",
"port": "80",
"addressesResolved": [
"addressUsed": ""
"validated": "2022-05-04T00:00:26Z"
2022-05-03 18:00:26,694:DEBUG:acme.client:Storing nonce: 00028mhBxyzRO15_klBdOl57LASmIwxgJM6K4qTE4BVSry0
2022-05-03 18:00:26,695:INFO:certbot._internal.auth_handler:Challenge failed for domain
2022-05-03 18:00:26,695:INFO:certbot._internal.auth_handler:http-01 challenge for
2022-05-03 18:00:26,695:DEBUG:certbot._internal.display.obj:Notifying user:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Type: unauthorized
Detail: Invalid response from 503

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

2022-05-03 18:00:26,696:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-05-03 18:00:26,696:DEBUG:certbot._internal.error_handler:Calling registered functions
2022-05-03 18:00:26,696:INFO:certbot._internal.auth_handler:Cleaning up challenges
2022-05-03 18:00:26,697:DEBUG:certbot._internal.plugins.standalone:Stopping server at
2022-05-03 18:00:27,018:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/1952/bin/certbot", line 8, in
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 1723, in main
return config.func(config, plugins)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 1582, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 129, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 344, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 441, in obtain_certificate
orderr = self._get_order_and_authorizations(, self.config.allow_subset_of_names)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 493, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 106, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/snap/certbot/1952/lib/python3.8/site-packages/certbot/_internal/", line 206, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2022-05-03 18:00:27,021:ERROR:certbot._internal.log:Some challenges have failed.

My web server is (include version):
HAProxy load balancer (2.2.22)

The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

This has been working fine until just recently. Searches on the error haven't yielded much.

Thanks for all you do - any leads or help greatly appreciated!


Hi @foremaster, and welcome to the LE community forum :slight_smile:

Just to clarify, please show which certs are already being handled by certbot on that system, with:
certbot certificates


Thank you! Never had to bother you folks until now! Hoping it isn't some dumb error I (probably) made.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name:
Serial Number: 34f19b01672e41bab3afac58ecde1a12c47
Key Type: RSA
Expiry Date: 2022-05-22 09:03:18+00:00 (VALID: 18 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/
Certificate Name:
Serial Number: 4f733c6744cd5d431ea5d1b0ba3ce80b280
Key Type: RSA
Expiry Date: 2022-05-14 09:03:27+00:00 (VALID: 10 days)
Certificate Path: /etc/letsencrypt/live/
Private Key Path: /etc/letsencrypt/live/


I see that

And yet I see this (now):

curl -Ii
HTTP/1.1 302 Found
content-length: 0
cache-control: no-cache

Which implies that even when certbot isn't running a webserver (in --standalone mode), there is still a webserver that responds to that name/IP.


This looks like a Palo Alto firewall problem:

curl -I
HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 930
Connection: close
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

Introduced recently with one of their updates.


See: Renewal failure: "Connection reset by peer" - Help - Let's Encrypt Community Support (
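As an added example (not certbot's code and not from anyone in this thread), a pre-flight check that mimics what --standalone does: it serves a random token at the ACME challenge path, fetches it back over plain HTTP without following redirects, and classifies the reply so that a 503 or P3P answer from an inline firewall, as in the curl output above, is reported as interception rather than surfacing later as "Some challenges have failed". Hostname, port and the loopback self-test are assumptions; run probe() against the public name from outside your network to see what the CA sees, since a loopback probe only proves the responder itself.

```python
"""HTTP-01 pre-flight for certbot --standalone (added example, not certbot's code)."""
import http.client, http.server, secrets, threading
ACME_PATH = "/.well-known/acme-challenge/"

def classify(status, headers, body, token):
    """503 or a P3P header is the inline-firewall signature seen in this thread."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 503 or "p3p" in hdrs:
        return "intercepted"
    if status in (301, 302, 307, 308):  # some other web server answered
        return "redirect:" + hdrs.get("location", "")
    return "unexpected:%d" % status

def serve_token(token, host="0.0.0.0", port=80):
    """Minimal challenge responder, like --standalone's; returns (server, port)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != ACME_PATH + token:
                return self.send_error(404)
            self.send_response(200)
            self.send_header("Content-Length", str(len(token)))  # token is ASCII
            self.end_headers()
            self.wfile.write(token.encode())
    srv = http.server.HTTPServer((host, port), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe(hostname, token, port=80, timeout=10):
    # http.client does not follow redirects, so a 302 is reported, not hidden
    conn = http.client.HTTPConnection(hostname, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        return classify(resp.status, dict(resp.getheaders()), body, token)
    except OSError as exc:
        return "unreachable:%s" % exc
    finally:
        conn.close()

def self_test():  # loopback on a free port (no root); proves only the responder
    token = secrets.token_urlsafe(32)
    srv, port = serve_token(token, host="127.0.0.1", port=0)
    try:
        return probe("127.0.0.1", token, port=port)
    finally:
        srv.shutdown()
        srv.server_close()
```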


Thank you! Yes, it is a service that sits behind a floating IP at on the haproxy server. We have a script that kills haproxy, then runs the renew script and fires up the standalone service on port 80. It has been auto-renewing for at least a couple of years now using a cron job that calls certbot with that original command. I can do some more digging tomorrow - thanks so much for the prompt reply. We recently re-signed our ZSK, KSK, et al. for DNSSEC and upgraded from RSA256, which they list as deprecated, to the newer ECDSA algorithm. We wondered if that might be it, but one of our other servers which was upgraded is working fine. I will check with the firewall guys too; I just saw your reply.


Start with the FW guys.
PA is now interfering with inbound HTTP connections of type "acme-protocol".
[unless explicitly allowed]


Thanks! In process; I will update here the second I have resolution. Thanks for all the work you guys do. I'm sure it is often a thankless job.


That is the job description LOL


I agree. Looks more like this one though. @foremaster Your responses are identical with 301 and 503 and the P3P response header. Look a couple of posts after this one in the thread for a Palo Alto article that might also be the cause.


Thank you folks! It was firewall. I've marked rg305's comment as the solution. Thanks so much!


That's great. Can you provide any more details? Like was it Palo Alto brand and where was the setting you changed?

I ask because we've already had a couple very much like yours (503 and P3P) and it helps when advising others. Thanks.


Yes! Thanks again @rg305 and @MikeMcQ. I will post details from the security team this afternoon.


Additional info from FW guys:
We are running a Palo Alto firewall. Adding the acme-protocol application to the security policy fixed the issue.


Thanks. And thanks to your FW guys too.
