Remote PerformValidation RPC failed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: lendercore.rupeek.co

I ran this command: /usr/bin/certbot renew --renew-hook "/usr/local/bin/renew.sh".
We've created a script which checks every hour and renews the SSL if it's going to expire.

It produced this output:
"IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: lendercore.rupeek.co
   Type:   connection
   Detail: 15.206.120.231: Fetching
   http://lendercore.rupeek.co/.well-known/acme-challenge/j6W6JJLjOzs5ptsVDy8wHnlG4xKUnQO56bzL1LYwCyU:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: lendercore.rupeek.co
   Type:   serverInternal
   Detail: During secondary validation: Remote PerformValidation RPC
   failed

   Unfortunately, an error on the ACME server prevented you from
   completing authorization. Please try again later.
 - The following errors were reported by the server:

   Domain: lendercore.rupeek.co
   Type:   serverInternal
   Detail: During secondary validation: Remote PerformValidation RPC
   failed

   Unfortunately, an error on the ACME server prevented you from
   completing authorization. Please try again later."

My web server is (include version): HA-Proxy version 1.8.8-1ubuntu0.13

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: AWS Route 53

I can login to a root shell on my machine (yes or no, or I don't know): Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Your website is currently not answering HTTP requests on TCP port 80. If you are using any geographic or IP range filtering through software or a firewall, you may need to remove that to allow validation requests through.


Hi,
We manually renewed the SSL using the same script which cron runs every hour.
Also wanted to know why "http://lendercore.rupeek.co/.well-known/acme-challenge/***********" is required for the connection establishment.

PS: Our HAProxy is configured to run on another port number.

Validation of your domain via http is required in order to prove you control the domain. You can redirect to https but you must respond on http (TCP port 80) first. Open your firewall port and make sure it's forwarding traffic to the correct internal server.


Hi,
Port number 80 is already opened and there is no service running on 80.
Also, we're renewing the SSL and not creating it. Can you let us know why authentication is required for renewing?

The Let's Encrypt HTTP Challenge makes an HTTP request, so you must process it when it arrives. You must have been doing this before to get your original cert. Right now nothing is processing HTTP requests.

If you can't use the HTTP Challenge anymore you could try using DNS Challenge. See the Certbot docs for the Route53 plug-in.

Every cert requires authentication even if a renewal. A successful authentication may be cached for 30 days but renewals after 30 days need to re-authenticate. And, no, you can't just keep renewing every 29 days to "cheat". Your first renew after 29 days might work but renewing again 58 days after original authentication needs a fresh auth.

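The two replies above say the same thing from different angles: the HTTP-01 challenge only works if something on TCP port 80 answers the GET for /.well-known/acme-challenge/<token>, and that has to happen on every renewal once the cached authorization expires. Since the poster's HAProxy listens on a different port and nothing is on 80, the usual fix is to put HAProxy itself on port 80, hand only the challenge path to certbot, and redirect everything else to HTTPS. The following HAProxy 1.8 front end is an added example written for this thread, not configuration from the poster or from the Certbot or HAProxy projects. It assumes certbot is run with its standalone plugin bound to a local, non-privileged port (8888 here is a hypothetical choice, e.g. certbot renew --standalone --http-01-port 8888); the domain name is the one from the thread.

```haproxy
# Added example (not the poster's config): HAProxy 1.8 front end that answers
# the ACME HTTP-01 challenge on TCP port 80 and redirects all other HTTP
# traffic to HTTPS.
#
# Assumptions:
#   - certbot runs as a standalone HTTP server on 127.0.0.1:8888
#     (hypothetical port; choose any free local port and pass it to certbot
#     with --http-01-port).
#   - The public HTTPS service keeps listening on its own port/front end,
#     which is not shown here.

frontend http_in
    bind *:80
    mode http

    # Match the challenge path used by Let's Encrypt's validation servers.
    acl is_acme_challenge path_beg /.well-known/acme-challenge/

    # Challenge requests must be served over plain HTTP on port 80, so they
    # bypass the redirect and go straight to the local certbot listener.
    use_backend acme_certbot if is_acme_challenge

    # Everything else is sent to HTTPS; this is the "redirect to https but
    # respond on http first" pattern described in the reply above.
    http-request redirect scheme https code 301 unless is_acme_challenge

backend acme_certbot
    mode http
    # certbot --standalone --http-01-port 8888 (hypothetical port) answers here
    # only while a validation is in progress; between renewals the backend is
    # simply down, which is harmless because no other traffic is routed to it.
    server certbot 127.0.0.1:8888
```

A quick self-check before the next renewal is to request http://lendercore.rupeek.co/.well-known/acme-challenge/test from outside the network (a plain curl is enough) while certbot is running: a 404 from certbot means the path is reachable on port 80, whereas "Connection refused" reproduces the exact error in the first post and points at the firewall, security group or the missing port-80 listener rather than at Let's Encrypt. Note that with certbot 0.31.0 the renewal still uses whatever authenticator was stored for the certificate, so if the original certificate was issued with a different plugin (for example webroot), the renew command needs the --standalone and --http-01-port flags passed explicitly once, after which they are saved in the renewal configuration.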

Not directly related to the validation error, but why would you script something that Certbot does by itself?

Is it renew.sh that's doing the checking? Because if so, that would be quite weird to use as a --renew-hook. I'm very, very puzzled about your setup. Maybe it all makes sense and I just don't understand your setup, maybe it's a very unusual setup, I dunno. Can you perhaps clarify?


Hi Osiris,
Yes, renew.sh is the script which is doing the SSL checkup; it runs as a cron job every hour.
This is an old setup done by our previous colleague a couple of years ago.

I still don't understand. If renew.sh is run as a script from the cronjob, why is it also used as a --renew-hook?

And why not just run certbot renew from the cronjob? What's the added function of renew.sh?

