Renew/Request failing randomly [CRITICAL]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: m2start.com

I ran this command

It produced this output:
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
Nonce is empty. Exiting.

dig output of acme-v02.api.letsencrypt.org:
prod.api.letsencrypt.org.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
172.65.32.248

Full nonce request output:

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Debian Buster

My hosting provider, if applicable, is: Myself

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Latest Directadmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Handled by directadmin


The problem is that the error message changes with each attempt.

Within the last 4h I’ve gotten:

  • Connection reset by peer during the first query (“Requesting new certificate order…”)
  • Connection reset by peer after 1-5 “challenge is valid” messages (the request contains 21 DNS names)

I’ve tried updating LE and using another IP to query.
Ping is stable to 172.65.32.248.
Tcpdump shows that our server is waiting for an answer from 172.65.32.248, but the connection gets closed.


Note: Definitely not a directadmin issue. Another setup (identical) works fine… So is our IP blocked or what’s the deal?
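The client in the post above stops at “Nonce is empty. Exiting.” after a single reset, which hides how often the failure actually occurs. The script below is an added example for this thread, not code from the original post or from any ACME client: it repeats the ACME newNonce request (the real Let's Encrypt endpoint, RFC 8555 §7.2) and tallies each outcome, so an intermittent “connection reset by peer” shows up as a rate rather than a one-off. The attempt count and back-off delay are assumed values.

```python
"""Repeat an ACME newNonce request and tally the failure modes.

Added example for this thread; not part of any ACME client. The endpoint is the
real Let's Encrypt v2 newNonce URL; the attempt count and pause are assumptions.
"""
import socket
import ssl
import time
import urllib.error
import urllib.request
from collections import Counter

NEW_NONCE_URL = "https://acme-v02.api.letsencrypt.org/acme/new-nonce"


def extract_nonce(headers):
    """Return the Replay-Nonce header value, or None if it is missing or blank.

    Header names are matched case-insensitively. A blank header is treated as
    missing, which is the condition the client in the thread reports as
    "Nonce is empty".
    """
    for name, value in headers.items():
        if name.lower() == "replay-nonce" and value.strip():
            return value.strip()
    return None


def classify_failure(exc):
    """Map an exception raised by the HTTPS request to a short bucket name."""
    if isinstance(exc, ConnectionResetError):
        return "reset-by-peer"  # TCP RST from the far end, what curl shows as error 35/56
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    if isinstance(exc, urllib.error.HTTPError):
        return f"http-{exc.code}"
    if isinstance(exc, urllib.error.URLError):
        # urllib wraps socket errors in URLError; unwrap so a reset during the
        # TLS handshake is still counted as a reset
        reason = exc.reason
        if isinstance(reason, ConnectionResetError):
            return "reset-by-peer"
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout"
        return "url-error"
    return "other"


def fetch_nonce_once(url=NEW_NONCE_URL, timeout=10.0):
    """One HEAD request. Returns ("ok", nonce) or (<failure bucket>, None)."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            nonce = extract_nonce(resp.headers)
            return ("ok", nonce) if nonce else ("empty-nonce", None)
    except Exception as exc:  # every failure is bucketed, none is raised
        return (classify_failure(exc), None)


def probe(attempts=20, pause=3.0, fetch=fetch_nonce_once):
    """Run `attempts` nonce requests and return a Counter of outcome buckets.

    `fetch` is injectable so the tally logic can be exercised without network.
    """
    tally = Counter()
    for i in range(attempts):
        outcome, _nonce = fetch()
        tally[outcome] += 1
        if outcome != "ok" and i < attempts - 1:
            time.sleep(pause)  # assumed back-off between failed attempts
    return tally


if __name__ == "__main__":
    for bucket, count in sorted(probe().items()):
        print(f"{bucket:>14}: {count}")
```

Run it on the affected host and on the “identical” setup that works; if only one of them accumulates `reset-by-peer` entries, the difference is on the network path or source IP rather than in the client.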

Hi @ShadowofReason

What do these say?

traceroute acme-v02.api.letsencrypt.org

ping acme-v02.api.letsencrypt.org

Play with the ping size parameter; sometimes reducing the MTU helps. Ping has parameters to check that (don’t fragment).
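The suggestion above, automated. This is an added example for the thread, not code from the reply or from any Let's Encrypt tool: it runs `ping -M do -s <size> -c 1 -W <secs> <host>` (Linux iputils; `-M do` sets the Don't-Fragment bit) and binary-searches the largest payload that still gets a reply, which gives the path MTU directly instead of guessing sizes by hand. The 1472-byte reference value is 1500 minus the 20-byte IPv4 and 8-byte ICMP headers; the timeout and default host are assumptions.

```python
"""Find the largest Don't-Fragment ICMP payload that reaches a host.

Added example for this thread, not part of any Let's Encrypt tool. Uses Linux
iputils ping (-M do sets DF). Default host, timeout and bounds are assumptions.
"""
import subprocess
import sys

ETHERNET_MAX_PAYLOAD = 1472  # 1500-byte MTU minus 20-byte IPv4 header and 8-byte ICMP header
ICMP_OVERHEAD = 28           # bytes added to the payload to get the on-the-wire IP packet size


def ping_df_ok(host, payload, timeout=2):
    """Send one DF ping of `payload` bytes; True if a reply came back."""
    cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", "-W", str(timeout), host]
    try:
        res = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        sys.exit("ping not found on this system")
    return res.returncode == 0


def largest_passing_payload(probe, lo=0, hi=ETHERNET_MAX_PAYLOAD):
    """Binary search for the largest size in [lo, hi] for which probe(size) is True.

    `probe` is a callable size -> bool. Assumes monotonic behaviour (if N passes,
    every smaller size passes), which holds for a PMTU blackhole. Returns None if
    even `lo` fails, so a host that drops all ICMP is not mistaken for a small MTU.
    """
    if not probe(lo):
        return None
    if probe(hi):
        return hi
    # invariant: probe(lo) is True and probe(hi) is False
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(max_payload):
    """Convert a passing ICMP payload size into the corresponding IP packet size."""
    return None if max_payload is None else max_payload + ICMP_OVERHEAD


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "acme-v02.api.letsencrypt.org"
    best = largest_passing_payload(lambda n: ping_df_ok(host, n))
    if best is None:
        print(f"{host}: no reply even to a 0-byte DF ping (ICMP may be filtered)")
    else:
        print(f"{host}: largest DF payload {best} bytes -> path MTU {path_mtu(best)}")
        if best < ETHERNET_MAX_PAYLOAD:
            print("path MTU is below 1500; a PMTU blackhole on the route is plausible")
```

A plain `ping -s 5000` succeeding, as in the later reply, only proves that fragmentation works; with DF set, the first size that fails is the one that matters for a TLS handshake whose packets will not be fragmented.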

Traceroute says:

traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 185.158.177.113 (185.158.177.113) 0.203 ms 0.168 ms 0.326 ms
2 taltele-p1.elisa.ee (194.204.15.221) 0.455 ms 0.535 ms 0.530 ms
3 213.192.184.225 (213.192.184.225) 0.889 ms 0.885 ms 0.654 ms
4 213.192.186.46 (213.192.186.46) 1.600 ms 1.715 ms 1.690 ms
5 162.158.236.254 (162.158.236.254) 2.760 ms 2.727 ms 2.692 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Sent 5000-byte packets:

ping -s 5000 acme-v02.api.letsencrypt.org
PING acme-v02.api.letsencrypt.org (172.65.32.248) 5000(5028) bytes of data.
5008 bytes from acme-v02.api.letsencrypt.org (172.65.32.248): icmp_seq=1 ttl=59 time=1.94 ms
5008 bytes from acme-v02.api.letsencrypt.org (172.65.32.248): icmp_seq=2 ttl=59 time=2.04 ms
5008 bytes from acme-v02.api.letsencrypt.org (172.65.32.248): icmp_seq=3 ttl=59 time=1.93 ms
5008 bytes from acme-v02.api.letsencrypt.org (172.65.32.248): icmp_seq=4 ttl=59 time=1.90 ms
5008 bytes from acme-v02.api.letsencrypt.org (172.65.32.248): icmp_seq=5 ttl=59 time=2.04 ms
5008 bytes from acme-v02.api.letsencrypt.org (172.65.32.248): icmp_seq=6 ttl=59 time=1.93 ms

Well, this is odd.
Right now all cert requests are coming back as “successful”, though we’ve changed nothing; for the past 48h I wasn’t able to get any certificates.

Were LE servers overloaded around 2-5PM (GMT +2) ?
