Renewal failing in secondary

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: wacs.exe

It produced this output:

“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “During secondary validation: Fetching Timeout during connect (likely firewall problem)”,
“status”: 400

My web server is (include version): Apache (Xampp)

The operating system my web server runs on is (include version): Windows Version 10.0.18363.720

My hosting provider, if applicable, is: local ISP with Cox as provider

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): wacs.exe

Port 80 is open
The primary validation looks good
Most times, of the secondary validation, the first two are successful and can be seen in access.log

My local ISP indicates they do not block traffic of this type.
I suspect my ISP’s provider has blacked-listed some AWS traffic.

1 Like

Is there an inline IPS?
Is there any local software that inspects HTTP?

If so, check those logs for drops/blocks.
[or try temporarily bypassing them]

1 Like

Here are the log entries showing primary and first two secondary: - - [05/Apr/2020:09:23:06 -0500] “GET /.well-known/acme-challenge/xiNgHuqggqsBSJ5zaFosqn41PDfK8hJrjL06u07iiyk HTTP/1.1” 302 373 “-” “-” - - [05/Apr/2020:09:23:06 -0500] “GET /.well-known/acme-challenge/xiNgHuqggqsBSJ5zaFosqn41PDfK8hJrjL06u07iiyk HTTP/1.1” 302 373 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +” - - [05/Apr/2020:09:23:07 -0500] “GET /.well-known/acme-challenge/xiNgHuqggqsBSJ5zaFosqn41PDfK8hJrjL06u07iiyk HTTP/1.1” 302 373 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +”

I have added the file back to the /well-known/acme-challenge directory so you can test


No software inspecting HTTP

1 Like

HTTP error 302 means it moved.

Your “test” is an XML file.
That is probably not a good test.
Try a similar file type and name.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.