Renewal of certificates failed on standalone

This is a renewal, so I know that the IP is reachable from outside; it just seems like the standalone server is not spinning up or similar? It used to work.

# OUTPUT FROM RENEW
root@haproxy:~# certbot renew --cert-name DOMAIN OMITTED
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/DOMAIN OMITTED.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for DOMAIN OMITTED
----------------------------------------
Exception happened during processing of request from ('::ffff:64.78.149.164', 37300, 0, 0)
Traceback (most recent call last):
  File "/snap/certbot/2133/usr/lib/python3.8/socketserver.py", line 316, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/snap/certbot/2133/usr/lib/python3.8/socketserver.py", line 347, in process_request
    self.finish_request(request, client_address)
  File "/snap/certbot/2133/usr/lib/python3.8/socketserver.py", line 360, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/snap/certbot/2133/lib/python3.8/site-packages/acme/standalone.py", line 232, in __init__
    super().__init__(*args, **kwargs)
  File "/snap/certbot/2133/usr/lib/python3.8/socketserver.py", line 747, in __init__
    self.handle()
  File "/snap/certbot/2133/lib/python3.8/site-packages/acme/standalone.py", line 257, in handle
    BaseHTTPServer.BaseHTTPRequestHandler.handle(self)
  File "/snap/certbot/2133/usr/lib/python3.8/http/server.py", line 427, in handle
    self.handle_one_request()
  File "/snap/certbot/2133/usr/lib/python3.8/http/server.py", line 395, in handle_one_request
    self.raw_requestline = self.rfile.readline(65537)
  File "/snap/certbot/2133/usr/lib/python3.8/socket.py", line 669, in readinto
    return self._sock.recv_into(b)
ConnectionResetError: [Errno 104] Connection reset by peer
----------------------------------------

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: DOMAIN OMITTED
  Type:   connection
  Detail: IP OMITTED: Fetching http://DOMAIN OMITTED/.well-known/acme-challenge/3flLAl8XptS4_p_PO62U8mUzQp4Ncp5NX3iVbYNQv7Q: Connection reset by peer

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate DOMAIN OMITTED with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/DOMAIN OMITTED/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
root@haproxy:~# 

--------------------------------------

# RENEW config file

root@haproxy:~# cat /etc/letsencrypt/renewal/DOMAIN OMITTED.conf
# renew_before_expiry = 30 days
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/DOMAIN OMITTED
cert = /etc/letsencrypt/live/DOMAIN OMITTED/cert.pem
privkey = /etc/letsencrypt/live/DOMAIN OMITTED/privkey.pem
chain = /etc/letsencrypt/live/DOMAIN OMITTED/chain.pem
fullchain = /etc/letsencrypt/live/DOMAIN OMITTED/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = <ACCOUNT OMITTED>
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory

The "connection reset by peer" often means something in front of your server blocked the connection. You should check your firewall. We recently had the vendor Palo Alto Networks change their firewalls to suddenly block http challenges. If you had provided your domain name I could have checked your system but I can only refer you to others just in case this relates to you.

In general, assisting with comms problems without a domain name is very difficult.

3 Likes

Hi MikeMcQ

Thank you for your message. I would like to send you domain details. I wonder if it's possible to generate this challenge file manually, as otherwise, when I do it using certbot, the challenge is deleted just after the error appears and I am not able to test this manually.

Do you know how I can test this, or what do you need in order to check this for me?

Actually, I do have a Palo Alto firewall. Do you have any idea what to do in order to "allow" HTTP challenges?

As the web URL works without problems when I'm browsing my website, and I had no problem either when I created the certificate before, I just assume it's the standalone server "plugin" in certbot which was faulty.

Best regards

1 Like

You can run the "Palo Alto" checks using the curl examples on this post. Of course, change the domain name to yours and make sure to run the test from outside your local network so the request passes through your firewall from outside. If your curl requests behave similarly then it's the firewall.

The instructions were in the post I provided earlier. I don't have one myself but it is described as being the "acme-protocol" rule in the Application rules. You'd have to ask on the Palo Alto forums if you can't find it from that. But, many people have.

You don't need to create any challenge file. You will get a 404 Not Found or a "reset by peer" indicating it was blocked by firewall.

There are good ways to debug the standalone but it seems like it is your firewall so check that first.

3 Likes

If you add the option --debug-challenges to your Certbot command, Certbot will pause when the challenge token is available.

2 Likes
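To reproduce the CA's fetch yourself (the curl check suggested above, and the 404 vs. "reset by peer" distinction), here is an added example that is not from this thread or from Certbot. It probes `http://<host>/.well-known/acme-challenge/<token>` and classifies the result; the bundled `TokenHandler` is a constructed stand-in for Certbot's standalone listener so the probe can be dry-run on loopback, and `constructed-token-123` is an assumed value. In practice you would run `certbot ... --debug-challenges` so the real listener stays up, then call `probe_http01` against your domain from outside the firewall.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def probe_http01(host, token, port=80, timeout=10):
    """Fetch the URL the CA fetches and classify the outcome: 'served' = Certbot's listener
    answered; 'not_found' = some other web server answered on the port;
    'refused'/'reset'/'timeout' = the request never reached a listener (firewall or no server)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token)
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
        conn.close()
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:   # the error in the thread: something sent a TCP RST
        return "reset"
    except socket.timeout:         # silently dropped packets, e.g. a DROP firewall rule
        return "timeout"
    except OSError:
        return "other"
    if resp.status == 200 and body.strip().startswith(token):
        return "served"            # key authorization starts with the token
    if resp.status == 404:
        return "not_found"
    return "other"

class TokenHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for Certbot's standalone responder, for a local dry run only."""
    token = "constructed-token-123"   # constructed value, not a real ACME token

    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + self.token:
            body = (self.token + ".constructed-thumbprint").encode()   # key-authorization shape
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)   # what an ordinary web server returns for an unknown token

    def log_message(self, *args):   # keep the dry run quiet
        pass

def start_local_responder():
    """Start the stand-in on a free loopback port; call shutdown() and server_close() to stop."""
    srv = HTTPServer(("127.0.0.1", 0), TokenHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```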

Wow... thank you guys, it's true: I just had to enable "acme-protocol" in the firewall inbound policies.

I have been trying to get my certificates renewed for 2 days now (and started to panic, as they are expiring soon), trying to find help for the error codes; however, I failed. I tried to update the distribution kernel version, installed certbot from scratch, and did many other things. I hadn't given the firewall a single thought, as it used to work 🙂

2 Likes