Unable to renew or get new certificate - connection reset by peer


My domain is: repo.spirhr.org (which is self hosted, an apache named virtual host reverse proxy for a tomcat server)

I ran this command: sudo certbot certonly --apache

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for repo.spirhr.org
Waiting for verification...
Challenge failed for domain repo.spirhr.org
http-01 challenge for repo.spirhr.org
Cleaning up challenges
Some challenges have failed.

 - The following errors were reported by the server:

   Domain: repo.spirhr.org
   Type:   connection
   Detail: Fetching
   Connection reset by peer

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS (Focal Fossa). It is a Virtualbox VM running on Ubuntu 18.04.3 LTS host.

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

I have port 80 and 443 open on the server. I have already issued 3 certificates for other configured Apache named virtual hosts on this server (trying to renew these also fails with the same error). The strange thing is I can see the ‘apache’ plugin is creating the challenge file at /var/lib/letencrypts/http_challenges and also properly modifying the Apache server configuration file for this virtual host. There is no firewall rule that is blocking requests to port 80. I can even access the challenge URL (http://repo.spirhr.org/.well-known/acme-challenge/***) from my browser if I stop certbot in time, before it cleans it up and reverts the Apache configuration changes. What could be wrong?

Thank you for your help.

$ curl -X GET -I repo.spirhr.org/.well-known/acme-challenge/xx
curl: (56) Recv failure: Connection reset by peer

Same happens for me in a browser.

Do you have any kind of firewall setup?

Does Apache’s error_log show anything for these dropped connections?

That is strange. I have no firewall setup blocking port 80. I don’t see the request in the Apache error or access logs. Something must be wrong with my ISP, because I can run the same command you are running fine from another host (it gives me 404 not found).

Your webserver is terribly misconfigured. It only seems to answer to HTTP 1.0 requests without a “Host” header.

For example, this command works fine:

curl -Lv --http1.0 -H "Host:" http://repo.spirhr.org/.well-known/acme-challenge/foobar

With the Host header, it resets the connection.

I am not sure if I understand that, but it is my understanding that it requires the “Host” header since I have configured named virtual hosts in Apache. It responds to HTTP 1.1 requests with the “Host” header, as I can see from my Chrome network tab. Can you clarify this please? Can you access repo.spirhr.org from your browser?

I have also tried it without the Host header, but in that case it just returns the response of the first virtual host that is configured on this server (I am not sure if it is supposed to do that, but that is another topic).

Not really, just noticing what does and what doesn’t work.

Nope, I can’t.

Well, I am honestly lost at this point (the major problem being that it is working from my side). Is there a specific configuration in Apache 2.4.41 to enable HTTP 1.1? (I thought that was there out of the box.)
I have already issued 3 certificates for this server just a few weeks back and it worked fine then. I haven’t made any changes to its configuration since, except adding this new virtual host.

Apparently some changes were made by my ISP (the details of which I don’t know), but it seems it is, for some reason, blocking HTTP requests and only allows HTTPS requests to sites (that I have tried so far) that are using one of its IP addresses. This is strange, as this blocking seems to be applied only to requests that are coming from outside of its service area (i.e. from another ISP). This seems to be why I was able to access the domain at port 80 while others were not able to do so (where I live there is only one ISP, so I am using the same ISP as the server hosting the site). I am not sure how HTTP 1.0 with no Host header was passing through, though. Bottom line is letsencrypt can’t access the challenge response from the server using port 80.


Check out acme-dns and use DNS validation (either with acme-dns or your dns provider).

Thank you. I will try that. I hope it has automatic renewal for certificates.

I ended up using DNS validation through certbot manual mode for the top-level domain and all of the sub-domains (named virtual hosts I have). Since my DNS provider (GoDaddy) was not supported for me to use a pre-existing DNS plugin, I modified the pre-validation hook example given at certbot support to utilize the API provided by my DNS provider to automate the creation/update of TXT records. Now certbot renew will be able to renew the certificates automatically (I hope :) )

Thank you all for your help.

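A hook of the kind the last post describes, written here as an added example (it is not the poster's script and not certbot's or GoDaddy's code): it derives the _acme-challenge record name from the domain certbot hands it, publishes the token through the provider's REST API, and waits until the record is visible before returning. The GoDaddy URL, the "sso-key" header and the DNS_ZONE, GD_KEY and GD_SECRET variables are assumptions.

```python
"""Hypothetical certbot --manual-auth-hook for DNS-01 (added example, not the
poster's script).  certbot runs it with CERTBOT_DOMAIN and CERTBOT_VALIDATION
set.  The GoDaddy URL, the "sso-key" header and the DNS_ZONE/GD_KEY/GD_SECRET
variables are assumptions, not taken from the thread."""
import json, os, subprocess, sys, time
import urllib.request

API = "https://api.godaddy.com/v1"  # assumed REST base URL

def record_name(fqdn: str, zone: str) -> str:
    """TXT name relative to the zone: ('repo.spirhr.org','spirhr.org') gives
    '_acme-challenge.repo'; the zone apex itself gives '_acme-challenge'."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if fqdn == zone:
        return "_acme-challenge"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return "_acme-challenge." + fqdn[: -len(zone) - 1]

def build_request(zone, name, validation, key, secret):
    """PUT that replaces every TXT record at `name` with the ACME token."""
    body = json.dumps([{"data": validation, "ttl": 600}]).encode()
    req = urllib.request.Request(f"{API}/domains/{zone}/records/TXT/{name}",
                                 data=body, method="PUT")
    req.add_header("Authorization", f"sso-key {key}:{secret}")
    req.add_header("Content-Type", "application/json")
    return req

def wait_for_txt(fqdn, validation, tries=30, delay=10):
    """Poll with dig (assumed installed) until the token is visible, so the
    hook only returns once Let's Encrypt can actually see the record."""
    for _ in range(tries):
        out = subprocess.run(["dig", "+short", "TXT", "_acme-challenge." + fqdn],
                             capture_output=True, text=True).stdout
        if validation in out:
            return True
        time.sleep(delay)
    return False

if __name__ == "__main__":
    domain, token = os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"]
    zone = os.environ["DNS_ZONE"]
    req = build_request(zone, record_name(domain, zone), token,
                        os.environ["GD_KEY"], os.environ["GD_SECRET"])
    urllib.request.urlopen(req).read()  # raises on a non-2xx reply
    sys.exit(0 if wait_for_txt(domain, token) else 1)
```

Wire it in with certbot certonly --manual --preferred-challenges dns --manual-auth-hook /path/to/hook.py, and pair it with a --manual-cleanup-hook that deletes the record again so stale tokens do not accumulate in the zone.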
