Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command: Using plesk for windows ssl-it.
It produced this output: error: urn:ietf:params:acme:error:connection
My web server is (include version): IIS 10
The operating system my web server runs on is (include version): Windows server 2022 standard
My hosting provider, if applicable, is: liquid web
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian - 18.0.57 Update #5
This server has been running and generating certificates without a problem until last week.
We are suddenly seeing a large number of failed requests with error 400 connection reset by peer. I can manually navigate to challenge file from my device, or from a phone, never got any errors.
When you say "a large number" do you mean affecting a wide variety of certs? Or just frequently for this specific cert / domain name?
I don't see any past Let's Encrypt certs for this specific domain name.
Can you identify any common elements for the other failures? Are they all on the same server with the same public IP? Or in the same subnet? Or not related at all
Do you have a firewall that blocks specific IP addresses? Or maybe even some sort of DDoS firewall that blocks repeated requests?
Because generally a "reset by peer" is something actively done by some comms device at your facility.
Yes this is a new domain on our server, the common element is our public ip 67.225.137.60
The redirects and 404 you are seeing are only for files that don't exist (if the file doesn't exist the request gets handed over to index.php, but if the file exists you will get the file without any redirects).
Ok so I found the setting that lets me change the url, (but I have no idea if that takes affect immediately or not).
I was able to successfully issue the certificate now, but now I have no idea if that is due to the remove of wordpress, due to changing the validation url or just due to the random nature of the ongoing problem.
Is there any way you can see if my request now came thru the production or staging server?
If the certificate was issue on the staging server and I switch the setting back to use the production server, will this renewal fail? do they have the same data?
In checking logs, I can see that a successful validation shows 6 requests in the server logs (3 each for the domain with and without www), why does it need 3 requests?
(some of the cases where it failed showed 2 successful requests but failed due to the 3rd request apparently failing).
So just to test, I switched back to the staging server and I was able to issue a certificate. Then switched back to the production server and it fails again.
@fagopon It is the same error message and the reason is likely that same. You have something that is blocking some or all IP addresses of Let's Encrypt. But, if you want specific help please start a new Help category thread and answer the questions you will be shown. Often problems that look similar at the start end up being very different.
