ACME Validation failed when generating a Let's Encrypt Certificate with error: "Connection reset by peer", "status": 400"
Information
Summary:
When attempting to generate a new Let's Encrypt Certificate (LE Cert) for a Virtual Service (VS), the LE Cert generation fails with the following error observed in the system logs: "Connection reset by peer", "status": 400. This article covers the cause and fix for this issue.
Environment:
Product: LoadMaster
Version: 7.2.53 and above
Platform: Any
Application: Any
Question/Problem Description:
When trying to generate a new LE Cert for a VS, the LE Cert generation fails with the error: "Connection reset by peer", "status": 400. What is the cause of the issue and how can it be resolved?
Steps to Reproduce:

Error Message:
2023-04-30T15:30:25+03:00 <LoadMaster_hostname> Acme: Validation failed for
Defect Number:
Enhancement Number:
Cause:
The cause of the issue is a misconfiguration in the initial set-up of the Virtual Service. For the LE Cert to be generated successfully, the Virtual Service targeted by the LE Cert must be set up in a specific way.

In this case the error "Connection reset by peer", "status": 400 refers to the port 80 redirect VS, as indicated by the following field in the log: "port": "80"

If there are real servers configured on the port 80 redirect VS, the LE Cert generation will fail. This is because the LE Cert bot always sends its first request over HTTP/80 to initialize the connection. After that first request is sent over port 80, a redirect to port 443 is expected, since all follow-up communication by the cert bot occurs over HTTPS/443. If real servers are configured on the port 80 redirect Virtual Service, the first LE Cert bot request is sent to the real server instead and the redirect to 443 never triggers. As a result, the follow-up request is forwarded over HTTPS/443 to the real server on port 80, where the "Connection reset by peer" error is triggered.
Resolution:
To resolve the issue, ensure that there are no real servers configured on the port 80 redirect Virtual Service.
Here are the VS configuration requirements when setting up a VS for Let's Encrypt Certificate Generation:
If everything is configured correctly, the LE Cert generation should work. If the issue persists, please contact the LoadMaster support team.
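As an added pre-flight check (not part of this article or of the LoadMaster product), the following Python script sends the same kind of request the Let's Encrypt validator sends, an HTTP GET to the standard ACME HTTP-01 challenge path on port 80, without following redirects, and reports whether the port 80 redirect VS answers with a redirect to HTTPS, answers the request itself (a sign that real servers are configured on it), or resets the connection. The hostname and the challenge token are placeholders.

```python
"""Pre-flight check for a LoadMaster port 80 redirect VS before requesting an LE Cert."""
import http.client
import sys
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Standard ACME HTTP-01 challenge path; the token is a constructed placeholder.
CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-check-token"


def classify(status: Optional[int], location: Optional[str], hostname: str) -> str:
    """Classify the first-hop answer from port 80.

    "ok"           - redirected to https://<hostname>/..., which is what the validator expects
    "no-redirect"  - port 80 answered the request itself: real servers are likely configured
                     on the redirect VS, so the redirect to 443 never triggers
    "bad-redirect" - redirected, but not to HTTPS on the same hostname
    "reset"        - connection reset, refused or timed out before any response
    """
    if status is None:
        return "reset"
    if status in (301, 302, 307, 308) and location:
        parts = urlsplit(location)
        if parts.scheme == "https" and parts.hostname == hostname:
            return "ok"
        return "bad-redirect"
    return "no-redirect"


def probe_port80(hostname: str, timeout: float = 5.0) -> Tuple[Optional[int], Optional[str]]:
    """GET the challenge path over plain HTTP/80 and return (status, Location).

    Redirects are deliberately not followed so only the first hop is observed.
    """
    conn = http.client.HTTPConnection(hostname, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        # Covers "Connection reset by peer", refused connections and timeouts.
        return None, None
    finally:
        conn.close()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "vs.example.com"  # placeholder hostname
    status, location = probe_port80(host)
    print(f"{host}: {classify(status, location, host)} (status={status}, location={location})")
```

Run it against the VS hostname before triggering the LE Cert generation; anything other than "ok" indicates the port 80 redirect VS needs attention.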
Workaround:
Notes:
Let's Encrypt Deployment Guide: Let's Encrypt – Kemp Support (kemptechnologies.com)
Let's Encrypt Set Up: Let's Encrypt Set Up – Kemp Support (kemptechnologies.com)
How to add a port 80 redirect: How to configure a Port 80 Redirect – Kemp Support (kemptechnologies.com)