Could not connect to host acme-v02.api.letsencrypt.org:443

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
tt-rick
500 Command not understood
Posts: 2
Joined: 2023-12-08 01:38
First name: Rick

Could not connect to host acme-v02.api.letsencrypt.org:443

#1 Post by tt-rick » 2023-12-08 02:05

I'm running FileZilla 1.7.3 on a Windows Server 2022. I setup Let's Encrypt through Filezilla several months ago, and it's been running and updating the certificate successfully until recently. I have not updated Filezilla, or changed anything on the server - although normal Windows Updates, etc are happening automatically. Also checked the firewall, no changes, and still looks good.

I'm not sure how long Filezilla has been failing to renew the certificate - the log file is only retained a couple of days. Based on the certificate Expiration date, I'm guessing 6 days ago.

Log entries (5-Debug) - cleansed of identification :
2023-12-08T01:51:07.909Z == [ACME Daemon] Next certificate to be renewed is registered with the account [https://acme-v02.api.letsencrypt.org/acme/acct/****], for the domains [shadowcontrol.t***].
2023-12-08T01:51:07.909Z == [ACME Daemon] Starting renewal of certificate NOW.
2023-12-08T01:51:07.910Z == [ACME] Listening on 0.0.0.0:80.
2023-12-08T01:51:07.910Z == [ACME] Listening on [::]:80.
2023-12-08T01:51:07.910Z DD [ACME] >>> Entering do_get_certificate
2023-12-08T01:51:07.910Z DD [ACME] >>> Entering do_get_account
2023-12-08T01:51:07.910Z DI [ACME] Getting directory...
2023-12-08T01:51:07.910Z DD [ACME/HTTP Client] Connecting to acme-v02.api.letsencrypt.org:443
2023-12-08T01:51:07.910Z DD [ACME] <<< Leaving do_get_account
2023-12-08T01:51:07.910Z DD [ACME] <<< Leaving do_get_certificate
2023-12-08T01:51:08.323Z DD [ACME/HTTP Client] Certificate is trusted: no
2023-12-08T01:51:08.323Z DW [ACME/HTTP Client] ECONNABORTED - Connection aborted. Could not connect to host acme-v02.api.letsencrypt.org:443.
2023-12-08T01:51:08.323Z !! [ACME] Error: HTTP Internal error: ECONNABORTED - Connection aborted. Could not connect to host acme-v02.api.letsencrypt.org:443.
2023-12-08T01:51:08.323Z DD [ACME] Destroying.
2023-12-08T01:51:08.323Z DD [ACME] Stopping listeners.
2023-12-08T01:51:08.323Z DD [ACME] Destroying sessions.
2023-12-08T01:51:08.323Z !! [ACME Daemon] Finished renewal of certificate for the domains [shadowcontrol.t***], registered with the account [https://acme-v02.api.letsencrypt.org/acme/acct/****]. FAILED.
2023-12-08T01:51:08.323Z !! [ACME Daemon] Retrying in 300 seconds.
2023-12-08T01:51:08.327Z == [ACME Daemon] Next certificate to be renewed is registered with the account [https://acme-v02.api.letsencrypt.org/acme/acct/****], for the domains [shadowcontrol.t***].
2023-12-08T01:51:08.327Z == [ACME Daemon] It will be renewed on the date [Fri, 08 Dec 2023 01:56:08 GMT].
2023-12-08T01:51:08.327Z DW [ACME/HTTP Client] 105. Channel closed with error from source 0.


I've checked that I can get to Let's Encrypt website from the server- all tests are good.

Any thoughts where to look next?

User avatar
oibaf
Contributor
Posts: 379
Joined: 2021-07-16 21:02
First name: Fabio
Last name: Alemagna

Re: Could not connect to host acme-v02.api.letsencrypt.org:443

#2 Post by oibaf » 2023-12-08 08:00

From the log, it appears the certificate of the let's encrypt host is not trusted. It means the system trust store is not up to date.

FileZilla Server has no access to the trust store of the browser, which uses its own rather than the system's one, hence why the browser works.

You need to update the operating system's trust store. This is typically done by updating the OS itself.

tt-rick
500 Command not understood
Posts: 2
Joined: 2023-12-08 01:38
First name: Rick

Re: Could not connect to host acme-v02.api.letsencrypt.org:443

#3 Post by tt-rick » 2023-12-11 01:55

Hi oibaf,

Thanks for this.

I had previously checked that there were no Windows Updates outstanding. I checked again, and there were still no Windows Updates outstanding, just the nuisanse Defender Antivirus Update.
I had already checked the system trust store (MMC > local computer certificates > Trusted Root Certification Authority store > certificates). Checked again that the ISRG Root X1 certificate was there and confirmed that it appears to be up-to-date.
Tried to renew the certificate again, still no joy.

While checking this I noticed that the server had not rebooted for a couple of months, so I scheduled a reboot of the server over the weekend. And have come in this mornng to see the certificate has successfully renewed!!! Mark it up to another MS glitch :(

Anyhow, thanks for your confirmation that it was an issue with trusting the certificate. It stopped me going off on a tangent.

User avatar
botg
Site Admin
Posts: 35455
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Could not connect to host acme-v02.api.letsencrypt.org:443

#4 Post by botg » 2023-12-11 08:56

"Have you tried turning it off and on again?" ;)

Post Reply