An error occurs when trying to create a certificate


I ask for help.
An error occurs when trying to create a certificate. Part of the logs below.
2017-04-26 09:48:33,395:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#nginx,PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-04-26 09:48:33,396:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-04-26 09:48:33,915:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x3c89050>
Prep: True
2017-04-26 09:48:33,916:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x3c89050> and installer None
2017-04-26 09:48:45,780:DEBUG:acme.client:Sending GET request to
2017-04-26 09:48:45,792:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1):
2017-04-26 09:48:46,143:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 755, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 666, in certonly
le_client = _init_le_client(config, auth, installer)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 382, in _init_le_client
acc, acme = _determine_account(config)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 367, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 129, in register
acme = acme_from_config_key(config, key)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/", line 43, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/", line 71, in init
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/", line 642, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/", line 615, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/", line 609, in send
r = adapter.send(request, **kwargs)
File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/", line 497, in send
raise SSLError(e, request=request)
SSLError: ('bad handshake: Error([],)',)

Linux localhost 3.10.0-514.16.1.el7.x86_64 #1 SMP Wed Apr 12 15:04:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

[root@localhost letsencrypt]# openssl version
OpenSSL 1.1.0e 16 Feb 2017

[root@localhost letsencrypt]# python -V
Python 2.7.5

What can be done?


Hi @Apxukoc,

can you share more details?

What command are you running?
Is your DNS correct? (Domain name to IP)
Does your server have a public IP?
Have you checked whether your firewall accepts requests to HTTP?
Is your web server running?

greetz Sm3rT

  1. ./letsencrypt-auto certonly --rsa-key-size 4096 --standalone -d
  2. Yes, the domain is registered and has already received a certificate for it.
  3. Yes, the server has a public address.
  4. Yes, telnet goes to ports 80 and 443. Before I receive the certificate, I stop the server.

I suspect that the problem occurred after the update to OpenSSL 1.1.0.
By default, CentOS 7 is running 1.0.1.
I'm still trying to find a solution.


Hmm, have you tried giving a webroot as well in your command?

For Example:

./letsencrypt-auto certonly --rsa-key-size 4096 --webroot /path/to/documentroot --standalone -d

Greetz Sm3rT


The problem is due to the update of OpenSSL to version 1.1.0
On the standby machine, where the OpenSSL update is not installed, the subdomain is updated regularly by any means.
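
One way to check the OpenSSL suspicion raised in this thread is to compare the OpenSSL build that each layer on the host reports. This is an added example, not code from any poster or from certbot; the function names are hypothetical, and the 1.0.1 string in the sample is constructed (the 1.1.0e string matches the `openssl version` output quoted above).

```python
import re
import ssl
import subprocess

# Constructed sample: CLI string as quoted in the thread, module string invented.
CONSTRUCTED_SAMPLE = {
    "openssl CLI": "OpenSSL 1.1.0e  16 Feb 2017",
    "python ssl module": "OpenSSL 1.0.1e-fips 11 Feb 2013",
}

def openssl_series(version_text):
    """Return (major, minor) from text like 'OpenSSL 1.1.0e 16 Feb 2017'."""
    m = re.search(r"(?:OpenSSL|LibreSSL)\s+(\d+)\.(\d+)", version_text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def collect_versions():
    """Gather the OpenSSL version string reported by each layer on this host."""
    found = {"python ssl module": ssl.OPENSSL_VERSION}
    try:
        # pyOpenSSL is optional; assumption: if present, it lives in the
        # same environment as the interpreter running this script.
        from OpenSSL import SSL
        found["pyOpenSSL"] = SSL.SSLeay_version(SSL.SSLEAY_VERSION).decode()
    except (ImportError, AttributeError):
        pass
    try:
        out = subprocess.check_output(["openssl", "version"])
        found["openssl CLI"] = out.decode().strip()
    except (OSError, subprocess.CalledProcessError):
        pass
    return found

def mismatched_layers(versions):
    """Group layers by OpenSSL series; a non-empty result means mixed builds."""
    groups = {}
    for layer, text in versions.items():
        groups.setdefault(openssl_series(text), []).append(layer)
    return groups if len(groups) > 1 else {}

if __name__ == "__main__":
    versions = collect_versions()
    for layer, text in sorted(versions.items()):
        print("%-18s %s" % (layer, text))
    mixed = mismatched_layers(versions)
    print("mixed OpenSSL series: %s" % (mixed or "none"))
```

Run it with the interpreter from the environment shown in the traceback (under `/root/.local/share/letsencrypt/`), since that is the Python whose TLS libraries make the failing request.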


Hi @Sm3rT, --webroot doesn’t make sense with --standalone because they are alternatives. If you do need to specify a webroot directory, it should be done with -w (= --webroot-path), not --webroot.



Thanks, I use it correctly in my script, but typed it wrong here :see_no_evil:

