Archlinux | how to configure Let's Encrypt

Hello,

I'm having some difficulties configuring "Let's Encrypt" on my VPS

Server: VPS SSD OVH > Cheap VPS: Powerful & Low-Cost Starter VPS | OVHcloud
LAMP (Archlinux, Apache, MariaDB, PHP7.1)
Virtual hosts (2 WordPress sites)


First source:

So first I installed the packages "certbot" and "certbot-apache"

$ sudo pacman -S certbot
$ sudo pacman -S certbot-apache

Then, I tried to generate and validate a certificate

$ sudo certbot --apache -d www.universal-genesis.net

but it didn't work, because the connection was refused (I forgot to make it listen on port 443 in httpd.conf), so I tried to generate a certificate in standalone mode, and it worked.

$ sudo certbot certonly --standalone -d www.universal-genesis.net

The certificate was saved in the folder /etc/letsencrypt/live/www.universal-genesis.net, but I didn't find any information about how to use it...

I would like my website to be accessible on https://universal-genesis.net and https://www.universal-genesis.net. How should I do this? Are there any variations with the virtual host?


second source: Apache HTTP Server - ArchWiki

Looking for more information, I found the page about Apache talking about TLS & SSL. So I edited the file httpd.conf to make it listen on port 443, retried the certbot command and got a new error message: "Server only speaks HTTP, not TLS"

sudo nano /etc/httpd/conf/httpd.conf
listen 443
certbot --apache -d www.universal-genesis.net

So I continued the instructions about TLS & SSL, loading the modules and including httpd-ssl.conf, but I'm not sure I'm going in the right direction...

Could anybody help me, please?

Thanks for your time,
Red'

Hi @Redgard,

The idea that the Apache server already needs to be listening on port 443 in order to use certbot --apache is a misconception. Certbot is happy to reconfigure Apache to listen on port 443 temporarily if it’s not already listening.

However, if you manually add a Listen 443 directive without other matching directives like SSLCertificateFile (and SSLEngine on), then you do tend to get the error about a server speaking HTTP on port 443 instead of HTTPS, because it doesn’t know to speak HTTPS.

I’m not sure why your initial --apache method didn’t work; maybe it would be good to try to debug that.

Alternatively, you can find a tutorial on configuring Apache with a new certificate (including the appropriate directives beginning with SSL), or you can try to use Certbot’s support for installing in Apache for you.

You could try certbot -a standalone -i apache -d www.universal-genesis.net to tell Certbot to do this, although this is a potential problem for renewal because you will also need to stop your existing Apache server when renewing the certificate (which you can do with something like --pre-hook "service apache2 stop" --post-hook "service apache2 start", but this might not be how you want things to work).

If I use “certbot -a standalone -i apache -d www.universal-genesis.net”, could there be a problem with the creation of a systemd > https://wiki.archlinux.org/index.php/Let’s_Encrypt#Automatic_renewal

What do you mean by certbot’s support? Isn't this forum the support?

I'm not very familiar with the suggestions there, but if you look just a little bit further down the page, they offer advice for people who are using standalone ("When using the standalone method you should stop your webserver before executing the renew request, and start your webserver when Certbot is finished. Certbot provides hooks to automatically stop and restart a web server."). I think their advice will work if you end up continuing to use standalone.

The point of -i apache (which is not very well known) is that Certbot can try to edit your Apache configuration files to set up your Apache server to use the certificate that it obtained, even when it obtained it via another method, such as the standalone method.
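The two things the replies above describe (an Apache vhost that actually uses the files under /etc/letsencrypt/live/, and a renewal that stops and starts the web server around the standalone authenticator) as one added example. This is not code from the thread, Certbot, or the ArchWiki; it assumes Arch Linux paths (/etc/httpd/conf/extra/, the httpd.service unit), the lineage name www.universal-genesis.net from the thread, and a placeholder DocumentRoot.

```shell
#!/bin/sh
# Added example (not from the thread): render an Apache HTTPS vhost for the
# certificate Certbot saved under /etc/letsencrypt/live/<name>/, syntax-check
# the server config, and print the renewal command that goes with the
# standalone authenticator. Assumptions: Arch Linux layout (/etc/httpd/conf,
# httpd.service), lineage name www.universal-genesis.net, placeholder docroot.
# httpd.conf must load mod_ssl, mod_socache_shmcb and mod_headers and keep
# its existing "Listen 443" (do not add a second one in the vhost file).

# Print a vhost pair for ServerName $1 with extra ServerAlias names $2 and
# DocumentRoot $3. The live/ symlinks are rewritten by Certbot on every
# renewal, so these paths never need to change.
gen_vhost_conf() {
    name=$1
    aliases=$2
    docroot=${3:-/srv/http/wordpress}   # assumption: WordPress lives here
    live=/etc/letsencrypt/live/$name
    cat <<EOF
# A bare "Listen 443" with no SSLEngine makes httpd answer port 443 in plain
# HTTP, which is the "Server only speaks HTTP, not TLS" symptom. SSLEngine on
# plus the key and chain paths below are what make the port speak TLS.

<VirtualHost *:80>
    ServerName $name
    ServerAlias $aliases
    # Leave /.well-known/acme-challenge/ reachable over HTTP (webroot/apache
    # renewals need it); send everything else to HTTPS.
    RedirectMatch permanent ^/(?!\.well-known/acme-challenge/)(.*) https://$name/\$1
</VirtualHost>

<VirtualHost *:443>
    ServerName $name
    ServerAlias $aliases
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile    $live/fullchain.pem
    SSLCertificateKeyFile $live/privkey.pem
    # The intermediate is already inside fullchain.pem; no separate
    # SSLCertificateChainFile is needed.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
EOF
}

# The standalone authenticator binds port 80 itself, so a renewal has to stop
# httpd first and start it afterwards. With --apache as the authenticator no
# hooks are needed. Arch's Apache unit is httpd.service, not apache2.
standalone_renew_cmd() {
    printf '%s\n' 'certbot renew --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"'
}

# Write the rendered vhost, run the full config parse, and only then reload.
# httpd.conf must "Include conf/extra/httpd-le-ssl.conf" for this to apply.
install_vhost() {
    out=${1:-/etc/httpd/conf/extra/httpd-le-ssl.conf}
    gen_vhost_conf www.universal-genesis.net universal-genesis.net > "$out"
    httpd -t && systemctl reload httpd
}
```

Usage: source the file and call `gen_vhost_conf www.universal-genesis.net universal-genesis.net` to inspect the output, then `install_vhost` as root; `standalone_renew_cmd` prints the renew line to put in the systemd service from the ArchWiki page if you stay with the standalone method. Both hostnames must be in the certificate's SAN list for the ServerAlias to be useful, so request the certificate with both `-d` names.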

Oh, that's just two different meanings of support. :slight_smile:

Certbot's support for X = Certbot's ability to do X; the Certbot feature that does X
support for Certbot = people helping you use Certbot (including this forum)

Something I should have posted from the start. This is the log when I execute the command certbot --apache

Logs of Let's encrypt

2017-07-27 16:19:27,258:DEBUG:certbot.main:certbot version: 0.16.0
2017-07-27 16:19:27,259:DEBUG:certbot.main:Arguments: ['--email', 'universal.g3nesis@gmail.com', '--webroot', '-w', '/var/lib/letsencrypt/', '-d', 'universal-genesis.net']
2017-07-27 16:19:27,260:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-07-27 16:19:27,275:DEBUG:certbot.log:Root logging level set at 20
2017-07-27 16:19:27,275:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-07-27 16:19:27,276:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-07-27 16:19:27,280:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f5327779ac8>
Prep: True
2017-07-27 16:19:27,280:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f5327779ac8> and installer None
2017-07-27 16:19:27,401:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-07-27 16:19:27,405:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.16.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 743, in main
return config.func(config, plugins)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 667, in certonly
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 383, in _init_le_client
acc, acme = _determine_account(config)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 368, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File "/usr/lib/python3.6/site-packages/certbot/client.py", line 162, in register
acme = acme_from_config_key(config, key)
File "/usr/lib/python3.6/site-packages/certbot/client.py", line 45, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File "/usr/lib/python3.6/site-packages/acme/client.py", line 71, in init
self.net.get(directory).json())
File "/usr/lib/python3.6/site-packages/acme/client.py", line 654, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3.6/site-packages/acme/client.py", line 627, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 502, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 612, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 407, in send
self.cert_verify(conn, request.url, verify, cert)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 226, in cert_verify
"invalid path: {0}".format(cert_loc))
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ssl/certs/ca-certificates.crt

With certbot --debug:

[identical to the log above]

certbot -a standalone -i apache -d www.universal-genesis.net

it still doesn't work

console:

[root@vps429820 ~]# certbot -a standalone -i apache -d www.universal-genesis.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.universal-genesis.net-0001.conf)

What would you like to do?

1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.universal-genesis.net-0001/fullchain.pem.
    Your cert will expire on 2017-10-30. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

Logs

2017-07-27 16:19:31,268:DEBUG:certbot.main:certbot version: 0.16.0
2017-07-27 16:19:31,268:DEBUG:certbot.main:Arguments: ['--email', 'universal.g3nesis@gmail.com', '--webroot', '-w', '/var/lib/letsencrypt/', '-d', 'universal-genesis.net']
2017-07-27 16:19:31,269:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-07-27 16:19:31,282:DEBUG:certbot.log:Root logging level set at 20
2017-07-27 16:19:31,283:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-07-27 16:19:31,283:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-07-27 16:19:31,287:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fd89af6bac8>
Prep: True
2017-07-27 16:19:31,287:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fd89af6bac8> and installer None
2017-07-27 16:19:31,439:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-07-27 16:19:31,442:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.16.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 743, in main
return config.func(config, plugins)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 667, in certonly
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 383, in _init_le_client
acc, acme = _determine_account(config)
File "/usr/lib/python3.6/site-packages/certbot/main.py", line 368, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File "/usr/lib/python3.6/site-packages/certbot/client.py", line 162, in register
acme = acme_from_config_key(config, key)
File "/usr/lib/python3.6/site-packages/certbot/client.py", line 45, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File "/usr/lib/python3.6/site-packages/acme/client.py", line 71, in init
self.net.get(directory).json())
File "/usr/lib/python3.6/site-packages/acme/client.py", line 654, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3.6/site-packages/acme/client.py", line 627, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 502, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 612, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 407, in send
self.cert_verify(conn, request.url, verify, cert)
File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 226, in cert_verify
"invalid path: {0}".format(cert_loc))
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ssl/certs/ca-certificates.crt

I’m really confused about how sudo certbot certonly --standalone -d www.universal-genesis.net could have worked if you don’t have the operating system CA bundle. Did you install or remove other operating system packages recently?

The error message that you’re getting is about an extremely important missing file which should have been installed by an OS package and which allows validating the certificates of other HTTPS and TLS services that you connect to from your server, in this case the API of the Let’s Encrypt CA.

I don’t think so…

I received a VPS on Archlinux, then installed apache, php7.1, MariaDB, phpmyadmin
https://wiki.archlinux.org/index.php/Apache_HTTP_Server

Then I installed wordpress:
https://wiki.archlinux.org/index.php/Wordpress

After that I installed certbot and tried to generate a certificate.
https://wiki.archlinux.org/index.php/Let’s_Encrypt#Automatic_renewal

But maybe a package is corrupted and I should reinstall it. I don’t know, it is my first server, so I’m still learning ^^'
At the very start, when I tried to install Let’s Encrypt, I had a problem with it, so I had to update the server and reinstall certbot.

Can you use curl, wget, and openssl to connect to HTTPS sites from your server? Like

curl https://www.google.com/
wget -O- https://www.google.com/
openssl s_client -connect www.google.com:443 -servername www.google.com

Is this helpful?
curl https://www.google.com/

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.fr/?gfe_rd=cr&amp;ei=17aAWZrvNqvD7gSqyquACg">here</A>.
</BODY></HTML>

wget -O- https://www.google.com/

--2017-08-01 19:14:28--  https://www.google.com/
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.google.com... 173.194.44.83, 173.194.44.82, 173.194.44.81, ...
Connecting to www.google.com|173.194.44.83|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.google.fr/?gfe_rd=cr&ei=8raAWczxOMrD7gTUl79I [following]
--2017-08-01 19:14:28--  https://www.google.fr/?gfe_rd=cr&ei=8raAWczxOMrD7gTUl79I
Resolving www.google.fr... 173.194.44.79, 173.194.44.87, 173.194.44.88, ...
Connecting to www.google.fr|173.194.44.79|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'STDOUT'

-                                           [<=>                                                                          ]       0  --.-KB/s
[HTML body of the google.fr homepage omitted]
-                                           [ <=>                                                                         ]  10.28K  --.-KB/s    in 0.002s

2017-08-01 19:14:41 (4.07 MB/s) - written to stdout [10524]

openssl s_client -connect www.google.com:443 -servername www.google.com

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = www.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIXs2UqSQjeX0wDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNzE5MTE1NTU3WhcNMTcxMDExMTEzMTAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDC0ch6
9mIeccIcKfXTYdiuWRS2iXVPjM6m+u6JwQ0rNMaUyynZ4D7mxLzanOCavewgCKs+
nt18RZ5kZOofE2dfl1YMmnPLDwAk2SQ3GRBTsltKRONto7Ub9AK5E9ZN+Zfg8VGf
xaduT3gqE3telPCHEoiXHfNhR0+qSXMhg35KXgU9EISTKo7tqPOhZg80qSkqItkP
GkRsTOfyxGLrzlUliR8qxXVuhho/cQQhM0eggHw176jgF0lasG7vxmx9qHILLx+X
5xo0sJrb4D4E4xrmGEISy5VDAS0fgrr7IzeNVaypTzZmzT9se/U7TjY2DVjQOHq+
0vegFQuok0EmxzjpAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSNLiWf5cflJjv+MCFRKdjhWw1wPTAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAZbJp48Od2jwHn2jM
EDWLyuigWBR1oF+J8ntDkB8Sbvccx5Ihk+B5LjJWVbvUGkjlDwBhQbaUvBuUPgyh
FdMptwL6YJ7OHAJGQwjdloOiCoQQif2qaTbmYu1Y8akGXxuUdGd7KmtmvR6Id/lN
5rnvj90+u1w/7HEybgzKvIPKrwmobQc0sKNfFtTXcMI6KiFiVLQ0QCXsetfV4RMD
EcN6RNRRK1eENq7UZAk7ZXsARw8Qf2ux5IWysycEgCV7wgTKrLhtNPXU/bxAAAEN
H6ao8RLiWT+GsCeQltF7E7ryDwXYbDnUpnFtERdcMQ+xD+wyWaibr6WSSJ1IyEaG
l2qTvw==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3818 bytes and written 284 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: AFB035400F9C1A3B1EE4DB9BC80BA67771806D050D564A4B20C82085C09888C6
    Session-ID-ctx:
    Master-Key: 7BFF421FFDF5EEC89697F92591793804AD0E86F7A8A57D891235FCEFC7CA94A0D4DF2558F36E4BC0B09AC1CA8ED33371
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1501607707
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

OK, this is especially bizarre because wget specifically mentioned that it’s using the same file /etc/ssl/certs/ca-certificates.crt.

Can you try running

python -c 'import requests; requests.get("https://www.google.com/")'

This is more similar to what Certbot is doing. (If it succeeds, there should be no output at all.)

No output at all… so? Any idea about what’s wrong with the VPS?

EDIT: I don’t know if it can help…
systemctl --all

  UNIT                                                                        LOAD      ACTIVE   SUB       DESCRIPTION
  proc-sys-fs-binfmt_misc.automount                                           loaded    active   waiting   Arbitrary Executable File Formats File System Auto
● org.freedesktop.network1.busname                                            not-found inactive dead      org.freedesktop.network1.busname
● org.freedesktop.resolve1.busname                                            not-found inactive dead      org.freedesktop.resolve1.busname
  dev-disk-by\x2dpartuuid-2d4b88ef\x2d01.device                               loaded    active   plugged   /dev/disk/by-partuuid/2d4b88ef-01
  dev-disk-by\x2dpath-pci\x2d0000:00:04.0.device                              loaded    active   plugged   /dev/disk/by-path/pci-0000:00:04.0
  dev-disk-by\x2dpath-pci\x2d0000:00:04.0\x2dpart1.device                     loaded    active   plugged   /dev/disk/by-path/pci-0000:00:04.0-part1
  dev-disk-by\x2dpath-virtio\x2dpci\x2d0000:00:04.0.device                    loaded    active   plugged   /dev/disk/by-path/virtio-pci-0000:00:04.0
  dev-disk-by\x2dpath-virtio\x2dpci\x2d0000:00:04.0\x2dpart1.device           loaded    active   plugged   /dev/disk/by-path/virtio-pci-0000:00:04.0-part1
  dev-disk-by\x2duuid-52d0c25c\x2d2e4e\x2d473b\x2d81eb\x2d56b46711a793.device loaded    active   plugged   /dev/disk/by-uuid/52d0c25c-2e4e-473b-81eb-56b46711
  dev-ttyS0.device                                                            loaded    active   plugged   /dev/ttyS0
  dev-ttyS1.device                                                            loaded    active   plugged   /dev/ttyS1
  dev-ttyS2.device                                                            loaded    active   plugged   /dev/ttyS2
  dev-ttyS3.device                                                            loaded    active   plugged   /dev/ttyS3
  dev-vda.device                                                              loaded    active   plugged   /dev/vda
  dev-vda1.device                                                             loaded    active   plugged   /dev/vda1
  sys-devices-pci0000:00-0000:00:03.0-virtio0-net-eth0.device                 loaded    active   plugged   Virtio network device
  sys-devices-pci0000:00-0000:00:04.0-virtio1-block-vda-vda1.device           loaded    active   plugged   /sys/devices/pci0000:00/0000:00:04.0/virtio1/block
  sys-devices-pci0000:00-0000:00:04.0-virtio1-block-vda.device                loaded    active   plugged   /sys/devices/pci0000:00/0000:00:04.0/virtio1/block
  sys-devices-platform-serial8250-tty-ttyS2.device                            loaded    active   plugged   /sys/devices/platform/serial8250/tty/ttyS2
  sys-devices-platform-serial8250-tty-ttyS3.device                            loaded    active   plugged   /sys/devices/platform/serial8250/tty/ttyS3
  sys-devices-pnp0-00:04-tty-ttyS0.device                                     loaded    active   plugged   /sys/devices/pnp0/00:04/tty/ttyS0
  sys-devices-pnp0-00:05-tty-ttyS1.device                                     loaded    active   plugged   /sys/devices/pnp0/00:05/tty/ttyS1
  sys-module-configfs.device                                                  loaded    active   plugged   /sys/module/configfs
  sys-subsystem-net-devices-eth0.device                                       loaded    active   plugged   Virtio network device
  -.mount                                                                     loaded    active   mounted   Root Mount
  dev-hugepages.mount                                                         loaded    active   mounted   Huge Pages File System
  dev-mqueue.mount                                                            loaded    active   mounted   POSIX Message Queue File System
  proc-sys-fs-binfmt_misc.mount                                               loaded    inactive dead      Arbitrary Executable File Formats File System
  run-user-0.mount                                                            loaded    active   mounted   /run/user/0
  sys-fs-fuse-connections.mount                                               loaded    inactive dead      FUSE Control File System
  sys-kernel-config.mount                                                     loaded    active   mounted   Kernel Configuration File System
  sys-kernel-debug.mount                                                      loaded    active   mounted   Kernel Debug File System
  tmp.mount                                                                   loaded    active   mounted   Temporary Directory (/tmp)
  var-lib-machines.mount                                                      loaded    inactive dead      Virtual Machine and Container Storage
  systemd-ask-password-console.path                                           loaded    active   waiting   Dispatch Password Requests to Console Directory Wa
  systemd-ask-password-wall.path                                              loaded    active   waiting   Forward Password Requests to Wall Directory Watch
  init.scope                                                                  loaded    active   running   System and Service Manager
  session-c1.scope                                                            loaded    active   running   Session c1 of user root
  session-c5.scope                                                            loaded    active   running   Session c5 of user root
● auditd.service                                                              not-found inactive dead      auditd.service
  cloud-config.service                                                        loaded    active   exited    Apply the settings specified in cloud-config
  cloud-final.service                                                         loaded    active   exited    Execute cloud user/final scripts
  cloud-init-local.service                                                    loaded    active   exited    Initial cloud-init job (pre-networking)
  cloud-init.service                                                          loaded    active   exited    Initial cloud-init job (metadata service crawler)
  dbus.service                                                                loaded    active   running   D-Bus System Message Bus
● display-manager.service                                                     not-found inactive dead      display-manager.service
  dm-event.service                                                            loaded    inactive dead      Device-mapper event daemon
  emergency.service                                                           loaded    inactive dead      Emergency Shell
  getty@tty1.service                                                          loaded    active   running   Getty on tty1
  httpd.service                                                               loaded    active   running   Apache Web Server
  initrd-cleanup.service                                                      loaded    inactive dead      Cleaning Up and Shutting Down Daemons
  initrd-parse-etc.service                                                    loaded    inactive dead      Reload Configuration from the Real Root
  initrd-switch-root.service                                                  loaded    inactive dead      Switch Root
  initrd-udevadm-cleanup-db.service                                           loaded    inactive dead      Cleanup udevd DB
  kmod-static-nodes.service                                                   loaded    active   exited    Create list of required static device nodes for th
  ldconfig.service                                                            loaded    active   exited    Rebuild Dynamic Linker Cache
  logrotate.service                                                           loaded    inactive dead      Rotate log files
  lvm2-lvmetad.service                                                        loaded    inactive dead      LVM2 metadata daemon
  man-db.service                                                              loaded    inactive dead      Update man-db cache
  mariadb.service                                                             loaded    active   running   MariaDB database server
  mkinitcpio-generate-shutdown-ramfs.service                                  loaded    inactive dead      Generate shutdown-ramfs
  pacman-reanimation.service                                                  loaded    inactive dead      Pacman reanimation
● plymouth-quit-wait.service                                                  not-found inactive dead      plymouth-quit-wait.service
● plymouth-start.service                                                      not-found inactive dead      plymouth-start.service
● rc-local.service                                                            not-found inactive dead      rc-local.service
  rescue.service                                                              loaded    inactive dead      Rescue Shell
  serial-getty@ttyS0.service                                                  loaded    active   running   Serial Getty on ttyS0
  shadow.service                                                              loaded    inactive dead      Verify integrity of password and group files
● sshd-keygen.service                                                         not-found inactive dead      sshd-keygen.service
  sshd.service                                                                loaded    active   running   OpenSSH Daemon
  sshdgenkeys.service                                                         loaded    inactive dead      SSH Key Generation
● syslog.service                                                              not-found inactive dead      syslog.service
  systemd-ask-password-console.service                                        loaded    inactive dead      Dispatch Password Requests to Console
  systemd-ask-password-wall.service                                           loaded    inactive dead      Forward Password Requests to Wall
  systemd-binfmt.service                                                      loaded    inactive dead      Set Up Additional Binary Formats
  systemd-coredump@0.service                                                  loaded    inactive dead      Process Core Dump
  systemd-firstboot.service                                                   loaded    inactive dead      First Boot Wizard
  systemd-fsck-root.service                                                   loaded    inactive dead      File System Check on Root Device
  systemd-hwdb-update.service                                                 loaded    inactive dead      Rebuild Hardware Database
  systemd-initctl.service                                                     loaded    inactive dead      /dev/initctl Compatibility Daemon
  systemd-journal-catalog-update.service                                      loaded    active   exited    Rebuild Journal Catalog
  systemd-journal-flush.service                                               loaded    active   exited    Flush Journal to Persistent Storage
  systemd-journald.service                                                    loaded    active   running   Journal Service
  systemd-logind.service                                                      loaded    active   running   Login Service
  systemd-machine-id-commit.service                                           loaded    inactive dead      Commit a transient machine-id on disk
  systemd-modules-load.service                                                loaded    inactive dead      Load Kernel Modules
  systemd-networkd.service                                                    loaded    active   running   Network Service
  systemd-random-seed.service                                                 loaded    active   exited    Load/Save Random Seed
  systemd-remount-fs.service                                                  loaded    active   exited    Remount Root and Kernel File Systems
  systemd-resolved.service                                                    loaded    active   running   Network Name Resolution
  systemd-sysctl.service                                                      loaded    active   exited    Apply Kernel Variables
  systemd-sysusers.service                                                    loaded    active   exited    Create System Users
  systemd-tmpfiles-clean.service                                              loaded    inactive dead      Cleanup of Temporary Directories
  systemd-tmpfiles-setup-dev.service                                          loaded    active   exited    Create Static Device Nodes in /dev
  systemd-tmpfiles-setup.service                                              loaded    active   exited    Create Volatile Files and Directories
  systemd-udev-trigger.service                                                loaded    active   exited    udev Coldplug all Devices
  systemd-udevd.service                                                       loaded    active   running   udev Kernel Device Manager
  systemd-update-done.service                                                 loaded    active   exited    Update is Completed
  systemd-update-utmp.service                                                 loaded    active   exited    Update UTMP about System Boot/Shutdown
  systemd-user-sessions.service                                               loaded    active   exited    Permit User Sessions
  systemd-vconsole-setup.service                                              loaded    inactive dead      Setup Virtual Console
  user@0.service                                                              loaded    active   running   User Manager for UID 0
  vsftpd.service                                                              loaded    active   running   vsftpd daemon
  -.slice                                                                     loaded    active   active    Root Slice
  system-getty.slice                                                          loaded    active   active    system-getty.slice
  system-serial\x2dgetty.slice                                                loaded    active   active    system-serial\x2dgetty.slice
  system-systemd\x2dcoredump.slice                                            loaded    inactive dead      system-systemd\x2dcoredump.slice
  system.slice                                                                loaded    active   active    System Slice
  user-0.slice                                                                loaded    active   active    User Slice of root
  user.slice                                                                  loaded    active   active    User and Session Slice
  dbus.socket                                                                 loaded    active   running   D-Bus System Message Bus Socket
  dm-event.socket                                                             loaded    active   listening Device-mapper event daemon FIFOs
  lvm2-lvmetad.socket                                                         loaded    active   listening LVM2 metadata daemon socket
  syslog.socket                                                               loaded    inactive dead      Syslog Socket
  systemd-coredump.socket                                                     loaded    active   listening Process Core Dump Socket
  systemd-initctl.socket                                                      loaded    active   listening /dev/initctl Compatibility Named Pipe
  systemd-journald-audit.socket                                               loaded    inactive dead      Journal Audit Socket

How about trying the same thing with connecting to our API endpoint?

python -c 'import requests; requests.get("https://acme-v01.api.letsencrypt.org/directory")'

same thing :s … no output

I’m trying to find how can I give you more information which could help…

@bmw also suggested looking at this GitHub issue, which may be related although it wasn’t exactly the same error message.

So I’ve just reinstalled the Python library
pacman -S python2-urllib3

annnddd still not… should I restart a service, something like that?

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.universal-genesis.net
Waiting for verification...
Cleaning up challenges
Could not reverse map the HTTPS VirtualHost to the original

IMPORTANT NOTES:
 - Unable to install the certificate
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.universal-genesis.net-0001/fullchain.pem.
   Your cert will expire on 2017-10-30. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
2017-08-01 23:26:31,141:DEBUG:certbot.main:certbot version: 0.16.0
2017-08-01 23:26:31,144:DEBUG:certbot.main:Arguments: ['--apache']
2017-08-01 23:26:31,144:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-08-01 23:26:31,163:DEBUG:certbot.log:Root logging level set at 20
2017-08-01 23:26:31,164:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-01 23:26:31,165:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2017-08-01 23:26:31,297:DEBUG:certbot_apache.configurator:Apache version is 2.4.27
2017-08-01 23:26:31,538:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.configurator:ApacheConfigurator
Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7f65554cbb38>
Prep: True
2017-08-01 23:26:31,540:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheConfigurator object at 0x7f65554cbb38> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x7f65554cbb38>
2017-08-01 23:26:31,549:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f654d583c18>)>), contact=('mailto:universal.g3nesis@gmail.com',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', status=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/19247348', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 0472694bd7b6eaee61322065fe4cc582, Meta(creation_dt=datetime.datetime(2017, 7, 27, 19, 20, 39, tzinfo=<UTC>), creation_host='vps429820.ovh.net'))>
2017-08-01 23:26:31,551:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-08-01 23:26:31,555:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-08-01 23:26:31,799:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
2017-08-01 23:26:31,799:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 352
Boulder-Request-Id: RE94LjszXe-xOpjgR29UUXJdjmzmO4Z_8ecbtpz3kQc
Replay-Nonce: zfoe_Ur16xHiXYAwfSLnGqBe05JaV_l0h7AF7kLHgfk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 01 Aug 2017 23:26:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 01 Aug 2017 23:26:30 GMT
Connection: keep-alive

b'{\n  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",\n  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2017-08-01 23:26:31,800:DEBUG:certbot.util:Not suggesting name "ug"
2017-08-01 23:26:31,800:DEBUG:certbot.util:ug needs at least two labels
2017-08-01 23:26:31,801:DEBUG:certbot.util:Not suggesting name "vps429820.ovh.net:443"
2017-08-01 23:26:31,801:DEBUG:certbot.util:vps429820.ovh.net:443 contains an invalid character. Valid characters are A-Z, a-z, 0-9, ., and -.
2017-08-01 23:26:34,524:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/universal-genesis.net.conf is broken. Skipping.
2017-08-01 23:26:34,525:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/cert_manager.py", line 248, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
  File "/usr/lib/python3.6/site-packages/certbot/storage.py", line 412, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.6/site-packages/certbot/storage.py", line 471, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/universal-genesis.net/cert.pem to be a symlink

2017-08-01 23:26:34,527:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/www.universal-genesis.net.conf is broken. Skipping.
2017-08-01 23:26:34,527:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/cert_manager.py", line 248, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
  File "/usr/lib/python3.6/site-packages/certbot/storage.py", line 412, in __init__
    self._check_symlinks()
  File "/usr/lib/python3.6/site-packages/certbot/storage.py", line 471, in _check_symlinks
    "expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/www.universal-genesis.net/cert.pem to be a symlink

2017-08-01 23:26:34,532:INFO:certbot.renewal:Cert not yet due for renewal
2017-08-01 23:26:37,247:INFO:certbot.main:Keeping the existing certificate
2017-08-01 23:26:37,248:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.universal-genesis.net-0001/fullchain.pem. Your cert will expire on 2017-10-30. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew"
2017-08-01 23:26:37,260:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/certbot/client.py", line 451, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3.6/site-packages/certbot_apache/configurator.py", line 245, in deploy_cert
    vhost = self.choose_vhost(domain)
  File "/usr/lib/python3.6/site-packages/certbot_apache/configurator.py", line 337, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/usr/lib/python3.6/site-packages/certbot_apache/configurator.py", line 861, in make_vhost_ssl
    "Could not reverse map the HTTPS VirtualHost to the original")
certbot.errors.PluginError: Could not reverse map the HTTPS VirtualHost to the original

2017-08-01 23:26:37,260:DEBUG:certbot.error_handler:Calling registered functions
2017-08-01 23:26:37,261:DEBUG:certbot.reporter:Reporting to user: Unable to install the certificate
2017-08-01 23:26:37,261:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.16.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 604, in run
    _install_cert(config, le_client, domains, new_lineage)
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 469, in _install_cert
    path_provider.cert_path, path_provider.chain_path, path_provider.fullchain_path)
  File "/usr/lib/python3.6/site-packages/certbot/client.py", line 451, in deploy_certificate
    fullchain_path=fullchain_path)
  File "/usr/lib/python3.6/site-packages/certbot_apache/configurator.py", line 245, in deploy_cert
    vhost = self.choose_vhost(domain)
  File "/usr/lib/python3.6/site-packages/certbot_apache/configurator.py", line 337, in choose_vhost
    vhost = self.make_vhost_ssl(vhost)
  File "/usr/lib/python3.6/site-packages/certbot_apache/configurator.py", line 861, in make_vhost_ssl
    "Could not reverse map the HTTPS VirtualHost to the original")
certbot.errors.PluginError: Could not reverse map the HTTPS VirtualHost to the original

@bmw, could you please take a look at this? I think maybe requests is thinking that the trusted certs are a directory when they’re really a file—but I have no idea why it only does that when called by Certbot, as opposed to when doing import requests.

However, @Redgard, the library you reinstalled is for python2, not python3, so it looks like it wouldn’t have fixed this problem because it appears python3 is being used to run Certbot. As a further test, could you try this?

python3 -c 'import requests; requests.get("https://acme-v01.api.letsencrypt.org/directory")'

(note the 3 is different from before :slight_smile:)
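A fuller version of that check, as an added diagnostic that is not from this thread or from certbot: it lists the locations a requests-based client (certbot's acme client is one) may take its CA bundle from, reports whether each is a file or a directory, which is exactly the distinction requests uses to decide how to feed the verifier, and attempts a verified handshake against the ACME endpoint. Function names are mine; the lookup order follows requests (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi) and OpenSSL's compiled-in defaults.

```python
import os
import re
import socket
import ssl
import tempfile

# One PEM certificate block; a bundle file is a concatenation of these.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Entries in an OpenSSL "hashed" CA directory look like 2c543cd1.0.
HASHED_NAME_RE = re.compile(r"[0-9a-f]{8}\.\d+")


def classify_trust_path(path):
    """Describe what a configured CA location actually is on disk.

    requests hands the location to the verifier as a directory when
    os.path.isdir() is true and as a bundle file otherwise, so a wrong
    kind here means every verified connection fails.
    """
    if not path:
        return {"kind": "unset", "pem_blocks": 0}
    if os.path.isdir(path):
        hashed = [n for n in os.listdir(path) if HASHED_NAME_RE.fullmatch(n)]
        return {"kind": "directory", "pem_blocks": 0,
                "hashed_entries": len(hashed)}
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            text = fh.read().decode("ascii", "replace")
        return {"kind": "file", "pem_blocks": len(PEM_CERT_RE.findall(text))}
    return {"kind": "missing", "pem_blocks": 0}


def candidate_trust_paths():
    """Places a requests-based client may take its CA bundle from, in order."""
    found = [(var, os.environ.get(var))
             for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")]
    try:
        import certifi  # requests falls back to this when no env var is set
        found.append(("certifi.where()", certifi.where()))
    except ImportError:
        found.append(("certifi.where()", None))
    defaults = ssl.get_default_verify_paths()  # honours SSL_CERT_FILE/SSL_CERT_DIR
    found.append(("openssl cafile", defaults.cafile))
    found.append(("openssl capath", defaults.capath))
    return found


def verify_tls(host, port=443, cafile=None, capath=None, timeout=10):
    """Do a verified handshake the way requests.get() would; return (status, detail)."""
    ctx = ssl.create_default_context(cafile=cafile, capath=capath)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLError as exc:   # includes certificate verification failures
        return ("tls-error", str(exc))
    except OSError as exc:        # DNS failure, connection refused, timeout
        return ("connect-error", str(exc))


def report(host="acme-v01.api.letsencrypt.org"):
    """Print the trust-path inventory, then try the handshake with each usable one."""
    for label, path in candidate_trust_paths():
        info = classify_trust_path(path)
        print("%-20s %-45s %s" % (label, path, info))
        if info["kind"] == "file":
            print("    handshake:", verify_tls(host, cafile=path))
        elif info["kind"] == "directory":
            print("    handshake:", verify_tls(host, capath=path))


def self_check():
    """Classify a constructed bundle file and an empty directory (runs offline)."""
    fake_block = ("-----BEGIN CERTIFICATE-----\n"
                  "Q09OU1RSVUNURUQtU0FNUExFLU5PVC1BLVJFQUwtQ0VSVA==\n"  # constructed, not a real cert
                  "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "ca-certificates.crt")
        with open(bundle, "w") as fh:
            fh.write(fake_block * 2)  # two constructed blocks
        return {
            "file": classify_trust_path(bundle),
            "directory": classify_trust_path(tmp),
            "missing": classify_trust_path(os.path.join(tmp, "absent.crt")),
            "unset": classify_trust_path(None),
        }


if __name__ == "__main__":
    report()
```

Run it once as the user that runs certbot and once as root: a bundle that is a file for one and a directory (or missing) for the other explains why a shell test passes while certbot fails.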

@Redgard, can you also try running:

pacman -S ca-certificates

So I tried:

pacman -S python

-> doesn’t work :confused:

pacman -S ca-certificates

-> doesn’t work :confused:

python3 -c 'import requests; requests.get("https://acme-v01.api.letsencrypt.org/directory")'

-> looks worse? :confused:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: domain1.com
2: www.domain1.com
3: vps429820.ovh.net
4: universal-genesis.net
5: www.universal-genesis.net
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 5
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.universal-genesis.net-0001.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.universal-genesis.net
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: too many certificates already issued for exact set of domains: www.universal-genesis.net
Please see the logfiles in /var/log/letsencrypt for more details.
[root@vps429820 steam]# ^C
[root@vps429820 steam]#

Wrong logs - removed

Could it be something I forgot to install at the very beginning?

Huh, but these logs are from several days ago according to the date stamp (and also not very consistent with the progress that Certbot says it’s making in its output). Are there no more recent logs?