Attempting to renew cert from /etc/letsencrypt/renewal/cyberschool.idfinance.com.conf produced an unexpected error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cyberschool.idfinance.com

I ran this command: certbot renew

It produced this output: Attempting to renew cert (cyberschool.idfinance.com) from /etc/letsencrypt/renewal/cyberschool.idfinance.com.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(104, 'ECONNRESET')"))). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/cyberschool.idfinance.com/fullchain.pem (failure)

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0


Hi @Ann27, welcome to the LE community forum :slight_smile:

It looks like one of two things:

  1. Your IP is being blocked by LE
    Please provide the Internet IP used by your server.
    [Presumably: 5.188.198.162]
    @lestaff please check this IP.
  2. Your system can't reach LE [for some other reason(s)]
    Please show the outputs of:
    curl -I https://acme-v02.api.letsencrypt.org/directory
    curl -I https://google.com/

We're not blocking that IP address.


Hello! @rg305
The output of curl -I https://acme-v02.api.letsencrypt.org/directory

curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443

The output of curl -I https://google.com/

HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Sun, 19 Sep 2021 16:34:59 GMT
expires: Tue, 19 Oct 2021 16:34:59 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"

Please show the output of:
curl -4 ifconfig.co

The output is 5.188.198.162

Please show the output of:
curl -vkIis https://acme-v02.api.letsencrypt.org/directory

The output is the following:

*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0

Hm, you're trying to connect to the IPv6 address. Maybe IPv6 is the issue? Can you try the command again, but now force IPv4?:

curl -vkIis4 https://acme-v02.api.letsencrypt.org/directory

Hi!
The output is the following:

*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Aug 18 15:37:51 2021 GMT
*  expire date: Nov 16 15:37:49 2021 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ab8e2d5880)

> HEAD /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.68.0
> accept: */*

* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
    < HTTP/2 200
    HTTP/2 200
    < server: nginx
    server: nginx
    < date: Mon, 20 Sep 2021 08:32:46 GMT
    date: Mon, 20 Sep 2021 08:32:46 GMT
    < content-type: application/json
    content-type: application/json
    < content-length: 658
    content-length: 658
    < cache-control: public, max-age=0, no-cache
    cache-control: public, max-age=0, no-cache
    < replay-nonce: 0002CDYrmnB_WkbbVciaVZM_4SgTSePCru0yjCkn03WCPkc
    replay-nonce: 0002CDYrmnB_WkbbVciaVZM_4SgTSePCru0yjCkn03WCPkc
    < x-frame-options: DENY
    x-frame-options: DENY
    < strict-transport-security: max-age=604800
    strict-transport-security: max-age=604800

<

So IPv4 works, but IPv6 does not.

As it's a Cloudflare IPv6 endpoint, we can assume chances aren't that big that it's an issue at Cloudflare, which leaves the options of an IPv6 issue at your side or in between.

However, your curl command to google.com would probably also use IPv6? And that one worked.

Maybe the IPv6 IP address of your server has been blocked?

Could you perhaps try the command curl -6 ifconfig.co and let @JamesLE check that address?


Tried the command and the output is:

curl: (56) Recv failure: Connection reset by peer

Hm, that suggests there's something wrong with your IPv6 connectivity. That's something you should check and fix and isn't Let's Encrypt related I'm afraid.
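The thread narrows the failure down by running the same curl request once over IPv4 and once over IPv6 and comparing where each transcript stops. The script below is an added example (not from this thread or from Certbot): it classifies a `curl -v` transcript by the address family curl tried and by the outcome (TLS handshake completed, connection reset, or other failure), so the two probes can be compared mechanically instead of by eye. The sample transcripts embedded in it are constructed from the shape of the output quoted above; the `PROBE_ACME` switch and the `classify_curl_log` / `probe_acme` names are this example's own. Live probing is off by default because it needs network access.

```shell
#!/bin/sh
# Added example: split "can't reach the ACME directory" into per-family
# results, as the thread does with curl -4 / curl -6.
ACME_DIR="https://acme-v02.api.letsencrypt.org/directory"

# classify_curl_log reads a `curl -v` transcript on stdin and prints
# "<ipv4|ipv6> <ok|reset|fail>", or "unknown" if no "Trying <addr>" line.
# Handles both "Trying 1.2.3.4:443..." (curl 7.6x) and the bracketed
# "Trying [2606::1]:443..." form printed by newer curl versions.
classify_curl_log() {
    log=$(cat)
    addr=$(printf '%s\n' "$log" \
        | sed -n 's/^\* *Trying \(.*\):[0-9][0-9]*\.\.\..*$/\1/p' | head -n 1)
    addr=${addr#[}
    addr=${addr%]}
    if [ -z "$addr" ]; then
        echo "unknown"
        return 1
    fi
    case $addr in
        *:*) fam=ipv6 ;;   # a literal with colons is an IPv6 address
        *)   fam=ipv4 ;;
    esac
    # The handshake succeeded only if curl reports the negotiated suite.
    if printf '%s\n' "$log" | grep -q 'SSL connection using'; then
        echo "$fam ok"
    elif printf '%s\n' "$log" | grep -q 'Connection reset by peer'; then
        echo "$fam reset"   # peer (or something in the path) tore it down
    else
        echo "$fam fail"
    fi
}

# probe_acme FAMILY: run curl pinned to -4 or -6 and classify the result.
# curl -v writes the transcript to stderr, so it is merged into stdout.
probe_acme() {
    curl "-$1" -vkIs --max-time 15 "$ACME_DIR" 2>&1 | classify_curl_log
}

# Constructed sample transcripts (shape taken from the thread, not captured).
SAMPLE_V6_RESET=$(cat <<'EOF'
*   Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
* Closing connection 0
EOF
)
SAMPLE_V4_OK=$(cat <<'EOF'
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* SSL certificate verify ok.
EOF
)

# Demonstration over the constructed transcripts; set PROBE_ACME=1 to also
# probe the live endpoint over both families.
printf 'sample v6: '; printf '%s\n' "$SAMPLE_V6_RESET" | classify_curl_log
printf 'sample v4: '; printf '%s\n' "$SAMPLE_V4_OK"    | classify_curl_log
if [ "${PROBE_ACME:-0}" = 1 ]; then
    for fam in 4 6; do
        printf 'curl -%s: ' "$fam"
        probe_acme "$fam"
    done
fi
```

A host whose IPv4 probe reports `ok` while the IPv6 probe reports `reset` is in the situation described in this thread: the ACME endpoint itself is fine, and the fix belongs on the local IPv6 path (or, as a stopgap, in forcing the ACME client onto IPv4) rather than with Let's Encrypt. Using `--max-time` keeps a silently blackholed IPv6 route from hanging the check.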


Ok, thanks!
We will check it.

