Auto-SSL failed -- GET request

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: multiple domains

I ran this command: Auto-SSL from WHM v.100.0.9

It produced this output:
10:22:13 AM WARN Cpanel::Exception/(XID mv7j76) The system failed to send an HTTP “GET” request to “https://acme-v02.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v02.api.letsencrypt.org: hostname verification failed

My web server is (include version):

The operating system my web server runs on is (include version): CentOS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): No Command Found

curl -Ik acme-v02.api.letsencrypt.org
HTTP/1.1 403 Forbidden
Connection: close
Content-Type: text/html
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors
Content-Length: 1561

Can you try curl -v https://acme-v02.api.letsencrypt.org

3 Likes

Yes, I was expecting this question, so I have posted the result of it.

Please help me out. The server is running with no website for all users because the cert expired yesterday.

Please include the -v flag and do not use the -k flag

2 Likes

Here it is

* About to connect() to acme-v02.api.letsencrypt.org port 80 (#0)
*   Trying 208.91.112.55...
* Connected to acme-v02.api.letsencrypt.org (208.91.112.55) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: acme-v02.api.letsencrypt.org
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Connection: close
< Content-Type: text/html
< Cache-Control: no-cache
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: frame-ancestors
< Content-Length: 1561
<
<!-- IE friendly error message walkround.
     if error message from server is less than
     512 bytes IE v5+ will use its own error
     message instead of the one returned by
     server.                                 -->






<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><style type="text/css">html,body{height:100%;padding:0;margin:0;}.oc{display:table;width:100%;height:100%;}.ic{display:table-cell;vertical-align:middle;height:100%;}div.msg{display:block;border:1px solid #30c;padding:0;width:500px;font-family:helvetica,sans-serif;margin:10px auto;}h1{font-weight:bold;color:#fff;font-size:14px;margin:0;padding:2px;text-align:center;background: #30c;}p{font-size:12px;margin:15px auto;width:75%;font-family:helvetica,sans-serif;text-align:left;}</style><title>Web Application Firewall</title></head><body><div class="oc"><div class="ic"><div class="msg"><h1>Web Application Firewall</h1><p><p>The transfer has triggered a Web Application Firewall.</p>
<p>
     This transfer is blocked.
     URL: http://acme-v02.api.letsencrypt.org/<br />
     <br/>Event ID :  110000003
     <br/>Event Type:  signature
</p></p></div></div></div></body></html>
* Closing connection 0

The IP address being resolved is 208.91.112.55, which is not a Let’s Encrypt IP. It belongs to the company Fortinet. It appears you may have some sort of internet filter which is blocking your outgoing request.

1 Like

Agreed, is there a Fortigate firewall inline?

1 Like

nslookup acme-v02.api.letsencrypt.org
Server: 103.106.X.X
Address: 103.106.X.X#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name: ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 208.91.112.55
;; Got SERVFAIL reply from 103.106.21.170, trying next server
;; Got SERVFAIL reply from 127.0.0.1, trying next server
** server can't find ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com: NXDOMAIN

Try these DNS servers:
nslookup acme-v02.api.letsencrypt.org 1.1.1.1
nslookup acme-v02.api.letsencrypt.org 4.2.2.2
nslookup acme-v02.api.letsencrypt.org 8.8.8.8
nslookup acme-v02.api.letsencrypt.org 9.9.9.9

1 Like

The IP returned may indicate that FortiGuard has miscategorized the FQDN:

Name:    fortinet-block-page-55.fortinet.com
Address: 208.91.112.55

1 Like
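The replies above boil down to three checks: compare what the system resolver returns for the ACME host with what public resolvers return, reverse-resolve the address the system resolver gave, and fetch `/directory` with `curl -v` and no `-k` so a substituted certificate or a block page is reported rather than hidden. The script below is an added example (not from this thread, cPanel or Let's Encrypt) that runs those checks in one go. It assumes `dig` and `curl` are installed; the `"newOrder"` key it looks for is present in every ACME v2 directory, the block-page strings are the ones in the Fortinet page posted above, and 203.0.113.10 is a documentation-range placeholder standing in for a genuine Let's Encrypt edge address in the offline self-check.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: one-shot triage for "hostname
# verification failed" against the ACME directory. It separates "Let's Encrypt
# is down" from "something on my network answers for acme-v02" by
#   1. comparing the system resolver's A record with public resolvers,
#   2. reverse-resolving the system answer (a block page often has a telling PTR),
#   3. fetching /directory over HTTPS *without* -k, so a substituted certificate
#      or a WAF block page is reported instead of silently accepted.
# Assumes dig and curl are installed. Run with --live for real lookups; with no
# argument it runs an offline self-check on constructed data from the thread.
set -eu

ACME_HOST="acme-v02.api.letsencrypt.org"
PUBLIC_RESOLVERS="1.1.1.1 4.2.2.2 8.8.8.8 9.9.9.9"   # the resolvers suggested in the thread

# resolve_a <host> [<resolver>]: last IPv4 answer, empty if there is none
# (CNAME-only answer, SERVFAIL or NXDOMAIN as in the posted nslookup output).
resolve_a() {
  local at=""
  [ $# -ge 2 ] && at="@$2"
  dig +short $at "$1" A 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | tail -n1
}

# compare_answers: stdin lines are "<label> <ip>", where label "system" marks the
# system resolver. Prints MATCH when at least one public resolver returned the
# same address as the system resolver, MISMATCH when none did (the hijack
# signature from the thread), NOANSWER when the system resolver gave nothing.
# Public answers may legitimately differ between resolvers, so the check is
# membership, not equality.
compare_answers() {
  local label ip system="" public=""
  while read -r label ip; do
    [ -n "${ip:-}" ] || continue            # resolver returned nothing: ignore it
    if [ "$label" = system ]; then system="$ip"; else public="$public $ip"; fi
  done
  [ -n "$system" ] || { echo NOANSWER; return 0; }
  case " $public " in
    *" $system "*) echo MATCH ;;
    *)             echo MISMATCH ;;
  esac
}

# classify_response: stdin is an HTTP response (headers + body) for /directory.
# ACME_DIRECTORY if it carries the "newOrder" key every ACME v2 directory has,
# BLOCKPAGE if it carries the strings seen in the posted Fortinet page,
# UNKNOWN otherwise.
classify_response() {
  local resp
  resp=$(cat)
  case "$resp" in
    *'"newOrder"'*)                                            echo ACME_DIRECTORY ;;
    *"Web Application Firewall"*|*"This transfer is blocked"*) echo BLOCKPAGE ;;
    *)                                                         echo UNKNOWN ;;
  esac
}

live_check() {
  local sys_ip r resp
  sys_ip=$(resolve_a "$ACME_HOST")
  echo "system resolver -> ${sys_ip:-<no answer>}"
  [ -z "$sys_ip" ] || echo "  PTR: $(dig +short -x "$sys_ip" 2>/dev/null || true)"
  {
    printf 'system %s\n' "$sys_ip"
    for r in $PUBLIC_RESOLVERS; do
      printf '%s %s\n' "$r" "$(resolve_a "$ACME_HOST" "$r")"
    done
  } | compare_answers
  # No -k: if a middlebox answers with its own certificate, curl must fail here.
  if resp=$(curl -sS --max-time 15 -D - "https://$ACME_HOST/directory" 2>&1); then
    printf '%s\n' "$resp" | classify_response
  else
    echo "curl failed (expected when a middlebox answers with its own certificate): $resp"
  fi
}

# Offline self-check on constructed data: 208.91.112.55 is the address the
# thread's system resolver returned; 203.0.113.10 is a documentation-range
# placeholder standing in for a genuine Let's Encrypt edge address.
self_check() {
  printf 'system 208.91.112.55\n1.1.1.1 203.0.113.10\n8.8.8.8 203.0.113.10\n' | compare_answers
  printf 'HTTP/1.1 403 Forbidden\nContent-Type: text/html\n\n<title>Web Application Firewall</title>\n' | classify_response
}   # prints MISMATCH then BLOCKPAGE

if [ "${1:-}" = "--live" ]; then live_check; else self_check; fi
```

A MISMATCH plus a PTR in a vendor's block-page domain points at the filter in front of the server, not at Let's Encrypt; a MATCH with `curl` still failing points at something on the box itself (CA bundle, proxy settings). Either way the fix is in the resolver or firewall policy, not in cPanel.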

Or maybe not, and the IT staff is using the firewall to enforce policy, where a CAA record would suffice.

I'd like to read the verbiage on that "company" policy.
Sounds more like a misconfiguration OR an overzealous firewall admin.
[if NOT a mis-categorization by Fortinet]

2 Likes

F*ck you!

-- BOFH

1 Like

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.