Can't connect to Let's Encrypt server


#1

My domain is: wesain.fi

I ran this command: sh /root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --issue -d www.wesain.fi -d wesain.fi -w /usr/local/apache/autossl_tmp --debug 2

It produced this output:
[Tue Nov 13 13:36:55 EET 2018] Lets find script dir.
[Tue Nov 13 13:36:55 EET 2018] SCRIPT='/root/.acme.sh/acme.sh'
[Tue Nov 13 13:36:55 EET 2018] _script='/root/.acme.sh/acme.sh'
[Tue Nov 13 13:36:55 EET 2018] _script_home='/root/.acme.sh'
[Tue Nov 13 13:36:55 EET 2018] Using config home:/root/.acme.sh/cwp_certs
[Tue Nov 13 13:36:55 EET 2018] LE_WORKING_DIR='/root/.acme.sh/cwp_certs'


v2.7.9
[Tue Nov 13 13:36:55 EET 2018] _main_domain='www.wesain.fi'
[Tue Nov 13 13:36:55 EET 2018] _alt_domains='wesain.fi'
[Tue Nov 13 13:36:55 EET 2018] Using config home:/root/.acme.sh/cwp_certs
[Tue Nov 13 13:36:55 EET 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Nov 13 13:36:55 EET 2018] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[Tue Nov 13 13:36:55 EET 2018] DOMAIN_PATH='/root/.acme.sh/cwp_certs/www.wesain.fi'
[Tue Nov 13 13:36:55 EET 2018] '/usr/local/apache/autossl_tmp' does not contain 'dns'
[Tue Nov 13 13:36:55 EET 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Nov 13 13:36:55 EET 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Nov 13 13:36:55 EET 2018] GET
[Tue Nov 13 13:36:55 EET 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Nov 13 13:36:55 EET 2018] timeout=
[Tue Nov 13 13:36:55 EET 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/cwp_certs/http.header --trace-ascii /tmp/tmp.RDmPE4KpLf -g '
[Tue Nov 13 13:37:52 EET 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Nov 13 13:37:52 EET 2018] Here is the curl dump log:
[Tue Nov 13 13:37:52 EET 2018] == Info: About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
== Info: Trying 104.122.249.164...
== Info: Connected to acme-v01.api.letsencrypt.org (104.122.249.164) port 443 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
== Info: NSS error -5961 (PR_CONNECT_RESET_ERROR)
== Info: TCP connection reset by peer
== Info: Closing connection 0

Can’t paste any more because of link number restrictions

My web server is (include version): Apache/2.4.34

The operating system my web server runs on is (include version): CentOS 7.5.1804

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): CWPpro version: 0.9.8.740

Hello.

I’m trying to generate a certificate for the domain wesain.fi, but I’m running into problems. I’ve been using AutoSSL in CWP, and it has worked before, but now it doesn’t work with any domain.

I tried generating the certificate with the command in the beginning, and it failed as well.

Can you help me with this problem please?


#2

Continuing:

[Tue Nov 13 13:37:52 EET 2018] ret='35'
[Tue Nov 13 13:37:52 EET 2018] response
[Tue Nov 13 13:37:52 EET 2018] Can not init api.
[Tue Nov 13 13:37:52 EET 2018] Le_NextRenewTime
[Tue Nov 13 13:37:52 EET 2018] _on_before_issue
[Tue Nov 13 13:37:52 EET 2018] _chk_main_domain='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _chk_alt_domains='wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] '/usr/local/apache/autossl_tmp' does not contain 'no'
[Tue Nov 13 13:37:52 EET 2018] Le_LocalAddress
[Tue Nov 13 13:37:52 EET 2018] d='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] Check for domain='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _currentRoot='/usr/local/apache/autossl_tmp'
[Tue Nov 13 13:37:52 EET 2018] d='wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] Check for domain='wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _currentRoot='/usr/local/apache/autossl_tmp'
[Tue Nov 13 13:37:52 EET 2018] d
[Tue Nov 13 13:37:52 EET 2018] '/usr/local/apache/autossl_tmp' does not contain 'apache'
[Tue Nov 13 13:37:52 EET 2018] _saved_account_key_hash='iRBuswjMzAF0AkgxrlLTvIe08Vy28coDJAKoW9hrky4='
[Tue Nov 13 13:37:52 EET 2018] _saved_account_key_hash is not changed, skip register account.
[Tue Nov 13 13:37:52 EET 2018] Read key length:
[Tue Nov 13 13:37:52 EET 2018] _createcsr
[Tue Nov 13 13:37:52 EET 2018] domain='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] domainlist='wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] csrkey='/root/.acme.sh/cwp_certs/www.wesain.fi/www.wesain.fi.key'
[Tue Nov 13 13:37:52 EET 2018] csr='/root/.acme.sh/cwp_certs/www.wesain.fi/www.wesain.fi.csr'
[Tue Nov 13 13:37:52 EET 2018] csrconf='/root/.acme.sh/cwp_certs/www.wesain.fi/www.wesain.fi.csr.conf'
[Tue Nov 13 13:37:52 EET 2018] _is_idn_d='wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _idn_temp
[Tue Nov 13 13:37:52 EET 2018] domainlist='wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] Multi domain='DNS:www.wesain.fi,DNS:wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _is_idn_d='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _idn_temp
[Tue Nov 13 13:37:52 EET 2018] _csr_cn='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] Getting domain auth token for each domain
[Tue Nov 13 13:37:52 EET 2018] d='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] Getting webroot for domain='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _w='/usr/local/apache/autossl_tmp'
[Tue Nov 13 13:37:52 EET 2018] _currentRoot='/usr/local/apache/autossl_tmp'
[Tue Nov 13 13:37:52 EET 2018] Getting new-authz for domain='www.wesain.fi'
[Tue Nov 13 13:37:52 EET 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Nov 13 13:37:52 EET 2018] GET
[Tue Nov 13 13:37:52 EET 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Nov 13 13:37:52 EET 2018] timeout=
[Tue Nov 13 13:37:52 EET 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/cwp_certs/http.header --trace-ascii /tmp/tmp.emueEfGxhO -g '
[Tue Nov 13 13:38:47 EET 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Nov 13 13:38:47 EET 2018] Here is the curl dump log:
[Tue Nov 13 13:38:47 EET 2018] == Info: About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
== Info: Trying 104.122.249.164...
== Info: Connected to acme-v01.api.letsencrypt.org (104.122.249.164) port 443 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
== Info: NSS error -5961 (PR_CONNECT_RESET_ERROR)
== Info: TCP connection reset by peer
== Info: Closing connection 0


#3

[Tue Nov 13 13:38:47 EET 2018] ret='35'
[Tue Nov 13 13:38:47 EET 2018] response
[Tue Nov 13 13:38:47 EET 2018] Can not init api.
[Tue Nov 13 13:38:47 EET 2018] Try new-authz for the 0 time.
[Tue Nov 13 13:38:47 EET 2018] _is_idn_d='www.wesain.fi'
[Tue Nov 13 13:38:47 EET 2018] _idn_temp
[Tue Nov 13 13:38:47 EET 2018] url
[Tue Nov 13 13:38:47 EET 2018] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "www.wesain.fi"}}'
[Tue Nov 13 13:38:47 EET 2018] RSA key
[Tue Nov 13 13:38:47 EET 2018] Get nonce. ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Nov 13 13:38:47 EET 2018] GET
[Tue Nov 13 13:38:47 EET 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Nov 13 13:38:47 EET 2018] timeout=
[Tue Nov 13 13:38:47 EET 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/cwp_certs/http.header --trace-ascii /tmp/tmp.yd9F8mv2Ea -g '
[Tue Nov 13 13:39:41 EET 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Tue Nov 13 13:39:41 EET 2018] Here is the curl dump log:
[Tue Nov 13 13:39:41 EET 2018] == Info: About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
== Info: Trying 104.122.249.164...
== Info: Connected to acme-v01.api.letsencrypt.org (104.122.249.164) port 443 (#0)
== Info: Initializing NSS with certpath: sql:/etc/pki/nssdb
== Info: CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
== Info: NSS error -5961 (PR_CONNECT_RESET_ERROR)
== Info: TCP connection reset by peer
== Info: Closing connection 0
[Tue Nov 13 13:39:41 EET 2018] ret='35'
[Tue Nov 13 13:39:41 EET 2018] Can not connect to https://acme-v01.api.letsencrypt.org/directory to get nonce.
[Tue Nov 13 13:39:41 EET 2018] Can not get domain new authz.
[Tue Nov 13 13:39:41 EET 2018] pid
[Tue Nov 13 13:39:41 EET 2018] No need to restore nginx, skip.
[Tue Nov 13 13:39:41 EET 2018] _clearupdns
[Tue Nov 13 13:39:41 EET 2018] skip dns.
[Tue Nov 13 13:39:41 EET 2018] _on_issue_err
[Tue Nov 13 13:39:41 EET 2018] Please add '--debug' or '--log' to check more details.
[Tue Nov 13 13:39:41 EET 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Tue Nov 13 13:39:41 EET 2018] _chk_vlist
[Tue Nov 13 13:39:41 EET 2018] socat doesn't exists.
[Tue Nov 13 13:39:41 EET 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2k-fips 26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:


#4

I also tried to connect to acme-v01.api.letsencrypt.org/directory with wget and curl, and neither worked with the following results:

curl https://acme-v01.api.letsencrypt.org/directory

curl: (35) TCP connection reset by peer

wget https://acme-v01.api.letsencrypt.org/directory

--2018-11-13 13:42:32--  https://acme-v01.api.letsencrypt.org/directory
Resolving acme-v01.api.letsencrypt.org (acme-v01.api.letsencrypt.org)... 104.122.249.164, 2a02:26f0:e2:188::3a8e, 2a02:26f0:e2:184::3a8e
Connecting to acme-v01.api.letsencrypt.org (acme-v01.api.letsencrypt.org)|104.122.249.164|:443... connected.
Unable to establish SSL connection.

Any help is appreciated.


#5

Hi @Solsku

you have an older cPanel certificate.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:false;domain:wesain.fi&lu=cert_search

If you have a cPanel, such tools like certbot or acme.sh may not work. Isn’t it possible to use cPanel to create a certificate?


#6

We are using CentOS Web Panel, and normally we use its built-in AutoSSL tool to get Let’s Encrypt certificates, which has worked before. I used acme.sh directly for debugging purposes.

Here’s a log entry from AutoSSL:
AutoSSL Issue Failed![Mon Nov 12 08:47:03 EET 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Mon Nov 12 08:47:03 EET 2018] Can not init api.
[Mon Nov 12 08:47:03 EET 2018] Single domain='wesain.fi'
[Mon Nov 12 08:47:03 EET 2018] Getting domain auth token for each domain
[Mon Nov 12 08:47:03 EET 2018] Getting webroot for domain='wesain.fi'
[Mon Nov 12 08:47:03 EET 2018] Getting new-authz for domain='wesain.fi'
[Mon Nov 12 08:47:58 EET 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Mon Nov 12 08:47:58 EET 2018] Can not init api.
[Mon Nov 12 08:48:53 EET 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Mon Nov 12 08:48:53 EET 2018] Can not connect to https://acme-v01.api.letsencrypt.org/directory to get nonce.
[Mon Nov 12 08:48:53 EET 2018] Can not get domain new authz.
[Mon Nov 12 08:48:53 EET 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log


#7

What curl version do you use? Plesk support says:

Cause

Outdated version of the cURL package.

Resolution

Update the cURL package to the latest version:


#8

curl --version

curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.34 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets


#9

Outdated and full of security holes:

https://curl.haxx.se/docs/vuln-7.29.0.html

curl version 7.29.0 was released on February 6 2013. The following 46 security problems are known to exist in this version.


#10

I updated curl to version 7.62, and updated its dependencies as well. The problem went away from another similar server of ours, but it still persists on the original server.

EDIT:
Never mind, the problem came back to the other server.


#11

Error code 35 says:

CURLE_SSL_CONNECT_ERROR (35)

A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.

So try a manual use of curl with the -v option. Looks like your server has a deprecated configuration.


#12

Hi,

Have you tried to update all server software from your system repo?

Also, please try to use curl -vvvv -I -L https://acme-v01.api.letsencrypt.org/directory and share the full output with us via an online text bin service (such as Pastebin.com)

Thank you


#13

Yes, we have updated everything.

curl -vvvv -I -L https://acme-v01.api.letsencrypt.org/directory

*   Trying 104.122.249.164...
* TCP_NODELAY set
* Connected to acme-v01.api.letsencrypt.org (104.122.249.164) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: none
  CApath: none
* loaded libnssckbi.so
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

#14

Tried using openssl with the command "openssl s_client -connect acme-v01.api.letsencrypt.org:443" and received "write:errno=104". The other server, which works (sometimes), didn’t receive it.


#15

If you have this 35 error, your settings are looking broken.

Try to load the SSL Labs client test

https://www.ssllabs.com/ssltest/viewMyClient.html

via your curl and save the output. There may be information about your protocol and your cipher suites.


#16

If I understood you correctly, I ran "curl https://www.ssllabs.com/ssltest/viewMyClient.html" from the command line. I then ran the same command on another CWP server, which has AutoSSL working. I saved both results in an .html file and compared them, and they were identical.

I also tested "curl --insecure https://acme-v01.api.letsencrypt.org/directory", still getting

* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

#17

Try either of these in /etc/hosts:

104.107.50.145     acme-v01.api.letsencrypt.org

or

104.99.241.117     acme-v01.api.letsencrypt.org

(not a reliable solution, but can pin the cause down/can be a workaround for 1 day)


#18

Thank you!

The first one connected successfully with curl, and AutoSSL started to work as well.

Any idea how to fix the issue in the long run? Both servers tried to connect to the same IP address with curl (104.122.249.164).


#19

I don’t, sorry. More or less every month there is a user or two who have problems with the specific Akamai servers that are closest to them, for whom that workaround helps.

However, in the years that this has been happening, I’ve never seen anybody able to pin it down, and debugging on both ends has been fruitless.

If it affects your entire network, perhaps you can get your NOC to look into it. If it only affects a single server, then I have no idea.
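The manual checks in this thread (openssl s_client in #14, curl -v in #13, the alternate edge IPs in #17) can be combined into one probe that tells an edge-specific reset apart from a broken local TLS setup. This is an added example, not code from any poster, CWP or acme.sh; it assumes a POSIX sh with getent, timeout and openssl available (all present on CentOS 7) and reuses the two override IPs from post #17 as extra candidates.

```shell
#!/bin/sh
# Added example (not from the thread): TLS-probe every IPv4 edge behind the
# ACME host, plus the two override IPs from post #17, and classify each
# outcome so an IP-specific reset can be told apart from a local TLS problem.
# Assumes getent, timeout and openssl exist (they do on CentOS 7).
HOST="acme-v01.api.letsencrypt.org"
EXTRA_IPS="104.107.50.145 104.99.241.117"   # override candidates from post #17

# Read handshake output (openssl s_client, curl -v or wget wording) on stdin
# and print one verdict: reset, tls-failure, ok or other. Reset patterns are
# checked first because s_client 1.0.2 prints its summary block even after a
# failed handshake ("Cipher is (NONE)", "Verify return code: 0 (ok)").
classify_tls_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'errno=104|PR_CONNECT_RESET_ERROR|reset by peer'; then
        echo reset
    elif printf '%s\n' "$out" | grep -Eq 'handshake failure|Unable to establish SSL'; then
        echo tls-failure
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9]|SSL connection using'; then
        echo ok            # a real cipher was negotiated, not "(NONE)"
    else
        echo other
    fi
}

# Resolve the host's IPv4 addresses and probe each one with SNI set, so the
# edge serves the same certificate it would for a normal request. 5 s each.
probe_edges() {
    ips=$(getent ahostsv4 "$HOST" | awk '{print $1}' | sort -u)
    for ip in $ips $EXTRA_IPS; do
        verdict=$(timeout 5 openssl s_client -connect "$ip:443" -servername "$HOST" \
                    </dev/null 2>&1 | classify_tls_output)
        printf '%-16s %s\n' "$ip" "$verdict"
    done
}

# Only probe the network when invoked as: sh probe_acme_edges.sh probe
case "${1:-}" in
    probe) probe_edges ;;
esac
```

A verdict of reset on one or two IPs while the rest report ok points at a specific edge, as in this thread; reset on every IP points at the local side (curl/NSS build, firewall or middlebox).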


#20

There were problems on multiple servers at one point, but all the others started to work on their own. For now it’s only been a single server with this issue (that we know of).