Can't renew anymore - Debian 9.13 (stretch)

In a quite old installation (Debian 9.13) that was previously working, I now have this problem: I can't renew certs anymore.

certbot --apache renew fails with:

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Attempting to renew cert (www.coospral.com.ar) from /etc/letsencrypt/renewal/www.coospral.com.ar.conf produced an unexpected error: ("bad handshake: SysCallError(104, 'ECONNRESET')",). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www.coospral.com.ar-0001/fullchain.pem (failure)
/etc/letsencrypt/live/www.coospral.com.ar/fullchain.pem (failure)

Our domain is: www.coospral.com.ar

If I try:
curl --ipv4 -vvv https://acme-v02.api.letsencrypt.org/directory

I get:

TCP_NODELAY set
Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
TLSv1.2 (OUT), TLS header, Certificate Status (22):
[5 bytes data]
TLSv1.2 (OUT), TLS handshake, Client hello (1):
[512 bytes data]
Unknown SSL protocol error in connection to acme-v02.api.letsencrypt.org:443
Curl_http_done: called premature == 1
stopped the pause stream!

Thanks in advance

Javier


Hi @jkohan, and welcome to the LE community forum :slight_smile:

Please show the output of:
traceroute -T -p 443 acme-v02.api.letsencrypt.org


traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 2-92-233-170.static.coospral.com.ar (170.233.92.2) 0.422 ms 0.623 ms 0.393 ms
2 29.64.209.181.in-addr.arpa (181.209.64.29) 3.966 ms 4.193 ms 4.039 ms
3 8-243-19-26.gblx.net.ar (8.243.19.26) 10.785 ms 10.908 ms 10.880 ms
4 8-243-19-25.gblx.net.ar (8.243.19.25) 12.854 ms 12.846 ms 12.788 ms
5 * * *
6 4.15.156.82 (4.15.156.82) 129.905 ms 130.619 ms 130.290 ms
7 172.70.52.2 (172.70.52.2) 142.118 ms 172.70.80.2 (172.70.80.2) 134.601 ms 172.70.52.2 (172.70.52.2) 142.051 ms
8 172.65.32.248 (172.65.32.248) 133.322 ms 128.979 ms 134.173 ms

That looks good.

Please show:
certbot certificates
certbot -v renew
cat /var/log/letsencrypt/letsencrypt.log


Two things to notice:
1. I have another cert we do not use anymore because services were moved to another server (I should delete it, but not for now, in case you need to test something with it).
2. Don't know why, but the remaining cert (the one we need renewed) is set to be renewed in manual mode.

So I did what you requested, changing it where appropriate.

a) certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
OCSP check failed for /etc/letsencrypt/live/www.coospral.com.ar/cert.pem (are we offline?)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.coospral.com.ar-0001
    Domains: www.coospral.com.ar coospral.com.ar
    Expiry Date: 2023-07-16 07:37:02+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/www.coospral.com.ar-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.coospral.com.ar-0001/privkey.pem
  Certificate Name: www.coospral.com.ar
    Domains: www.coospral.com.ar admin.coospral.com.ar pop.coospral.com.ar smtp.coospral.com.ar
    Expiry Date: 2019-05-08 23:24:27+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/www.coospral.com.ar/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.coospral.com.ar/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The second cert is the one we don't use anymore.

b) Instead of "certbot -v renew" I executed "certbot -v --apache renew --cert-name www.coospral.com.ar-0001", which yields:

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.coospral.com.ar-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator apache and installer apache
Var authenticator=apache (set by user).
Var installer=apache (set by user).
Should renew, less than 30 days before certificate expiry 2023-07-16 07:37:02 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator apache and installer apache
Apache version is 2.4.25
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f47f2b70cf8>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f47f2b70cf8>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f47f2b70cf8> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f47f2b70cf8>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(body=Registration(terms_of_service_agreed=None, agreement=None, status=None, contact=(), only_return_existing=None, key=None), new_authzr_uri=None, terms_of_service=None, uri='https://acme-v02.api.letsencrypt.org/acme/acct/51068398'), 0c68964eaa7ac13adef6380395509740, Meta(creation_dt=datetime.datetime(2019, 2, 7, 19, 57, 15, tzinfo=<UTC>), creation_host='web.coospral.com.ar'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (www.coospral.com.ar-0001) from /etc/letsencrypt/renewal/www.coospral.com.ar-0001.conf produced an unexpected error: ("bad handshake: SysCallError(104, 'ECONNRESET')",). Skipping.
Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1166, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 337, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 327, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1166, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 611, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 248, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 825, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1154, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1103, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.coospral.com.ar-0001/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.coospral.com.ar-0001/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 468, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)

c) (truncated letsencrypt.log prior to doing these tests)

2023-07-17 14:06:42,124:DEBUG:certbot.main:certbot version: 0.28.0
2023-07-17 14:06:42,125:DEBUG:certbot.main:Arguments: []
2023-07-17 14:06:42,126:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-07-17 14:06:42,138:DEBUG:certbot.log:Root logging level set at 20
2023-07-17 14:06:42,139:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-07-17 14:06:42,161:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/www.coospral.com.ar-0001/cert.pem
2023-07-17 14:06:42,162:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/www.coospral.com.ar-0001/chain.pem -cert /etc/letsencrypt/live/www.coospral.com.ar-0001/cert.pem -url http://r3.o.lencr.org -CAfile /etc/letsencrypt/live/www.coospral.com.ar-0001/chain.pem -verify_other /etc/letsencrypt/live/www.coospral.com.ar-0001/chain.pem -trust_other -header Host=r3.o.lencr.org
2023-07-17 14:06:42,224:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/live/www.coospral.com.ar/cert.pem
2023-07-17 14:06:42,225:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -cert /etc/letsencrypt/live/www.coospral.com.ar/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -verify_other /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -trust_other -header Host=ocsp.int-x3.letsencrypt.org
2023-07-17 14:06:42,262:DEBUG:certbot.ocsp:Error while running openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -cert /etc/letsencrypt/live/www.coospral.com.ar/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -verify_other /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -trust_other -header Host=ocsp.int-x3.letsencrypt.org.

Error connecting BIO
Error querying OCSP responder
139638873165888:error:20087002:BIO routines:BIO_lookup:system lib:../crypto/bio/b_addr.c:694:Name or service not known

2023-07-17 14:06:42,262:INFO:certbot.ocsp:OCSP check failed for /etc/letsencrypt/live/www.coospral.com.ar/cert.pem (are we offline?)
2023-07-17 14:07:16,142:DEBUG:certbot.main:certbot version: 0.28.0
2023-07-17 14:07:16,143:DEBUG:certbot.main:Arguments: ['-v', '--apache', '--cert-name', 'www.coospral.com.ar-0001']
2023-07-17 14:07:16,144:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-07-17 14:07:16,156:DEBUG:certbot.log:Root logging level set at 10
2023-07-17 14:07:16,158:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2023-07-17 14:07:16,169:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2023-07-17 14:07:16,169:DEBUG:certbot.cli:Var authenticator=apache (set by user).
2023-07-17 14:07:16,169:DEBUG:certbot.cli:Var installer=apache (set by user).
2023-07-17 14:07:16,180:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2023-07-16 07:37:02 UTC.
2023-07-17 14:07:16,180:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2023-07-17 14:07:16,180:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2023-07-17 14:07:16,313:DEBUG:certbot_apache.configurator:Apache version is 2.4.25
2023-07-17 14:07:17,103:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f54fa47f4a8>
Prep: True
2023-07-17 14:07:17,110:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f54fa47f4a8>
Prep: True
2023-07-17 14:07:17,110:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f54fa47f4a8> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f54fa47f4a8>
2023-07-17 14:07:17,111:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2023-07-17 14:07:17,115:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(only_return_existing=None, terms_of_service_agreed=None, key=None, status=None, contact=(), agreement=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/51068398', new_authzr_uri=None, terms_of_service=None), 0c68964eaa7ac13adef6380395509740, Meta(creation_dt=datetime.datetime(2019, 2, 7, 19, 57, 15, tzinfo=<UTC>), creation_host='web.coospral.com.ar'))>
2023-07-17 14:07:17,118:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-07-17 14:07:17,126:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2023-07-17 14:07:17,297:WARNING:certbot.renewal:Attempting to renew cert (www.coospral.com.ar-0001) from /etc/letsencrypt/renewal/www.coospral.com.ar-0001.conf produced an unexpected error: ("bad handshake: SysCallError(104, 'ECONNRESET')",). Skipping.
2023-07-17 14:07:17,301:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1166, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 337, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 327, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1166, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 611, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 248, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 825, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1154, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1103, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

2023-07-17 14:07:17,307:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2023-07-17 14:07:17,308:ERROR:certbot.renewal:  /etc/letsencrypt/live/www.coospral.com.ar-0001/fullchain.pem (failure)
2023-07-17 14:07:17,308:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 468, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

The first cert overlaps the name in the second cert.
You should delete the second cert:
certbot delete --cert-name www.coospral.com.ar
[be sure it is not in use anywhere first]

That output may not be as helpful as the output of:
certbot -v renew
That said, I can see some troubles:
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

Error querying OCSP responder
139638873165888:error:20087002:BIO routines:BIO_lookup:system lib:../crypto/bio/b_addr.c:694:Name or service not known

Please show:
certbot --version

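Picking those two root causes out by eye works for one log, but the renewal traceback above wraps the same ECONNRESET four layers deep and the OCSP error arrives as captured openssl stderr. The following is an added example written for this page (not certbot's code and not from anyone in the thread): it groups a letsencrypt.log into entries, attaches tracebacks and captured stderr to the entry that emitted them, takes the innermost exception of each chain as the root cause, and classifies it. SAMPLE_LOG is constructed from the certbot 0.28.0 log lines quoted in the thread; the www.coospral.com.ar (manual plugin) entries and every timestamp after 14:07:17 are made up to mirror the failure shown in a later post, and the RULES table is an assumption about what each message usually means, not anything certbot itself reports.

```python
"""Triage a certbot letsencrypt.log: one finding per failed renewal or OCSP check.

Added example for this thread, not certbot's own code.  SAMPLE_LOG is built from
the certbot 0.28.0 log lines quoted in the thread; the www.coospral.com.ar
(manual plugin) entries and every timestamp after 14:07:17 are constructed.
"""
import re

SAMPLE_LOG = """\
2023-07-17 14:06:42,262:DEBUG:certbot.ocsp:Error while running openssl ocsp -no_nonce -issuer /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -cert /etc/letsencrypt/live/www.coospral.com.ar/cert.pem -url http://ocsp.int-x3.letsencrypt.org -CAfile /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -verify_other /etc/letsencrypt/live/www.coospral.com.ar/chain.pem -trust_other -header Host=ocsp.int-x3.letsencrypt.org.
Error connecting BIO
Error querying OCSP responder
139638873165888:error:20087002:BIO routines:BIO_lookup:system lib:../crypto/bio/b_addr.c:694:Name or service not known
2023-07-17 14:07:17,297:WARNING:certbot.renewal:Attempting to renew cert (www.coospral.com.ar-0001) from /etc/letsencrypt/renewal/www.coospral.com.ar-0001.conf produced an unexpected error: ("bad handshake: SysCallError(104, 'ECONNRESET')",). Skipping.
2023-07-17 14:07:17,301:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1166, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)
2023-07-17 14:07:18,010:WARNING:certbot.renewal:Attempting to renew cert (www.coospral.com.ar) from /etc/letsencrypt/renewal/www.coospral.com.ar.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
2023-07-17 14:07:18,011:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
"""

# "2023-07-17 14:07:17,297:WARNING:certbot.renewal:<message>"
ENTRY_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}):(?P<level>[A-Z]+):"
                      r"(?P<logger>[\w.]+):(?P<msg>.*)$")
# Last line of a Python traceback: "pkg.mod.SomeError: message"
EXC_RE = re.compile(r"^[\w.]*(?:Error|Exception): ")
# OpenSSL error-queue line: pid:error:code:lib:func:reason:file:line:detail
OSSL_RE = re.compile(r"^\d+:error:[0-9A-Fa-f]+:[^:]+:[^:]+:(?P<reason>[^:]+):[^:]+:\d+:(?P<detail>.*)$")
RENEW_RE = re.compile(r"^Attempting to renew cert \(([^)]+)\)")

RULES = [  # (needle, category, what to look at next); assumptions, not certbot's wording
    ("ECONNRESET", "transport", "peer reset the connection during the TLS handshake: check this host's TLS/cipher support and any middlebox on the path"),
    ("Name or service not known", "dns", "name lookup failed: check the resolver configuration and outbound DNS"),
    ("--manual-auth-hook", "config", "renewal config uses the manual authenticator without a hook: re-issue with a non-interactive authenticator"),
]


def parse_entries(text):
    """Group lines into entries; lines without a timestamp prefix (tracebacks,
    captured openssl stderr, wrapped messages) belong to the preceding entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(dict(m.groupdict(), body=[]))
        elif entries:
            entries[-1]["body"].append(line)
    return entries


def root_cause(lines):
    """Python prints the original exception first and each 'During handling ...'
    wrapper after it, so the first exception line is the one that really failed."""
    return next((line for line in lines if EXC_RE.match(line)), None)


def classify(context):
    for needle, category, advice in RULES:
        if needle in context:
            return category, advice
    return "unknown", "read the full traceback"


def triage(text):
    entries = parse_entries(text)
    findings = []
    for i, e in enumerate(entries):
        context, cause = [e["msg"]] + e["body"], None
        m = RENEW_RE.match(e["msg"])
        if m:
            subject = m.group(1)
            nxt = entries[i + 1] if i + 1 < len(entries) else None
            if nxt and nxt["msg"].startswith("Traceback was:"):  # traceback is its own entry
                context += nxt["body"]
                cause = root_cause(nxt["body"])
        elif e["logger"] == "certbot.ocsp" and e["msg"].startswith("Error while running"):
            cm = re.search(r"-cert (\S+)", e["msg"])
            subject = cm.group(1) if cm else "OCSP check"
            hits = [OSSL_RE.match(line) for line in e["body"]]
            cause = next((h["detail"] or h["reason"] for h in hits if h), None)
        else:
            continue
        category, advice = classify("\n".join(context))
        findings.append({"time": e["ts"], "subject": subject, "cause": cause or e["msg"],
                         "category": category, "advice": advice})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} [{f['category']}] {f['subject']}: {f['cause']}\n    -> {f['advice']}")
```

The innermost-first rule is the point: the outermost exception (requests.exceptions.SSLError) reads the same for a reset, a certificate failure and a timeout, while the innermost one (OpenSSL.SSL.SysCallError with errno 104) is what tells them apart. To run it on a real log, replace SAMPLE_LOG with the contents of /var/log/letsencrypt/letsencrypt.log.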

certbot 0.28.0

certbot -v renew

Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.coospral.com.ar-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator <certbot.cli._Default object at 0x7f77e2675a20> and installer <certbot.cli._Default object at 0x7f77e2675a20>
Should renew, less than 30 days before certificate expiry 2023-07-16 07:37:02 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator apache and installer apache
Apache version is 2.4.25
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f77e2672780>
Prep: True
Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7f77e2672780>
Prep: True
Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7f77e2672780> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7f77e2672780>
Plugins selected: Authenticator apache, Installer apache
Picked account: <Account(RegistrationResource(terms_of_service=None, body=Registration(only_return_existing=None, contact=(), terms_of_service_agreed=None, status=None, agreement=None, key=None), new_authzr_uri=None, uri='https://acme-v02.api.letsencrypt.org/acme/acct/51068398'), 0c68964eaa7ac13adef6380395509740, Meta(creation_host='web.coospral.com.ar', creation_dt=datetime.datetime(2019, 2, 7, 19, 57, 15, tzinfo=<UTC>)))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (www.coospral.com.ar-0001) from /etc/letsencrypt/renewal/www.coospral.com.ar-0001.conf produced an unexpected error: ("bad handshake: SysCallError(104, 'ECONNRESET')",). Skipping.
Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1166, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 337, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 327, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1166, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 611, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 248, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 825, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1154, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1103, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.coospral.com.ar.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Should renew, less than 30 days before certificate expiry 2019-05-08 23:24:27 UTC.
Cert is due for renewal, auto-renewing...
Requested authenticator manual and installer None
Other error:(PluginEntryPoint#manual): An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/disco.py", line 132, in prepare
    self._initialized.prepare()
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 133, in prepare
    self.option_name('auth-hook')))
certbot.errors.PluginError: An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.
No candidate plugin
Selected authenticator None and installer None
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (www.coospral.com.ar) from /etc/letsencrypt/renewal/www.coospral.com.ar.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.
Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 443, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1162, in renew_cert
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 237, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.coospral.com.ar-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/www.coospral.com.ar/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.coospral.com.ar-0001/fullchain.pem (failure)
  /etc/letsencrypt/live/www.coospral.com.ar/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1247, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 468, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)
2 renew failure(s), 0 parse failure(s)

Did you see the "curl --ipv4 -vvv https://acme-v02.api.letsencrypt.org/directory" output in the first message? Wasn't it of any help? I guessed the problem had something to do with TLS or a cipher that has lost support.

That is extremely old.
You should upgrade it.
See: Certbot (eff.org)


Can you use curl to access other sites? (Google, Amazon, Wikipedia, or some other popular site where it's pretty likely that they're not the one with the problem)


It seems that during the last renewal the authentication was done manually.
Do you recall the last renewal?
Do you recall why you did it manually?


Yup Google has no issue, for example.

How about curl to these?

  • https://helloworld.letsencrypt.org/
  • https://valid-isrgrootx1.letsencrypt.org/
  • https://acme-staging-v02.api.letsencrypt.org/directory

(Not that I'm sure what to do with that information one way or the other, but it seems like it might be useful.)


That was another guy who no longer works with us, so I don't have any idea.

About the certbot version, that was the one installed with Debian 9 (I think it was installed directly from the Debian repositories). Now, after you told me to upgrade, I can see the certbot instructions say to install snap. I'll try that.
Question: Can I uninstall only the executables, install the snap version and expect the new certbot to take over the old configuration, so I don't need to "clean" LE and Apache's "sites-enabled/*le-ssl.conf" files?
Thank you very much for your help.
Javier


Yes, if you uninstall the version you have, and install a newer version, it should be able to pick up where the older one left off. Just don't have more than one version of certbot installed at once, as that can get it confused pretty good.

If snap doesn't work for you, you might try the pip instructions instead; sometimes (I think often) that's easier to install.

But upgrading certbot, as good idea as it is, really won't help you if your problem is connectivity to Let's Encrypt's servers.


Works.
I'll go ahead with the upgrade and let you all know how it goes.
Thanks


Please give us the output of this SSL command. I suspect this may be caused by an old openssl library.

openssl ciphers -V \
'ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH'

and

openssl version
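What to look for in that output, as an added example (written for this page; not from the thread, OpenSSL or certbot): a parser for the `openssl ciphers -V` and `openssl version` formats that reports whether the library can offer TLS 1.3 (OpenSSL 1.1.1 and later) and which forward-secret AEAD suites (ECDHE key exchange with an AEAD cipher) it has for TLS 1.2, which is what a modern HTTPS endpoint negotiates. The sample outputs are constructed for a hypothetical host running OpenSSL 1.1.0 and are not the poster's.

```python
"""Read `openssl version` and `openssl ciphers -V` output and summarise what the
library can offer a modern TLS endpoint.  Added example for this thread; the
sample outputs below are constructed for a hypothetical host."""
import re

SAMPLE_VERSION = "OpenSSL 1.1.0l  10 Sep 2019"          # constructed
SAMPLE_CIPHERS = """\
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xCC,0xA8 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x3D - AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
          0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""

VERSION_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)")
# One `ciphers -V` row: "0xC0,0x30 - NAME PROTO Kx=.. Au=.. Enc=.. Mac=.."
CIPHER_RE = re.compile(
    r"^\s*0x[0-9A-F]{2},0x[0-9A-F]{2} - (?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")


def parse_version(text):
    """'OpenSSL 1.1.0l  10 Sep 2019' -> (1, 1, 0); the patch letter is ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("not an 'openssl version' line: %r" % text)
    return tuple(int(x) for x in m.groups())


def parse_ciphers(text):
    """Return one dict per suite row; lines that are not rows are skipped."""
    return [m.groupdict() for m in map(CIPHER_RE.match, text.splitlines()) if m]


def assess(version_text, ciphers_text):
    version = parse_version(version_text)
    suites = parse_ciphers(ciphers_text)
    # Forward-secret AEAD suites: ECDHE key exchange (shown as Kx=ECDH) with Mac=AEAD.
    modern = [s["name"] for s in suites if s["kx"] == "ECDH" and s["mac"] == "AEAD"]
    return {
        "version": version,
        "tls13_capable": version >= (1, 1, 1),   # TLS 1.3 arrived in OpenSSL 1.1.1
        "tls12_suites": sum(1 for s in suites if s["proto"] == "TLSv1.2"),
        "modern_suites": modern,
        "verdict": "ok" if modern else "no forward-secret AEAD suites: upgrade OpenSSL",
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_VERSION, SAMPLE_CIPHERS).items():
        print(f"{key}: {value}")
```

If the report shows ECDHE AEAD suites for TLS 1.2 and the handshake is still reset right after the Client Hello, as in the curl trace at the top of the thread, the library is not the first suspect and the path to the server is.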
