Certbot error when trying to generate a first certificate

Hello
I have some problems generating a first certificate on CentOS 7.
I already had problems installing certbot with yum, so I decided to install it with pip/python3.

When I run
sudo /usr/local/bin/certbot certonly --nginx -d sicpa-interop-recette.inra.fr
I get the following error message:
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

Here are the contents of my letsencrypt.log file:

2021-09-07 08:58:12,480:DEBUG:certbot._internal.main:certbot version: 1.18.0
2021-09-07 08:58:12,482:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2021-09-07 08:58:12,482:DEBUG:certbot._internal.main:Arguments: ['--manual', '-d', 'sicpa-interop-recette.inra.fr', '-v']
2021-09-07 08:58:12,483:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-09-07 08:58:12,499:DEBUG:certbot._internal.log:Root logging level set at 20
2021-09-07 08:58:12,500:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2021-09-07 08:58:12,506:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: Authenticator, Plugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7f1ca5812dd8>
Prep: True
2021-09-07 08:58:12,507:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7f1ca5812dd8> and installer None
2021-09-07 08:58:12,507:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
2021-09-07 08:58:20,106:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-09-07 08:58:20,114:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-09-07 08:58:20,418:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 421, in connect
    tls_in_tls=tls_in_tls,
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
    sock, context, tls_in_tls, server_hostname=server_hostname
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 756, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 532, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python3.6/site-packages/urllib3/packages/six.py", line 769, in reraise
    raise value.with_traceback(tb)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 706, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 421, in connect
    tls_in_tls=tls_in_tls,
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 450, in ssl_wrap_socket
    sock, context, tls_in_tls, server_hostname=server_hostname
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 776, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
urllib3.exceptions.ProtocolError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 1408, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 756, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/main.py", line 674, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 182, in register
    acme = acme_from_config_key(config, key)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 46, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 835, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1179, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1128, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 498, in send
    raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))
2021-09-07 08:58:20,425:ERROR:certbot._internal.log:An unexpected error occurred:
2021-09-07 08:58:20,426:ERROR:certbot._internal.log:requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

Could you tell me what I'm doing wrong here?

Thank you very much
Thierry

-----------------------------------------------------------

My domain is : sicpa-interop-recette.inra.fr

I ran this command : sudo /usr/local/bin/certbot certonly --nginx -d sicpa-interop-recette.inra.fr

It produced this output : requests.exceptions.ConnectionError: ('Connection aborted.', ConnectionResetError(104, 'Connection reset by peer'))

My web server is (include version) : nginx/1.20.1

The operating system my web server runs on is (include version) : CentOS Linux release 7.9.2009

I can login to a root shell on my machine (yes or no, or I don't know) : yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel) : no

The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot) : certbot 1.18.0

My python version : Python 3.6.8

What is the output of this command:

curl -v -m10 https://acme-v02.api.letsencrypt.org/directory

Additionally, what is the IP address of your server?


Hello _az, and thanks for your help.

$ curl -v -m10 https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

IP : 138.102.164.199

Note : The VM DNS has changed this afternoon to respect the internal nomenclature and is now : sicpa-interop-recette.cati.inrae.fr


@lestaff could we please get a check on 138.102.164.199 for an IP address block?


Can you access other sites from the server? Like

curl -v -m10 https://google.com

(Maybe even pick a few highly-unlikely-to-be-down servers.)


It doesn't look like we've been blocking this IP address.


@theirman one thing you could try is to temporarily lower the MTU on your network interface and try the curl command again.

If it makes a difference, you could consider making the change permanent. Otherwise, you can set it back to 1500.

The command will be something like:

sudo ifconfig eth0 mtu 1360

or

sudo ip link set dev eth0 mtu 1360

(substituting eth0 for whatever your main network interface is called).


@petercooperjr, I have the same result with google:

[theirman@sicpa-interop-recette ~]$ curl -v -m10 https://google.com
* About to connect() to google.com port 443 (#0)
*   Trying 142.250.179.78...
* Connected to google.com (142.250.179.78) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

@_az, after changing the MTU, nothing changed:

[theirman@sicpa-interop-recette ~]$ sudo ifconfig ens192 mtu 1360
[theirman@sicpa-interop-recette ~]$ curl -v -m10 https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

Additionally, I can connect to acme-v02.api.letsencrypt.org on ports 80 and 443 from sicpa-interop-recette:

[theirman@sicpa-interop-recette ~]$ telnet acme-v02.api.letsencrypt.org 80
Trying 172.65.32.248...
Connected to acme-v02.api.letsencrypt.org.
Escape character is '^]'.
Connection closed by foreign host.

[theirman@sicpa-interop-recette ~]$ telnet acme-v02.api.letsencrypt.org 443
Trying 172.65.32.248...
Connected to acme-v02.api.letsencrypt.org.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

I can also connect to sicpa-interop-recette from the internet on ports 80/443:

C:\Users\theirman
λ telnet sicpa-interop-recette.cati.inrae.fr 80
 HTTP/1.1 400 Bad Request
Server: nginx/1.20.1
Date: Wed, 08 Sep 2021 06:32:14 GMT
Content-Type: text/html
Content-Length: 157
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>

Connection to host lost.

C:\Users\theirman
λ telnet sicpa-interop-recette.cati.inrae.fr 443
 HTTP/1.1 400 Bad Request
Server: nginx/1.20.1
Date: Wed, 08 Sep 2021 06:34:37 GMT
Content-Type: text/html
Content-Length: 157
Connection: close
Strict-Transport-Security: max-age=31536000

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.20.1</center>
</body>
</html>

Connection to host lost.

Well, if you can't connect to servers on the Internet then that's your problem. I'm guessing you have some overly-aggressive firewall somewhere that thinks servers shouldn't be making web requests.


But that's your own domain name, right? The results of that test might be clouded by the fact your server just connects to "localhost" internally.

So please also try sites like google.com as suggested earlier.


As I said earlier, @Osiris:

[theirman@sicpa-interop-recette ~]$ curl -v -m10 https://google.com
* About to connect() to google.com port 443 (#0)
*   Trying 142.250.179.78...
* Connected to google.com (142.250.179.78) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5961 (PR_CONNECT_RESET_ERROR)
* TCP connection reset by peer
* Closing connection 0
curl: (35) TCP connection reset by peer

Ah, sorry, completely missed that one. Apologies.

Maybe it's a cURL or NSS issue. Maybe try a different package such as wget and see what happens?


Hello
Thank you all for your help, I managed to run certbot to generate my first certificate.

As @petercooperjr said, the problem was indeed a firewall problem: more precisely, my VM was placed by the IT department in a firewall zone that did not have the permissions to access the http and https protocols

Once again, thanks to all of you for your time and help
Thierry

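Added example, not part of this thread and not certbot's or Let's Encrypt's code: a small Python probe that automates the layered test the thread did by hand (curl, telnet, MTU change, try another site). It separates DNS, TCP connect and TLS handshake so that the pattern seen above ("Connected" in telnet, then `Connection reset by peer` in the handshake, identical for google.com) is reported as one finding instead of being read off several tool outputs. The hostnames in the `__main__` block are the two the thread tested; `start_reset_listener()` is a constructed local stand-in for the filtering firewall, used only so the probe can be exercised offline.

```python
"""Layered outbound-HTTPS probe: which layer kills the connection?"""
import socket
import ssl
import struct
import threading

EXPLANATION = {
    "outbound_https_ok": "all TLS handshakes completed; outbound HTTPS is not the problem",
    "tls_filtered_inline": "TCP connects but every TLS handshake is torn down: an inline "
                           "filter/firewall zone is blocking HTTPS, not the remote service "
                           "(a PMTU black hole would usually stall the handshake, not reset it)",
    "no_outbound_connectivity": "no TCP connection at all: routing, DNS or a L3/L4 firewall",
    "partial_filtering": "some destinations complete TLS, others are reset: destination-based "
                         "blocking, check those hosts specifically",
    "mixed": "inconsistent results, inspect the per-target verdicts",
}


def probe(host, port=443, timeout=5.0):
    """Return a verdict naming the first layer that failed (or 'tls_ok')."""
    try:
        family, _, _, _, sockaddr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns_failure"
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)              # layer 1: TCP three-way handshake
    except ConnectionRefusedError:
        sock.close()
        return "tcp_refused"
    except OSError:                         # timeout, no route, host unreachable
        sock.close()
        return "tcp_unreachable"
    ctx = ssl.create_default_context()      # system CA bundle, hostname checking on
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)  # layer 2: TLS handshake
        tls.close()
        return "tls_ok"
    except ConnectionResetError:            # RST during the handshake: the thread's symptom
        return "tcp_ok_tls_reset"
    except ssl.SSLEOFError:                 # clean FIN mid-handshake
        return "tcp_ok_tls_closed"
    except ssl.SSLError:                    # alert, bad cert, protocol mismatch
        return "tcp_ok_tls_error"
    except OSError:
        return "tcp_ok_tls_timeout"
    finally:
        sock.close()


def classify(results):
    """Collapse {target: verdict} into one finding code (see EXPLANATION)."""
    verdicts = set(results.values())
    if verdicts == {"tls_ok"}:
        return "outbound_https_ok"
    if verdicts and verdicts <= {"tcp_ok_tls_reset", "tcp_ok_tls_closed"}:
        return "tls_filtered_inline"
    if verdicts and verdicts <= {"tcp_refused", "tcp_unreachable", "dns_failure"}:
        return "no_outbound_connectivity"
    if "tls_ok" in verdicts and "tcp_ok_tls_reset" in verdicts:
        return "partial_filtering"
    return "mixed"


def start_reset_listener():
    """Constructed stand-in for the resetting middlebox (test helper, not a real service):
    accept TCP, wait for the start of the ClientHello, then close with SO_LINGER=0 so the
    kernel sends RST instead of FIN. Returns the local port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.recv(1)  # client is now blocked waiting for ServerHello
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            conn.close()  # RST, not FIN -> client sees ECONNRESET

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A local port with nothing listening, for the 'tcp_refused' case (test helper)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    targets = ["acme-v02.api.letsencrypt.org", "google.com"]  # the hosts the thread tried
    results = {t: probe(t) for t in targets}
    for target, verdict in results.items():
        print(f"{target:40s} {verdict}")
    print(EXPLANATION[classify(results)])
```

Run it on the affected server before and after a change (MTU, firewall zone) and compare the finding codes; `tls_filtered_inline` across unrelated destinations is the result that points at the network path rather than at Let's Encrypt or the client software, which is what the thread eventually concluded.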
