Certbot - HTTPSConnectionPool Client Timing Out when Trying to Reach Let's Encrypt

I guess your host is not responding on time?

certbot certonly --webroot -w /var/www/html/ --preferred-challenges http -d www.xxxx.xx

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.xxxx.xx
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

2017-09-11 14:45:28,844:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-cert:
2017-09-11 14:46:13,892:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.14.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 742, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 682, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 323, in obtain_certificate
    domains, csr, authzr=authzr)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 273, in obtain_certificate_from_csr
    authzr)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 313, in request_issuance
    headers={'Accept': content_type})
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 674, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 685, in _post_once
    response = self._send_request('POST', url, data=data, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 619, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 433, in send
    raise ReadTimeout(e, request=request)
ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

Does your server have internet access? Looks like it’s not able to send a request to Let’s Encrypt.

Yes it has.

(and this is for the 20 character limit??)

Good start, then are you able to ping/telnet/curl/s_client connect to acme-v01.api.letsencrypt.org on port 443?

Further to this:

Start a web browser, if you have a GUI, and browse to https://acme-v01.api.letsencrypt.org/directory. If your connectivity is OK, you should get something like below.

Then try wget https://acme-v01.api.letsencrypt.org/directory

Andrei
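
An added example, not part of any forum post and not Certbot code: the DNS, TCP, TLS and HTTP checks suggested above, run one stage at a time in Python so that a read timeout like the one in the log can be told apart from a failed lookup, a blocked port or a broken handshake. The function name `probe` and its stage labels are assumptions of this example; the host, path and 45-second timeout are the ones quoted in the thread.

```python
import socket
import ssl
import sys


def probe(host, port=443, path="/directory", timeout=45.0, use_tls=True):
    """Return (stage, detail) for the first failing stage, or ("ok", status line)."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)  # applies to connect, handshake and each read
    try:
        try:
            sock.connect(addr)
        except OSError as exc:  # refused, unreachable, or connect timeout
            return "tcp", str(exc)
        if use_tls:
            try:
                ctx = ssl.create_default_context()  # verifies chain and hostname
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except OSError as exc:  # ssl.SSLError and handshake timeouts
                return "tls", str(exc)
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        try:
            sock.sendall(request.encode("ascii"))
            first = sock.recv(4096)
        except socket.timeout:  # connected, but the peer never answered
            return "read", f"no response within {timeout}s"
        except OSError as exc:
            return "read", str(exc)
        if not first:
            return "read", "connection closed before any response"
        return "ok", first.split(b"\r\n", 1)[0].decode("latin-1")
    finally:
        sock.close()


if __name__ == "__main__":
    # Host and path are the ones quoted in the thread; pass another host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "acme-v01.api.letsencrypt.org"
    print(probe(target))
```

A `tcp` or `tls` result points at the local network path or an intercepting middlebox, while `read` means the connection was established and the response never arrived within the timeout.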

Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

Tue Sep 12 11:00:05 CEST 2017

Maybe check on your side what is going on? A few requests before this one, I had a timeout only on my side (I have to do a few because I need to wait for your request to use one of the whitelisted IP addresses here).

Neither I nor @jared.m work for Let’s Encrypt.

If you can confirm connectivity to Let’s Encrypt using the suggested tests, then we can ask one of the Let’s Encrypt ops guys to have a look to see if anything else is going on.

As it’s a small team it’s a bit rude not to do basic troubleshooting before asking people to investigate server side.

Andrei

Some helpful forum members have provided debugging steps for you to try. Please try those and report back. Also, please post your full domain name. Without that, we can't reasonably help you.

That's odd; right now our remote VAs are always coming from the same set of IP addresses, so this shouldn't be necessary. Also, as we've told you in another thread, whitelisting validation IPs is an explicitly unsupported configuration and is guaranteed to break.
