Certbot says SSLError ? unsure why this error

When attempting to renew certs I am getting this error:

2019-03-18 07:54:15,848:WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, ‘[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:841)’),)). Skipping.

Any comments to what the cause may be? I have only tried once today, so unsure what the Max retries would be about.

A second domain also failed at the same time:

2019-03-18 07:54:16,162:WARNING:certbot.renewal:Attempting to renew cert (host.domain2.com) from /etc/letsencrypt/renewal/host.domain2.com.conf produced an unexpected error: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, ‘[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:841)’),)). Skipping.

What happens if you try to run “curl -v https://acme-v02.api.letsencrypt.org/directory” in a terminal?

Hmm, curl not installed …

Let me install it and see.

Ugh … resolver isn’t working properly so cannot install curl.

Time to call the paid sysadmin.

Any different check ??? I have acme-v02.api.letsencrypt.org in /etc/hosts which has always allowed me to renew in the past with a resolver issue.

It sounds like you have a different networking issue, or Akamai changed the IPs and the old ones in /etc/hosts no longer work.

Try getting new IP(s) with fresh DNS queries – using a different resolver or whatever – and updating /etc/hosts.

(Why is the resolver unreliable!?)

Yep doing that now …

Not sure why the resolver is unreliable - thought it was fixed once already.

Hmm Ubuntu’s repositories are giving me a not found error on the files … sigh. This is odd.

Ok makes sense now why I cannot install curl … how inconvenient.

E: Release file for http://security.ubuntu.com/ubuntu/dists/bionic-security/InRelease is not valid yet (invalid for another 2h 39min 27s). Updates for this repository will not be applied.
E: Release file for http://archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease is not valid yet (invalid for another 6h 24min 53s). Updates for this repository will not be applied.
E: Release file for http://archive.ubuntu.com/ubuntu/dists/bionic-backports/InRelease is not valid yet (invalid for another 2h 40min 27s). Updates for this repository will not be applied.

@mnordhoff I also noticed in the letsencrypt log that the version of LE is 0.26.1

2019-03-18 07:54:15,498:DEBUG:certbot.main:certbot version: 0.26.1

Is that version current or should I force an update somehow? and how would I force the update?

Is the clock slow? Do date and date -u show the correct time?

It's not current, but it's not ancient.

If you're using the Certbot PPA, newer versions have been available for the last couple months. You should apt update and apt upgrade.

root@dick:/var/log/letsencrypt# curl -v https://acme-v02.api.letsencrypt.org/directory

• Trying 2.21.55.155…
• TCP_NODELAY set
• Connected to acme-v02.api.letsencrypt.org (2.21.55.155) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
• TLSv1.2 (OUT), TLS handshake, Client hello (1):
• TLSv1.2 (IN), TLS alert, Server hello (2):
• error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
• stopped the pause stream!
• Closing connection 0
  curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

I also updated certbot … still same error though.

Is that a current IP?

(Or, better, fixing the DNS resolution issue.)

Yep … it was the IP … sheeshz.

Thank you SO VERY MUCH @mnordhoff
You and your colleagues absolutely rock!!!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.