Unable to interact with certbot, can any expert help me!!!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot._internal.log:ValueError: check_hostname requires server_hostname

What command did you run?

2 Likes

certbot certonly --manual --preferred-challenges http -d cbi.dev-rs.cicc.com

What shows?:
certbot --version

2 Likes

You may need to uninstall and then reinstall certbot.
See:
Certbot (eff.org)

2 Likes

certbot 1.21.0
The version shown is the one above; is that one OK?

I'd like to ask whether it is not possible to access it through a proxy?

Could you please show the entire log file?

3 Likes

Yes, version 1.21.0 should work.

I agree with @Osiris, you have not shown enough of the log file for us to understand what is happening and why.

2 Likes

This error message comes from the requests library which Certbot is using to make its outbound connection to the Let's Encrypt API.

It apparently relates to the case where an HTTP proxy is being used for outgoing connections, and urllib (the underlying HTTP implementation library that requests uses) is confused about the format or content of an environment variable that specifies which proxy to use, or else is confused about whether the proxy itself speaks HTTP or HTTPS.

I haven't ever encountered this before so I'm not sure of the exact solution, but I would say (1) check that the OS and all libraries are the most recent version, (2) check whether you need to use an outbound proxy at all, (3) check whether your proxy settings are correct (including whether they specify a proxy for both HTTP and HTTPS connections).

Sorry that I don't know a more specific solution, but this is at least the area that the error is coming from.

3 Likes

2023-03-16 17:34:34,249:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-16 17:34:34,249:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-16 17:34:34,249:DEBUG:certbot._internal.main:Arguments: ['--manual', '--preferred-challenges', 'http', '-d', 'cbi.dev-rs.cicc.com']
2023-03-16 17:34:34,249:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-16 17:34:34,258:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-16 17:34:34,259:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2023-03-16 17:34:34,259:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: Authenticator, Plugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7f180015f850>
Prep: True
2023-03-16 17:34:34,259:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7f180015f850> and installer None
2023-03-16 17:34:34,259:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
2023-03-16 17:34:37,853:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-03-16 17:34:37,871:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-03-16 17:34:37,928:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1416, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 763, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 680, in _determine_account
    acc, acme = client.register(
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 184, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 48, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 875, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1236, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1174, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 966, in _prepare_proxy
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 359, in connect
    conn = self._connect_tls_proxy(hostname, conn)
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 500, in _connect_tls_proxy
    return ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1028, in _create
    raise ValueError("check_hostname requires server_hostname")
ValueError: check_hostname requires server_hostname
2023-03-16 17:34:37,930:ERROR:certbot._internal.log:An unexpected error occurred:
2023-03-16 17:34:37,930:ERROR:certbot._internal.log:ValueError: check_hostname requires server_hostname
2023-03-16 18:37:09,920:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-16 18:37:09,920:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-16 18:37:09,920:DEBUG:certbot._internal.main:Arguments: ['--manual', '--preferred-challenges', 'http', '-d', 'cbi.dev-rs.cicc.com']
2023-03-16 18:37:09,920:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-16 18:37:09,927:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-16 18:37:09,928:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2023-03-16 18:37:09,928:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: Authenticator, Plugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7f95734db850>
Prep: True
2023-03-16 18:37:09,928:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7f95734db850> and installer None
2023-03-16 18:37:09,928:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
2023-03-16 18:37:14,985:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-03-16 18:37:15,006:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-03-16 18:37:15,062:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1416, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 763, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 680, in _determine_account
    acc, acme = client.register(
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 184, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 48, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 875, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1236, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1174, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 966, in _prepare_proxy
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 359, in connect
    conn = self._connect_tls_proxy(hostname, conn)
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 500, in _connect_tls_proxy
    return ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1028, in _create
    raise ValueError("check_hostname requires server_hostname")
ValueError: check_hostname requires server_hostname
2023-03-16 18:37:15,064:ERROR:certbot._internal.log:An unexpected error occurred:
2023-03-16 18:37:15,064:ERROR:certbot._internal.log:ValueError: check_hostname requires server_hostname
2023-03-16 18:39:07,643:DEBUG:certbot._internal.main:certbot version: 1.21.0
2023-03-16 18:39:07,643:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-03-16 18:39:07,643:DEBUG:certbot._internal.main:Arguments: ['--manual', '--preferred-challenges', 'http', '-d', 'cbi.dev-rs.cicc.com']
2023-03-16 18:39:07,643:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-03-16 18:39:07,651:DEBUG:certbot._internal.log:Root logging level set at 30
2023-03-16 18:39:07,651:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2023-03-16 18:39:07,651:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: Authenticator, Plugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7fc22f8ff850>
Prep: True
2023-03-16 18:39:07,652:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7fc22f8ff850> and installer None
2023-03-16 18:39:07,652:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
2023-03-16 18:39:14,821:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-03-16 18:39:14,840:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-03-16 18:39:14,895:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.21.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1574, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1416, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 763, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 680, in _determine_account
    acc, acme = client.register(
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 184, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 48, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 875, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1236, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1174, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 966, in _prepare_proxy
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 359, in connect
    conn = self._connect_tls_proxy(hostname, conn)
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 500, in _connect_tls_proxy
    return ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1028, in _create
    raise ValueError("check_hostname requires server_hostname")
ValueError: check_hostname requires server_hostname
2023-03-16 18:39:14,897:ERROR:certbot._internal.log:An unexpected error occurred:
2023-03-16 18:39:14,898:ERROR:certbot._internal.log:ValueError: check_hostname requires server_hostname

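What I provided above is the complete log.

One question I'd like to ask: can I access certbot through a proxy and interact with it that way?
Or does certbot refuse every connection that comes through a proxy?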

What shows?:
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

2 Likes

Yes, you can use a proxy to connect to the Let's Encrypt API. I think your proxy configuration (with an environment variable?) might not be detected properly by Certbot currently.

This is not a very well-tested or well-documented situation because not very many people use HTTP proxies to connect to the API. I have personally never tried it, so I don't even remember what the syntax should be (!). Sorry about that!

The Let's Encrypt servers will need to be able to connect directly to your web server in order to verify the challenges.

The certificate request process includes both outbound connections (to the API to request the certificate) and inbound connections (from Let's Encrypt servers to verify the challenge files). (These connections do not use the same IP addresses, as they are using totally different parts of the Let's Encrypt infrastructure.)

One thing that some related forum posts (not on this forum but on forums about the Python libraries that Certbot is using) mention is that there could be an error in the proxy configuration related to the protocol that is used between your server and the proxy (HTTP vs. HTTPS). Apparently that protocol needs to be specified, and needs to be specified correctly, in the proxy configuration environment variable or proxy configuration file.

Sorry that I don't remember more suggestions. If you can't figure it out but you agree that this could be the problem, we can also get a current Certbot developer to give some advice about the proxy configuration.

3 Likes
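
The proxy checks suggested in the replies above (is a proxy defined for HTTPS as well as HTTP, and does its URL name the right protocol) can be run as a small audit of the environment. This is an added example, not code from the thread or from Certbot; the function names and sample proxy addresses are hypothetical, and the lookup order is a simplified model of how requests reads these variables.

```python
import ipaddress
from urllib.parse import urlsplit

ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"  # URL from the log


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def pick_proxy(env, scheme):
    """Proxy variable that applies to `scheme`: lower-case name first, then all_proxy."""
    for name in (f"{scheme}_proxy", "all_proxy"):
        for key in (name, name.upper()):
            if env.get(key):
                return key, env[key]
    return None, None


def audit_proxy_env(env, target=ACME_DIRECTORY):
    """Return (code, message) findings for reaching `target` with the settings in `env`."""
    t = urlsplit(target)
    no_proxy = env.get("no_proxy") or env.get("NO_PROXY") or ""
    for entry in (e.strip().lstrip(".") for e in no_proxy.split(",")):
        if entry and (t.hostname == entry or t.hostname.endswith("." + entry)):
            return [("BYPASSED", f"no_proxy entry '{entry}' matches {t.hostname}: "
                     "the client connects directly and needs its own DNS and egress")]
    var, value = pick_proxy(env, t.scheme)
    if var is None:
        return [("NO_PROXY_FOR_SCHEME", f"no {t.scheme}_proxy or all_proxy is set: "
                 f"{t.scheme} requests go direct even if another scheme has a proxy")]
    findings = []
    p = urlsplit(value if "://" in value else "//" + value)
    if not p.scheme:
        findings.append(("MISSING_SCHEME", f"{var}={value} names no protocol; "
                         "write http:// or https:// explicitly"))
    elif p.scheme == "https":
        # urllib3 opens TLS to the proxy itself for this scheme; that is the
        # _connect_tls_proxy frame in the traceback. A proxy that listens in
        # plain HTTP needs an http:// URL even when the target is HTTPS.
        findings.append(("TLS_TO_PROXY", f"{var} uses https://, so the client "
                         "starts TLS with the proxy before sending CONNECT"))
        if is_ip_literal(p.hostname):
            findings.append(("TLS_PROXY_IP_LITERAL", "the proxy is an IP address "
                             "and SNI cannot carry an IP address"))
    elif p.scheme not in ("http", "socks4", "socks5", "socks5h"):
        # Scheme list is this example's assumption, not an exhaustive one.
        findings.append(("UNKNOWN_SCHEME", f"{var} uses scheme {p.scheme}"))
    return findings


if __name__ == "__main__":
    # Constructed sample environments, not taken from the thread.
    samples = [
        {"https_proxy": "https://10.0.0.5:3128"},
        {"http_proxy": "http://proxy.internal.example:3128"},
        {"https_proxy": "proxy.internal.example:3128"},
        {"https_proxy": "http://proxy.internal.example:3128"},
    ]
    for env in samples:
        print(env, "->", [code for code, _ in audit_proxy_env(env)] or "ok")
```

Run it against the real settings with `audit_proxy_env(dict(os.environ))` after importing `os`, under the same account that runs Certbot, since `sudo` often drops proxy variables.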

403785E70B7F0000:error:10080002:BIO routines:BIO_lookup_ex:system lib:../crypto/bio/bio_addr.c:738:Temporary failure in name resolution
connect:errno=11

I have already opened the firewall from the proxy IP to the IP 172.65.32.248; I don't understand what you mean by opening access to its API.

There are multiple connections that will happen:

(1) Your Let's Encrypt client software (like Certbot) makes an HTTPS connection on port 443 to https://acme-v02.api.letsencrypt.org/ in order to talk to the Let's Encrypt service's API and request a certificate. (I think this is the stage at which the process was originally failing for you. It appeared that Certbot could not correctly use your proxy in order to make this outgoing connection.)

That API is served by the Cloudflare CDN, so it might not have the same public API address as seen from everywhere in the world, or over time.

(2) After your client software requests a certificate, Let's Encrypt has to check that you really control the domain name for which you are requesting the certificate. There are three different ways that Let's Encrypt can do this (called "challenge methods"); most commonly, they involve a connection from multiple Let's Encrypt data centers back to your web site, where your client software will be told to prove your control over the site by posting a text file, with contents chosen by the certificate authority, at a location on your site also chosen by the certificate authority.

Normally, in the most common situations, Certbot can automatically complete the steps requested by the certificate authority (for example, when run as root on a server with Apache or nginx, it will automatically create the requested file at the requested location).

The details of that are described in the "challenge types" document that I posted a link to (in official Chinese translation).

There are many possible failures related to this step of the process, but I don't think your certificate request has gotten far enough to know whether or not there are any problems with this.

3 Likes

What shows?:
nslookup acme-v02.api.letsencrypt.org

4 Likes

Yes, @rg305 has a good point—the most recent error looks like your server possibly also can't perform DNS lookups. It isn't enough to hard-code the ability to access a specific IP address for the Let's Encrypt API server, because the client software doesn't know that address, and will always try to access

https://acme-v02.api.letsencrypt.org/

by name. You can also simulate this access with a command like

curl -v https://acme-v02.api.letsencrypt.org/directory

to find out more about specific reasons that your server currently can't access this service. (If you have an outbound HTTP proxy, then curl also needs to be able to find and use that.)

3 Likes