Certificate renewal is failing: “bad handshake”

On our server the Let's Encrypt certificate is renewed automatically. This always worked until two days ago.

If you look into the log file, you see the following error message:

######################

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/unser-server.de.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Failed to renew certificate unser-server.de with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/unser-server.de/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

########################
My domain is: uka-gruppe.de

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, only cli

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.12.0

########################

Command:

openssl s_client -connect acme-v02.api.letsencrypt.org:443

Output:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1

Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

Server certificate
-----BEGIN CERTIFICATE-----
MIIF4TCCBMmgAwIBAgISA1fNM5fZ3bn83Tn7Lqqu27MvMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTExMjkwOTU2MDZaFw0yMjAyMjcwOTU2MDVaMCcxJTAjBgNVBAMT
HGFjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDqewWoTT63i+oFs4Z2uENad2uvcGuKr4aLA1VxuZboKrNg
Pl3iQqtMKN04Fc8KlR3KEBsGKXSyKszEGVYaDMdZCXSXxjullbnAbaYlkMkokyK6
2pLuKFlWbuA9ZTPqgF7UXn90TjkJFWnSn0kPcGE90YnaZPAr5KsnzNP66okSpZnf
H7BPpqg9LILXIWeTdpSVwMUxZyoOyUFWMLuouwYgGr6HXDMmfiRQ2Bv6M8DHVmmZ
dtcHiaQZgC1c+ExgLMa1Eq5JngzFCqOxQSt3PD3KE8qud/1xgdzEvbnnL/FHYzYG
DoRVdq7MAYRTYMtxmjYpUw/d5g2C029FtUjQGmKBAgMBAAGjggL6MIIC9jAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFFpSfxiSQ+Pw+yixD3ZFzJ03H4uwMB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMIHJBgNVHREEgcEwgb6CHmFjbWUtdjAyLTEuYXBpLmxl
dHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItMi5hcGkubGV0c2VuY3J5cHQub3Jngh5h
Y21lLXYwMi0zLmFwaS5sZXRzZW5jcnlwdC5vcmeCHmFjbWUtdjAyLTQuYXBpLmxl
dHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItNS5hcGkubGV0c2VuY3J5cHQub3Jnghxh
Y21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnMEwGA1UdIARFMEMwCAYGZ4EMAQIB
MDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2Vu
Y3J5cHQub3JnMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAQcjKsd8iRkoQxqE6
CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF9a1ZvUQAABAMARzBFAiAg763YORqR922O
18mYhDRq+HaJIDIZfFwYn13UtAmz6gIhAOWUAIip0Zq5G7QbpWxFXwYmYWYJn5Tb
0lQ+Z/8isw7PAHYARqVV63X6kSAwtaKJafTzfREsQXS+/Um4havy/HD+bUcAAAF9
a1ZvcAAABAMARzBFAiEAnjWYBpxoFIiFO15LWTTKG2VGej+3DtS/4YGiRp7w8ywC
IGx8TqPil7BYMP5FKjJDI2DGcnBaW9tW6tljNG1raXa8MA0GCSqGSIb3DQEBCwUA
A4IBAQAJZO4jhoWEiDskQ/NzhHdLZEDQtce/zbQR7JXOcK0sBh8V8ZYIxKprWvbN
XqU+aQoDmAGB141k9xA6p4JWyc+ss15QxxqKLR/5IlyIUPiOwwD6sh/QOChw3paj
O3wEQmKBKYhcbPNMIy5lK8yDvKAp+JGb6oyuDYQ6LCi3Gr21p+p5x2n+SVaNWMmy
choTt/cbQQxBVPqRQTAxiUka5nm68OU6fCU3/45T9R1ORTQfnkc3lg/ZZ/kitolZ
Uu/34/hzlR0SBIjOhzDFmKJxi0OZlznIiX1P1oQUn6vYOd3N41iwxsMR6qXXOI6s
CmBZ3onl1v7RGP7eSGpmaYCj0bmG
-----END CERTIFICATE-----
subject=CN = acme-v02.api.letsencrypt.org

issuer=C = US, O = Let's Encrypt, CN = R3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 3380 bytes and written 400 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 8089CFF84E67BA38ACA2C640A2A3BD1F8CF4035D64B8AA4C5DECFCF2CF65515B
Session-ID-ctx:
Resumption PSK: 8FC6D46232F6FB17217A7D20F7DBCC2C5B2E83601269AC2FC442E6DF17720E51ABA5B7A4DF80FB6D7F4D0F25E7670D72
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - c0 c3 11 fd b9 fa ce f5-b3 2a 92 34 f5 95 a3 ad .........*.4....
0010 - a3 be 83 16 b5 e9 9d be-55 33 6d ad f6 6b 7b d3 ........U3m..k{.

Start Time: 1638885057
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

--
read R BLOCK

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: DD7B7C8F4384E609867DE96BFAE8890576941302E227B0ADC1AA785A7249E426
Session-ID-ctx:
Resumption PSK: C4028362DFD62B8CA5E1A0EE6AC0AC4361E61C34391DACB8C8BC18C2F435D7DFB45AD474DEE0074A7745F90975DA158C
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - f6 25 1e 70 3f 62 31 f6-8c f4 b8 bd ab 63 55 74 .%.p?b1......cUt
0010 - 6b 7f 1b ea 42 37 95 35-eb b6 ba be c0 c8 03 81 k...B7.5........

Start Time: 1638885057
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

--
read R BLOCK
closed

##########################################

Command:
curl -I4 https://acme-v02.api.letsencrypt.org/directory

Output:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

#########################################

Command:
curl -I6 https://acme-v02.api.letsencrypt.org/directory

Output:

HTTP/2 200
server: nginx
date: Tue, 07 Dec 2021 13:54:30 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0001-TQUFI1eteiuCQFNXmJI_OljdLyLHcwQ-PE8CuJCkIA
x-frame-options: DENY
strict-transport-security: max-age=604800

###########################

Command:
host acme-v02.api.letsencrypt.org

Output:

acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c

Nothing has been changed or updated on the system. The error appeared suddenly and inexplicably.

Manually renewing the certificate throws the first error message again.

We are grateful for any hint or tip.

Best regards
gpl

Please provide your IPv4 address so that it can be checked.
curl -4 ifconfig.co


Good morning,

The IPv4 address is: 54.36.114.230

Best regards
gpl

@lestaff
Please check if this IPv4 address ("54.36.114.230") has been blocked.


Yes, this IP had been blocked because of many, repeated requests that were always failing validation. I've now unblocked it.


Thanks for the quick help.
How many times can I try to renew the certificate before the IP is blocked?


Glad to help! Our normal rate limits are documented here: Rate Limits - Let's Encrypt

Manual blocking is unusual; we only do it for patterns of traffic that are abusive (DDoS) or affect our service in unexpected ways (this case). I think we're almost done fixing the cause.
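The block described above is triggered by a client that keeps retrying a validation that always fails, typically a cron job running `certbot renew` far more often than needed. The script below is an added example, not part of this thread and not certbot's own code: it scans renewal output for the "Failed to renew certificate ... with error: ..." message shown in the original post, separates validation failures from transport failures (the "bad handshake" / "Unexpected EOF" errors that mean the client could not even reach `/directory`), and flags a domain whose validation failures pile up within a 24-hour window. The timestamped log format, the sample lines and the threshold of three failures are constructed for the example.

```python
"""Detect a runaway renewal loop in certbot output (added example, not certbot code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<timestamp> Failed to renew certificate <domain> with error: <error>".
# The message text after the timestamp is the one certbot prints in the original post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Failed to renew certificate (?P<domain>\S+) with error: (?P<error>.*)$"
)

# Substrings seen in the thread when the ACME directory itself was unreachable.
TRANSPORT_MARKERS = ("bad handshake", "Unexpected EOF", "SSL_ERROR_SYSCALL", "Max retries exceeded")
# Substrings typical of a challenge that the CA could not validate (assumed wording).
VALIDATION_MARKERS = ("challenges have failed", "Invalid response", "unauthorized")
# Substrings typical of an explicit rate-limit answer from the CA (assumed wording).
RATE_LIMIT_MARKERS = ("rateLimited", "too many")

# Constructed sample: an hourly cron job failing validation five times, then two
# transport failures once the source IP can no longer reach the directory.
SAMPLE_LOG = """\
2021-12-05 01:00:02 Failed to renew certificate unser-server.de with error: Some challenges have failed.
2021-12-05 02:00:02 Failed to renew certificate unser-server.de with error: Some challenges have failed.
2021-12-05 03:00:02 Failed to renew certificate unser-server.de with error: Some challenges have failed.
2021-12-05 04:00:02 Failed to renew certificate unser-server.de with error: Some challenges have failed.
2021-12-05 05:00:02 Failed to renew certificate unser-server.de with error: Some challenges have failed.
2021-12-07 12:00:03 Failed to renew certificate unser-server.de with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))
2021-12-07 13:00:03 Failed to renew certificate unser-server.de with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))
2021-12-06 09:00:00 Failed to renew certificate other.example with error: Some challenges have failed.
"""


def parse_line(line):
    """Return (timestamp, domain, error) for a renewal-failure line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["domain"], m["error"]


def classify(error):
    """Bucket an error message by what layer failed."""
    if any(k in error for k in RATE_LIMIT_MARKERS):
        return "ratelimit"
    if any(k in error for k in VALIDATION_MARKERS):
        return "validation"
    if any(k in error for k in TRANSPORT_MARKERS):
        return "transport"
    return "other"


def max_failures_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, window=timedelta(hours=24), threshold=3):
    """Per domain: is there a validation loop, how dense is it, and how many transport failures?"""
    per_domain = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, domain, error = parsed
        per_domain[domain][classify(error)].append(ts)

    report = {}
    for domain, kinds in per_domain.items():
        densest = max_failures_in_window(kinds.get("validation", []), window)
        report[domain] = {
            "validation_loop": densest >= threshold,
            "max_validation_failures_per_window": densest,
            "transport_failures": len(kinds.get("transport", [])),
        }
    return report


if __name__ == "__main__":
    for domain, info in analyze(SAMPLE_LOG).items():
        flag = "LOOP - stop the cron job and fix validation first" if info["validation_loop"] else "ok"
        print(f"{domain}: {info} -> {flag}")
```

A domain flagged with `validation_loop` is the case to fix before retrying: repeated identical failures are what the staff reply above describes, while transport failures alone point at network reachability (here, the IPv4 path) rather than at the challenge setup. The marker lists are deliberately short; extend them with the exact wording your certbot version logs.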


2 posts were split to a new topic: Renewal failing due to certificate verify failed error
