Certificate Request with Certbot timing out

Hello,

Basic Info

My domain is: gamecp.x2c0.net

I ran this command: certbot certonly --webroot -d gamecp.x2c0.net --email my@email.com -w /var/www/_letsencrypt --agree-tos

It produced this output: https://hastebin.com/qapipiharo.log

My web server is (include version): Nginx 1.15.5

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


I am trying to obtain a LetsEncrypt certificate for my domain. However, I keep running into the error requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45). This happens despite the fact that I can ping, traceroute, telnet, and curl https://acme-v02.api.letsencrypt.org without a problem. In addition, I have tried four validation methods, webroot, standalone, nginx, and dns - none work and all result in the same error. I have checked my firewall (both at OVH and iptables on the machine) and LE is not blocked.

Hi @unixfy,

Did you check whether you can connect to this site using IPv6?

curl -IL6v https://acme-v02.api.letsencrypt.org

If you can connect using IPv4:

curl -IL4v https://acme-v02.api.letsencrypt.org

Then maybe there is an IPv6 routing problem, or your firewall (ip6tables) is not allowing packets for IPv6. If that is the case, if you want a quick workaround you could get the IPv4 that is resolving for you and add it to your /etc/hosts to force certbot to use the IPv4 instead of IPv6.

1.- Get the ipv4 for acme-v02.api.letsencrypt.org:

dig acme-v02.api.letsencrypt.org +short

2.- Add it to your /etc/hosts

echo "heretheipv4address acme-v02.api.letsencrypt.org" >> /etc/hosts

This is just a temporary workaround in case the problem is related to an IPv6 issue.

Cheers,
sahsanu


IPv6 is disabled on the machine and thus doesn’t work:

* Rebuilt URL to: https://acme-v02.api.letsencrypt.org/
* Could not resolve host: acme-v02.api.letsencrypt.org
* Closing connection 0
curl: (6) Could not resolve host: acme-v02.api.letsencrypt.org

IPv4 does work correctly. The timeout still occurs when I add the IPv4 address to my hosts file.

Just a test, could you please try this ip in your /etc/hosts file?

104.123.22.170 acme-v02.api.letsencrypt.org

And try again?

If you run curl -v https://acme-v02.api.letsencrypt.org/directory, what IPs does it try to connect to? What happens?

Before adding the entry to /etc/hosts, it outputs this:

*   Trying 184.30.223.223...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.30.223.223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Oct 12 01:36:41 2018 GMT
*  expire date: Jan 10 01:36:41 2019 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /directory HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 658
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Sun, 21 Oct 2018 22:40:05 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Sun, 21 Oct 2018 22:40:05 GMT
< Connection: keep-alive
< 
{
  "1yCj8KCLlFY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

After adding the entry in my hosts file everything stays the same except for the IP. Certbot continues to time out.

Hi @unixfy

Your log is incomplete. There are more log entries. It's important to see the context of the error.

@JuergenAuer I only truncated it because I wasn’t sure if any of the stuff in the log is private. Here’s a complete log: https://hastebin.com/rujeqoqoqo.log

The order is ready:

https://acme-v02.api.letsencrypt.org/acme/order/44256591/129845298

So the order and challenge validation works. So your ip-configuration isn't the problem.

The finalization step produces the timeout.

Your Certificate request:

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

looks good, CSR Decoder - Check CSR to verify its contents accepts it.

So it looks like Letsencrypt (1) has a general timeout or (2) doesn't understand your specific Certificate request. But you don't have a blocking or corrupt CAA-entry.

One thing I don't understand:

D:\temp>nslookup gamecp.x2c0.net.
Name: gamecp.x2c0.net
Address: 54.39.202.103

There is a specific A-record, this is ok. But:

D:\temp>nslookup -type=CNAME gamecp.x2c0.net.
x2c0.net
primary name server = chan.ns.cloudflare.com
responsible mail addr = dns.cloudflare.com
serial = 2029182250
refresh = 10000 (2 hours 46 mins 40 secs)
retry = 2400 (40 mins)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)

Looks like you have an A-record and a CNAME-record. Perhaps Letsencrypt wants to check something -> timeout.

Can you remove this CNAME?


I just looked in my Cloudflare DNS configuration and there is no CNAME for gamecp.x2c0.net. https://i.imgur.com/XpOtJRd.jpg

Edit: Regardless, I don't think the CNAME should matter - issuance of certificates for the same domain works on another VPS I tested @ DigitalOcean.

The second log you posted shows the timeout occurring during the “finalize” request. Can you check if the same is true of all your attempts?

Yes, it is the same.

Thanks for this screenshot.

But there is a CNAME x2c0.net.

If Letsencrypt checks the CAA entry and doesn't find one of gamecp.x2c0.net, then the next check is the CAA entry of x2c0.net. Perhaps there is a loop or something else.

Is it possible that you create a CAA entry for your subdomain? Then a CAA entry of x2c0.net would be ignored.

Did you mean CNAME? If you did mean CAA how can I create one on Cloudflare? I keep getting an error about the flags field being required even though there is none.

I don't know if Letsencrypt follows CNAME entries when checking the CAA of the main domain. But I would try to create a CAA entry with your subdomain.

I don't use Cloudflare. But share a screenshot.

https://sslmate.com/caa/

is a generator. The "Load Current Policy" is a good check. Some DNS servers are broken. Letsencrypt fails checking the CAA, sslmate reports an error.
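The two posts above raise the same question: does a CAA record on the subdomain shadow one on x2c0.net, and does the CA follow a CNAME while looking for CAA? The lookup a CA performs is specified in RFC 8659 (climb from the FQDN to the parent until a non-empty CAA RRset is found; a CAA query for an alias returns the RRset at the CNAME target). The script below is an added example, not code from this thread and not Let's Encrypt's (Boulder's) implementation. It models that lookup against a constructed in-memory zone so it runs offline; the record values in it (an `issue digicert.com` record on `x2c0.net`, the CNAME example under `example.test`) are hypothetical and are not the poster's real DNS.

```python
"""Offline model of the CAA lookup a CA performs before issuance (RFC 8659).

Added example for the forum thread above. The "resolver" is a constructed
in-memory zone, so nothing here touches real DNS; all records are hypothetical.
"""
import copy
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # the only defined CAA flag bit


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 = not critical; 128 = issuer-critical bit set
    tag: str     # "issue", "issuewild" or "iodef"
    value: str   # e.g. "letsencrypt.org", or ";" meaning "no CA may issue"


# Constructed zone (hypothetical records). Names are keyed with a trailing dot.
ZONE = {
    "gamecp.x2c0.net.": {"A": ["54.39.202.103"]},
    "x2c0.net.": {"CAA": [CAA(0, "issue", "digicert.com")]},
}


def lookup_caa(name, zone, max_cname_hops=8):
    """CAA(X): follow CNAMEs at X and return the CAA RRset found there (may be empty).

    A real resolver does the CNAME following for the CA; this models that.
    """
    for _ in range(max_cname_hops):
        rrs = zone.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]
            continue
        return list(rrs.get("CAA", []))
    raise RuntimeError("CNAME chain too long at %s" % name)


def relevant_caa(fqdn, zone):
    """Relevant(X): CAA(X) if non-empty, otherwise Relevant(parent of X), up to the root.

    Returns (name the RRset was found at, RRset); (None, []) if nothing was found.
    """
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        rrset = lookup_caa(name, zone)
        if rrset:
            return name, rrset
    return None, []


def issuance_allowed(fqdn, ca_domain, zone, wildcard=False):
    """Apply RFC 8659 section 4 to decide whether ca_domain may issue for fqdn."""
    _origin, rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    known = {"issue", "issuewild", "iodef"}
    if any((r.flags & ISSUER_CRITICAL) and r.tag.lower() not in known for r in rrset):
        return False  # unrecognised critical property: the CA must not issue
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"  # issuewild, when present, takes over for wildcard names
    selected = [r for r in rrset if r.tag.lower() == tag]
    if not selected:
        return True  # only iodef (or similar) records: issuance not restricted
    for r in selected:
        domain = r.value.split(";", 1)[0].strip().lower()  # drop parameters
        if domain and domain == ca_domain.lower():
            return True
    return False  # every issue record names another CA, or is ";" (nobody)


def with_subdomain_caa(zone):
    """Return a copy of zone with a CAA record added on the subdomain itself."""
    z = copy.deepcopy(zone)
    z["gamecp.x2c0.net."]["CAA"] = [CAA(0, "issue", "letsencrypt.org")]
    return z


if __name__ == "__main__":
    for label, z in (("parent CAA only", ZONE), ("subdomain CAA added", with_subdomain_caa(ZONE))):
        origin, rrs = relevant_caa("gamecp.x2c0.net.", z)
        ok = issuance_allowed("gamecp.x2c0.net.", "letsencrypt.org", z)
        print("%-20s relevant CAA at %s -> letsencrypt.org may issue: %s" % (label, origin, ok))
```

With only the parent's record present, the relevant RRset is the one at `x2c0.net.` and a CA not named there is refused; once the subdomain carries its own `issue` record, tree climbing stops at `gamecp.x2c0.net.` and the parent's policy is never consulted, which is the effect the post above describes. A quick way to reason about an unexplained CA-side failure is to run your real records through a model like this (or through the sslmate checker linked above) and confirm the RRset the CA would actually select.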

Seems CF’s mobile site is just bugged. It works perfectly on my desktop. CAA record has been added https://i.imgur.com/3l1z2DI.jpg

Edit: Timeout continues to occur.

@JuergenAuer Any update on this?

I don't know why you have a timeout.

If your log has the same information (order and validation works, after uploading a Certificate signing request there is a timeout), it's a problem that Letsencrypt doesn't understand your Certificate signing request.

So the problem would be on Letsencrypt’s side and not mine?

Do you think this might be related to the fact that my internet-facing IP is tunneled (via wireguard + 1:1 nat with iptables)?