Certificate Request with Certbot timing out


#1

Hello,

Basic Info

My domain is: gamecp.x2c0.net

I ran this command: certbot certonly --webroot -d gamecp.x2c0.net --email my@email.com -w /var/www/_letsencrypt --agree-tos

It produced this output: https://hastebin.com/qapipiharo.log

My web server is (include version): Nginx 1.15.5

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


I am trying to obtain a LetsEncrypt certificate for my domain. However, I keep running into the error requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45). This happens despite the fact that I can ping, traceroute, telnet, and curl https://acme-v02.api.letsencrypt.org without a problem. In addition, I have tried four validation methods, webroot, standalone, nginx, and dns - none work and all result in the same error. I have checked my firewall (both at OVH and iptables on the machine) and LE is not blocked.


#2

Hi @unixfy,

Did you check whether you can connect to this site using IPv6?

curl -IL6v https://acme-v02.api.letsencrypt.org

If you can connect using IPv4:

curl -IL4v https://acme-v02.api.letsencrypt.org

Then maybe there is an IPv6 routing problem, or your firewall (ip6tables) is not allowing packets for IPv6. If that is the case, if you want a quick workaround you could get the IPv4 that is resolving for you and add it to your /etc/hosts to force certbot to use the IPv4 instead of IPv6.

1. Get the IPv4 for acme-v02.api.letsencrypt.org:

dig acme-v02.api.letsencrypt.org +short

2. Add it to your /etc/hosts:

echo "heretheipv4address acme-v02.api.letsencrypt.org" >> /etc/hosts

This is just a temporary workaround in case the problem is related to an IPv6 issue.

Cheers,
sahsanu


#3

IPv6 is disabled on the machine and thus doesn’t work:

* Rebuilt URL to: https://acme-v02.api.letsencrypt.org/
* Could not resolve host: acme-v02.api.letsencrypt.org
* Closing connection 0
curl: (6) Could not resolve host: acme-v02.api.letsencrypt.org

IPv4 does work correctly. The timeout still occurs when I add the IPv4 address to my hosts file.


#4

Just a test, could you please try this ip in your /etc/hosts file?

104.123.22.170 acme-v02.api.letsencrypt.org

And try again?


#5

If you run curl -v https://acme-v02.api.letsencrypt.org/directory, what IPs does it try to connect to? What happens?


#6

Before adding the entry to /etc/hosts, it outputs this:

*   Trying 184.30.223.223...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.30.223.223) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Oct 12 01:36:41 2018 GMT
*  expire date: Jan 10 01:36:41 2019 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /directory HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 658
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Sun, 21 Oct 2018 22:40:05 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Sun, 21 Oct 2018 22:40:05 GMT
< Connection: keep-alive
< 
{
  "1yCj8KCLlFY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

After adding the entry in my hosts file everything stays the same except for the IP. Certbot continues to time out.


#7

Hi @unixfy

Your log is incomplete. There are more log entries. It’s important to see the context of the error.


#8

@JuergenAuer I only truncated it because I wasn’t sure if any of the stuff in the log is private. Here’s a complete log: https://hastebin.com/rujeqoqoqo.log


#9

The order is ready:

https://acme-v02.api.letsencrypt.org/acme/order/44256591/129845298

So the order and challenge validation works. So your ip-configuration isn’t the problem.

The finalization step produces the timeout.

Your Certificate request:


looks good, https://www.sslshopper.com/csr-decoder.html accepts it.

So it looks like Letsencrypt (1) has a general timeout or (2) doesn’t understand your specific Certificate request. But you don’t have a blocking or corrupt CAA-entry.

One thing I don’t understand:

D:\temp>nslookup gamecp.x2c0.net.
Name: gamecp.x2c0.net
Address: 54.39.202.103

There is a specific A-record, this is ok. But:

D:\temp>nslookup -type=CNAME gamecp.x2c0.net.
x2c0.net
primary name server = chan.ns.cloudflare.com
responsible mail addr = dns.cloudflare.com
serial = 2029182250
refresh = 10000 (2 hours 46 mins 40 secs)
retry = 2400 (40 mins)
expire = 604800 (7 days)
default TTL = 3600 (1 hour)

Looks like you have an A-record and a CNAME-record. Perhaps Letsencrypt wants to check something -> timeout.

Can you remove this CNAME?


#10

I just looked in my Cloudflare DNS configuration and there is no CNAME for gamecp.x2c0.net. https://i.imgur.com/XpOtJRd.jpg

Edit: Regardless, I don’t think the CNAME should matter - issuance of certificates for the same domain works on another VPS I tested @ DigitalOcean.


#11

The second log you posted shows the timeout occurring during the “finalize” request. Can you check if the same is true of all your attempts?


#12

Yes, it is the same.


#13

Thanks for this screenshot.

But there is a CNAME x2c0.net.

If Letsencrypt checks the CAA entry and doesn’t find one for gamecp.x2c0.net, then the next check is the CAA entry of x2c0.net. Perhaps there is a loop or something else.

Is it possible that you create a CAA entry for your subdomain? Then a CAA entry of x2c0.net would be ignored.


#14

Did you mean CNAME? If you did mean CAA how can I create one on Cloudflare? I keep getting an error about the flags field being required even though there is none.


#15

I don’t know if Letsencrypt follows CNAME entries when checking the CAA of the main domain. But I would try to create a CAA entry with your subdomain.

I don’t use Cloudflare. But share a screenshot.

https://sslmate.com/caa/

is a generator. The “Load Current Policy” is a good check. Some DNS servers are broken. Letsencrypt fails checking the CAA, sslmate reports an error.
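The CAA lookup that posts #13 and #15 are reasoning about (look for CAA at the exact name, follow CNAMEs, then climb to each parent until a non-empty set is found, and a CAA record on the subdomain shadows the parent's) can be modelled offline. The following is an added example written for this thread, not code from certbot or Let's Encrypt; the zone data is constructed (the thread's names plus a hypothetical loop.example CNAME loop), and a real CA would query DNS instead of a dict.

```python
"""Model of RFC 8659 section 3 CAA resolution over a constructed zone."""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)
MAX_CNAME_DEPTH = 8

# Constructed zone data for illustration only (not live DNS).
ZONE: Dict[str, dict] = {
    "gamecp.x2c0.net.": {"A": ["54.39.202.103"]},             # no CAA here
    "x2c0.net.": {"CAA": [(0, "issue", "letsencrypt.org")]},  # parent CAA
    "www.x2c0.net.": {"CNAME": "gamecp.x2c0.net."},           # alias
    "loop.example.": {"CNAME": "loop2.example."},             # hypothetical loop
    "loop2.example.": {"CNAME": "loop.example."},
}

def caa_at(name: str) -> List[CAARecord]:
    """CAA RRset for one name, chasing CNAMEs; a loop is a lookup failure."""
    seen: List[str] = []
    while True:
        if name in seen or len(seen) > MAX_CNAME_DEPTH:
            raise RuntimeError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        rrs = ZONE.get(name, {})
        if "CNAME" in rrs:
            name = rrs["CNAME"]
            continue
        return list(rrs.get("CAA", []))

def parent(name: str) -> str:
    """gamecp.x2c0.net. -> x2c0.net. -> net. -> ."""
    return name.split(".", 1)[1] or "."

def relevant_caa(fqdn: str) -> List[CAARecord]:
    """First non-empty CAA set walking from fqdn up towards the root."""
    name = fqdn if fqdn.endswith(".") else fqdn + "."
    while name != ".":
        rrset = caa_at(name)
        if rrset:
            return rrset          # subdomain CAA shadows the parent's
        name = parent(name)
    return []

def issuance_allowed(fqdn: str, ca: str, wildcard: bool = False) -> bool:
    """Empty relevant set: any CA may issue. Otherwise ca must be listed."""
    rrset = relevant_caa(fqdn)
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _v in rrset):
        tag = "issuewild"        # issuewild overrides issue for wildcards
    allowed = [v.split(";")[0].strip() for _, t, v in rrset if t == tag]
    return True if not allowed else ca in allowed
```

A CNAME loop raises instead of returning a policy, which is the "lookup failed" outcome a CA must treat as not permitting issuance; that is a different failure than the finalize timeout in the log.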


#16

Seems CF’s mobile site is just bugged. It works perfectly on my desktop. CAA record has been added https://i.imgur.com/3l1z2DI.jpg

Edit: Timeout continues to occur.


#17

@JuergenAuer Any update on this?


#18

I don’t know why you have a timeout.

If your log has the same information (order and validation work, after uploading a Certificate signing request there is a timeout), it’s a problem that Letsencrypt doesn’t understand your Certificate signing request.


#19

So the problem would be on Letsencrypt’s side and not mine?


#20

Do you think this might be related to the fact that my internet-facing IP is tunneled (via wireguard + 1:1 nat with iptables)?