Creating cert is failing

nephilim · July 25, 2018, 11:54am

Hello

I am trying to create new cert and receiving this error:

scripts $ sudo ./nc_cert.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Running pre-hook command: service nginx stop
Obtaining a new certificate
Running post-hook command: service nginx start
An unexpected error occurred:
ConnectionError: ('Connection aborted.', error("(104, 'ECONNRESET')",))

The command I use is this:

certbot certonly --quiet --pre-hook "service nginx stop" --post-hook "service nginx start" --standalone -n --rsa-key-size 4096 --agree-tos -m $EMAIL -d $DOMAIN --preferred-challenges http-01

Any idea what is going wrong here?

Kind regards
//neph

_az · July 25, 2018, 12:14pm

One piece of advice: stopping nginx like that and using standalone does not work reliably on all Linux platforms.

I highly recommend just using the nginx authenticator (or even webroot if nginx is too magical for you):

certbot certonly -a nginx -n --rsa-key-size 4096 --agree-tos -m $EMAIL -d $DOMAIN

Regarding the ECONNRESET, that’s certainly odd. If it continues to be an issue using the nginx authenticator, could you post your /var/log/letsencrypt.log? It would help to see whether the error came from talking to the Let’s Encrypt API server, and on what request.

nephilim · July 25, 2018, 2:25pm

could you post your /var/log/letsencrypt.log? It would help to see whether the error came from talking to the Let’s Encrypt API server, and on what request.

Here we go...

Logfile

2018-07-25 11:47:41,667:DEBUG:certbot.main:Root logging level set at 20
2018-07-25 11:47:41,672:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-07-25 11:47:41,677:DEBUG:certbot.main:certbot version: 0.10.2
2018-07-25 11:47:41,677:DEBUG:certbot.main:Arguments: ['--pre-hook', 'service nginx stop', '--post-hook', 'service n$
2018-07-25 11:47:41,681:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryP$
2018-07-25 11:47:41,683:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-07-25 11:47:43,407:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x73bd3a30>
Prep: True
2018-07-25 11:47:43,411:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authentic$
2018-07-25 11:47:43,453:DEBUG:certbot.main:Picked account: <Account(8c77119608d673ef07afe6f1a5661df5)>
2018-07-25 11:47:43,458:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-07-25 11:47:43,478:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.a$
2018-07-25 11:47:48,862:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET$
2018-07-25 11:47:48,866:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: Ig4pTrY-CsuHip1RBx5MSWHQW3VtsWfTZewfLCFxINw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 25 Jul 2018 11:47:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 25 Jul 2018 11:47:48 GMT
Connection: keep-alive

{
  "HU3VNUYtGd0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2018-07-25 11:47:48,869:INFO:certbot.hooks:Running pre-hook command: service nginx stop
2018-07-25 11:47:49,609:INFO:certbot.main:Obtaining a new certificate
2018-07-25 11:47:49,610:DEBUG:root:Requesting fresh nonce
2018-07-25 11:47:49,611:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2018-07-25 11:47:49,800:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEA$
2018-07-25 11:47:49,803:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: x-DFH8kXGgu_-uuXjYc-zzlBe9pvR-9dM4QQdN-kMlU
Expires: Wed, 25 Jul 2018 11:47:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 25 Jul 2018 11:47:49 GMT
Connection: keep-alive


2018-07-25 11:47:49,803:DEBUG:acme.client:Storing nonce: x-DFH8kXGgu_-uuXjYc-zzlBe9pvR-9dM4QQdN-kMlU
2018-07-25 11:47:49,805:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns",
    "value": "sub.domain.de"
  },
  "resource": "new-authz"
}
2018-07-25 11:47:50,013:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256",
    "jwk": {
      "e": "AQAB",
      "kty": "RSA",
      "n": "1l4F7t3awBbZ2n9A0YcMJ0hYWq_O3UyG7tiAwXnmmOwi4K5nbs9eirQtrNc3xlXDomP4V2VoXPb21hzdYGkfw2kxxrnZpZ3GFi-P_qsp$
    }
  },
  "protected": "eyJub25jZSI6ICJ4LURGSDhrWEdndV8tdXVYalljLXp6bEJlOXB2Ui05ZE00UVFkTi1rTWxVIn0",
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAiY2xvdWQub3N0ZW9wYXRoaWUtbWVycm$
  "signature": "R-sNzmpby4m_Z2ZxZ4lACbyUcX4baE9QrsjbFoKi6V7oGqbgyt5t_5VgR3BCK8TrZwYjcUl1mmbR1eCOt4z0noCaWKCXaOGpNvxa$
}
2018-07-25 11:47:50,037:INFO:certbot.hooks:Running post-hook command: service nginx start
2018-07-25 11:47:50,978:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 67, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 216, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 196, in request_challenges
    new_authz)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 671, in post
      return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 682, in _post_once
    response = self._send_request('POST', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 614, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error("(104, 'ECONNRESET')",))

Kind regards
//neph

_az · July 25, 2018, 11:04pm

Thanks. As an experiment, could you trying the same with this /etc/hosts entry?

104.92.230.170    acme-v01.api.letsencrypt.org

The thinking is that there is a history of some clients having problems with some Akamai edges when POSTing a large request body, which can be avoided by using an edge in a different region.

The following may also help diagnostically:

mtr -c 20 --no-dns acme-v01.api.letsencrypt.org --report
curl -v --data "$(dd if=/dev/urandom bs=32767 count=1 | base64)" -m 10 -H "Pragma: akamai-x-get-cache-key, akamai-x-get-true-cache-key, akamai-x-get-request-id, akamai-x--meta-trace, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id" https://acme-v01.api.letsencrypt.org/acme/new-authz

nephilim · July 26, 2018, 4:32am

Wow!

Adding 104.92.230.170 acme-v01.api.letsencrypt.org to /etc/hosts worked perfectly fine. No connection error. Cert has been created.

Thank you so much!

Kind regards
//neph

_az · July 26, 2018, 4:39am

I have some bad news for you: the IP addresses regularly change, so this workaround isn’t safe to use in the long term.

The problem could be on your ISPs side or maybe on Akamai side, it’s hard to know for sure. If you’re interested in resolving it permanently, you might want to tag isk or devnullsmyhappyplace with the diagnostic info I asked for earlier (after undoing the workaround).

nephilim · July 26, 2018, 4:51am

That's pitty. In a first thought I was thinking to write a script to take a way around.

I will provide the missing info after my vacation (one week). Indeed, I need a long term solution for this. But for now I have to leave. My wife behind me looks really angry.

Just one question left: When I ping the address from Windows, it returns this result:

C:\Users\neph>ping acme-v01.api.letsencrypt.org -4

Ping wird ausgeführt für e14990.dscx.akamaiedge.net [104.74.120.43] mit 32 Bytes Daten:
Antwort von 104.74.120.43: Bytes=32 Zeit=10ms TTL=59
Antwort von 104.74.120.43: Bytes=32 Zeit=8ms TTL=59
Antwort von 104.74.120.43: Bytes=32 Zeit=8ms TTL=59
Antwort von 104.74.120.43: Bytes=32 Zeit=9ms TTL=59

Ping-Statistik für 104.74.120.43:
    Pakete: Gesendet = 4, Empfangen = 4, Verloren = 0
    (0% Verlust),
Ca. Zeitangaben in Millisek.:
    Minimum = 8ms, Maximum = 10ms, Mittelwert = 8ms

But from Linux client, it looks this:

pi@pcf-cloud:/etc/letsencrypt $ ping acme-v01.api.letsencrypt.org
PING acme-v01.api.letsencrypt.org (104.92.230.170) 56(84) bytes of data.
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=1 ttl=57 time=103 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=2 ttl=57 time=102 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=3 ttl=57 time=102 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=4 ttl=57 time=102 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=5 ttl=57 time=102 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=6 ttl=57 time=102 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=7 ttl=57 time=103 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=8 ttl=57 time=104 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=9 ttl=57 time=103 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=10 ttl=57 time=102 ms
64 bytes from acme-v01.api.letsencrypt.org (104.92.230.170): icmp_seq=11 ttl=57 time=103 ms
^C
--- acme-v01.api.letsencrypt.org ping statistics ---
11 packets transmitted, 11 received, 0% packet loss, time 10013ms
rtt min/avg/max/mdev = 102.174/103.000/104.170/0.675 ms

Why do the addresses differ?

Kind regards
//neph

_az · July 26, 2018, 4:54am

It's not surprising for the IPs to differ - it's just a characteristic of Let's Encrypt's CDN.

MurkyBiscuits · July 30, 2018, 6:00pm

In case it’s helpful, I reliably had the same problem with one particular cert until I made the manual /etc/hosts change advised above. Here is the output and log information from when it failed:

certbot certonly --non-interactive --agree-tos --email re@dacted --force-renewal --webroot -w /var/lib/certbot/greensfelder -d www.greensfelder.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
An unexpected error occurred:
ZeroReturnError
Please see the logfiles in /var/log/letsencrypt for more details.

2018-07-30 09:39:51,534:DEBUG:certbot.main:Root logging level set at 20
2018-07-30 09:39:51,534:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-07-30 09:39:51,534:DEBUG:certbot.main:certbot version: 0.10.2
2018-07-30 09:39:51,534:DEBUG:certbot.main:Arguments: ['--non-interactive', '--agree-tos', '--email', 're@dacted', '--force-renewal', 
'--webroot', '-w', '/var/lib/certbot/greensfelder', '-d', 'www.greensfelder.com']
2018-07-30 09:39:51,535:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,Plu
ginEntryPoint#standalone)
2018-07-30 09:39:51,535:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2018-07-30 09:39:51,537:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f9eb0bdaf50>
Prep: True
2018-07-30 09:39:51,537:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f9eb0bdaf50> and insta
ller None
2018-07-30 09:39:51,586:DEBUG:certbot.main:Picked account: <Account(8cd0f1c552599e66524ce0bf01701b70)>
2018-07-30 09:39:51,587:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-07-30 09:39:51,592:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-07-30 09:39:51,707:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2018-07-30 09:39:51,708:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
expires: Mon, 30 Jul 2018 09:39:51 GMT
server: nginx
connection: keep-alive
pragma: no-cache
cache-control: max-age=0, no-cache, no-store
date: Mon, 30 Jul 2018 09:39:51 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: REDACTED

{
  "J9R-gXjDQ-s": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
2018-07-30 09:39:52,148:INFO:certbot.main:Obtaining a new certificate
2018-07-30 09:39:52,148:DEBUG:root:Requesting fresh nonce
2018-07-30 09:39:52,148:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2018-07-30 09:39:52,178:DEBUG:urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2018-07-30 09:39:52,179:DEBUG:acme.client:Received response:
HTTP 405
content-length: 91
pragma: no-cache
expires: Mon, 30 Jul 2018 09:39:52 GMT
server: nginx
connection: keep-alive
allow: POST
cache-control: max-age=0, no-cache, no-store
date: Mon, 30 Jul 2018 09:39:52 GMT
content-type: application/problem+json
replay-nonce: REDACTED


2018-07-30 09:39:52,179:DEBUG:acme.client:Storing nonce: REDACTED
2018-07-30 09:39:52,180:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "www.greensfelder.com"
  }, 
  "resource": "new-authz"
}
2018-07-30 09:39:52,182:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "header": {
    "alg": "RS256", 
    "jwk": {
      "e": "AQAB", 
      "kty": "RSA", 
      "n": "REDACTED"
    }
  }, 
  "protected": "REDACTED", 
  "payload": "REDACTED", 
  "signature": "cPOtnAePI8JDnWMg47RBfZtsmMpfHcfy3FAeUZ5nvhsZ_uP7akNFT5ATm3P_hGe72t1eE_iDD4LJho_JvKb-uvzk3tTcCE7ed_nLTulzocF3GbgAqUb7qXJgWKcg_9h3tA5OuCGOJ
ku5zqCOdXyixRisvUjLoRurFt2wKRzCmHju2ChDHW-n6A0WQf6cIarLAT_k3PEI7nUWhHTYkGrzMGCBuP8y11JU5reS-Q_t1t3O_pXAyr52b94lIAJHRASwFgJBC3p94EuMGmvvxwhIAP4YKvfTQ5kLYz
MTkU-e29FfGeq7gki7QuCNZWniU2e3W0hWyveq0euvjI8puVx2Fw"
}
2018-07-30 09:39:52,301:DEBUG:urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 None
2018-07-30 09:39:52,348:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 107, in _auth_from_available
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 291, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 67, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 216, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 196, in request_challenges
    new_authz)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 671, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 682, in _post_once
    response = self._send_request('POST', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 614, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 457, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 606, in send
    r.content
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 724, in content
    self._content = bytes().join(self.iter_content(CONTENT_CHUNK_SIZE)) or bytes()
  File "/usr/lib/python2.7/dist-packages/requests/models.py", line 653, in generate
    for chunk in self.raw.stream(chunk_size, decode_content=True):
  File "/usr/lib/python2.7/dist-packages/urllib3/response.py", line 256, in stream
    data = self.read(amt=amt, decode_content=decode_content)
  File "/usr/lib/python2.7/dist-packages/urllib3/response.py", line 186, in read
    data = self._fp.read(amt)
  File "/usr/lib/python2.7/httplib.py", line 602, in read
    s = self.fp.read(amt)
  File "/usr/lib/python2.7/socket.py", line 380, in read
    data = self._sock.recv(left)
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 188, in recv
    data = self.connection.recv(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1321, in recv
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1171, in _raise_ssl_error
    raise ZeroReturnError()
ZeroReturnError

nephilim · August 9, 2018, 6:24am

Hello

here the promised evaluations...

pi@pcf-cloud:~ $ sudo mtr -c 20 --no-dns acme-v01.api.letsencrypt.org --report
sudo: mtr: command not found
pi@pcf-cloud:~ $

pi@pcf-cloud:~ $ sudo curl -v --data "$(dd if=/dev/urandom bs=32767 count=1 | base64)" -m 10 -H "Pragma: akamai-x-get-cache-key, akamai-x-get-true-cache-key, akamai-x-get-request-id, akamai-x--meta-trace, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id" https://acme-v01.api.letsencrypt.org/acme/new-authz
1+0 records in
1+0 records out
32767 bytes (33 kB, 32 KiB) copied, 0.0017538 s, 18.7 MB/s
*   Trying 104.92.230.170...
* TCP_NODELAY set
* Connected to acme-v01.api.letsencrypt.org (104.92.230.170) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Aug  3 01:36:30 2018 GMT
*  expire date: Nov  1 01:36:30 2018 GMT
*  subjectAltName: host "acme-v01.api.letsencrypt.org" matched cert's "acme-v01.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> POST /acme/new-authz HTTP/1.1
> Host: acme-v01.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
> Pragma: akamai-x-get-cache-key, akamai-x-get-true-cache-key, akamai-x-get-request-id, akamai-x--meta-trace, akamai-x-get-nonces, akamai-x-get-ssl-client-session-id
> Content-Length: 44266
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< X-Akamai-SSL-Client-Sid: yQHTC4nbwM+eBUknVoIizA==
< X-Akamai-Request-ID: f2e2ab1.775b191
< Expires: Thu, 09 Aug 2018 06:21:25 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< X-Cache-Key: S/D/16382/432721/000/origin-34m95R0iVz8wRaPHi.api.letsencrypt.org/acme/new-authz
< X-Cache-Key-Extended-Internal-Use-Only: S/D/16382/432721/000/origin-34m95R0iVz8wRaPHi.api.letsencrypt.org/acme/new-authz
< X-True-Cache-Key: /D/000/origin-34m95R0iVz8wRaPHi.api.letsencrypt.org/acme/new-authz
< X-Akamai-SSL-Client-Sid: SY/Yiq5X/SX2X/vAjKKzJw==
* We are completely uploaded and fine
< HTTP/1.1 400 Bad Request
< Server: nginx
< Content-Type: application/problem+json
< Content-Length: 96
< Replay-Nonce: ofdGZZ6ywfoGQ8S3UJQxriInPrALYksTE453YayE2DA
< X-Akamai-SSL-Client-Sid: yQHTC4nbwM+eBUknVoIizA==
< X-Akamai-Request-ID: f2e2ab1.775b191
< Expires: Thu, 09 Aug 2018 06:21:25 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Thu, 09 Aug 2018 06:21:25 GMT
< X-Cache-Key: S/D/16382/432721/000/origin-34m95R0iVz8wRaPHi.api.letsencrypt.org/acme/new-authz
< X-Cache-Key-Extended-Internal-Use-Only: S/D/16382/432721/000/origin-34m95R0iVz8wRaPHi.api.letsencrypt.org/acme/new-authz
< X-True-Cache-Key: /D/000/origin-34m95R0iVz8wRaPHi.api.letsencrypt.org/acme/new-authz
< X-Akamai-SSL-Client-Sid: SY/Yiq5X/SX2X/vAjKKzJw==
< Connection: close
<
{
  "type": "urn:acme:error:malformed",
  "detail": "Parse error reading JWS",
  "status": 400
* Curl_http_done: called premature == 0
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
}pi@pcf-cloud:~ $

That's it. Anything helpful to see from this?

Kind regards
//neph

mnordhoff · August 9, 2018, 6:28am

Can you install it? Most OSes should have an mtr package. On anything Debian-ish you can "sudo apt-get install mtr-tiny".

system · September 8, 2018, 6:28am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.