Error installing certbot on Apache

Greetings,

I have an Ubuntu 18.04 VPS hosting a Django 2 project with Python 3.6, which was launched in January 2021 with its SSL certificate created with certbot-auto and with auto-renewal through a crontab. Everything worked fine until September 28, 2021; the certificate was not renewed, and when I try to renew it I get a message that certbot-auto is now obsolete. I am following the recommendations at the link Certbot - Ubuntubionic Apache. I uninstalled certbot-auto, and when I enter either of the commands sudo certbot --apache or sudo certbot certonly --apache and then enter the email address, I get the following message:

An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5679da1af0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I would greatly appreciate your comments.

Regards.

Hello @JoseJavierCB,

Does this server have Internet access? Is there an application-specific firewall that allows only some programs to access the Internet?

The message says it could not establish a connection with the CA. Can you try this on the same server?

curl -v https://acme-v02.api.letsencrypt.org/

Greetings, yes, it has Internet access, but I am not sure whether it has a firewall; it should have one, since I am an external programmer and they gave me access to one of their servers.

When I run the command curl -v https://acme-v02.api.letsencrypt.org/ I get the following result:

Thank you for your comments.

I have an Ubuntu 18.04 VPS in which I have a project in Django 2 with python 3.6, which was released in January 2021 with its SSL certificate created with certbot-auto and with auto-renewal through a crontab. Everything worked fine until Sep 28, 2021, the certificate was not renewed and when I try to do so I get a message that certbot-auto is now out of date. I follow the recommendations of the link Certbot - Ubuntubionic Apache. I uninstalled the certbot-auto and entering any of the commands **sudo certbot --apache** or **sudo certbot certonly --apache** and then enter the mail, the following message appears:

An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f5679da1af0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I appreciate your comments and help in advance. Greetings.

As a test, can you please try:
curl -I http://acme-v02.api.letsencrypt.org/directory
wget --delete-after https://acme-v02.api.letsencrypt.org/directory

and show the output of:
openssl version
certbot --version

Also, did you follow these steps when replacing certbot-auto with certbot?
Certbot - Ubuntubionic Other (eff.org)
[especially step #3]

root@iothublat:/# curl -I http://acme-v02.api.letsencrypt.org/directory
HTTP/1.1 200 OK
Date: Sat, 16 Oct 2021 20:24:25 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 2051
X-Frame-Options: SAMEORIGIN
Vary: Cookie,Accept-Encoding
Content-Type: text/html; charset=utf-8

root@iothublat:/# wget --delete-after https://acme-v02.api.letsencrypt.org/directory
--2021-10-16 15:25:40-- https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 190.63.195.77, 172.20.0.12
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|190.63.195.77|:443... connected.
OpenSSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Unable to establish SSL connection.

root@iothublat:/# openssl version
OpenSSL 1.1.1 11 Sep 2018

root@iothublat:/# certbot --version
certbot 0.31.0

Thanks for your help.

Thank you very much for your help, I did what you mention but when installing step 7, I get the following error:

root@iothublat:/usr/local/bin# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): soporte@javiercb.com
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1131)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

There is a problem with your DNS.
Those IPs are NOT from LE.
The second IP is within RFC-1918.

[did someone say MITM - DNS hijack ?]

Try:
wget --no-check-certificate --delete-after https://172.65.32.248/directory

These are the IPs I see:

Name:      ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Addresses: 2606:4700:60:0:f53d:5624:85c7:3a2c
           172.65.32.248
Aliases:   acme-v02.api.letsencrypt.org
           prod.api.letsencrypt.org
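
Added example, not part of the original thread: the diagnosis above (a private address and an unexpected public address returned for the ACME host) expressed as a repeatable check. The function names are hypothetical; the input line and the reference addresses are copied from the outputs posted in this thread, and CDN addresses can change over time.

```python
import ipaddress
import re
import socket
import ssl

# The "Resolving" line copied from the wget output posted in this thread.
WGET_LINE = ("Resolving acme-v02.api.letsencrypt.org "
             "(acme-v02.api.letsencrypt.org)... 190.63.195.77, 172.20.0.12")
# Addresses another poster's resolver returned (from the thread; may change).
REFERENCE = {"172.65.32.248", "2606:4700:60:0:f53d:5624:85c7:3a2c"}


def parse_wget_resolving(line):
    """Return (hostname, [addresses]) from a wget 'Resolving ...' line."""
    m = re.match(r"Resolving (\S+) \(\S+\)\.\.\. (.+)$", line.strip())
    if not m:
        raise ValueError("not a wget 'Resolving' line")
    return m.group(1), [a.strip() for a in m.group(2).split(",")]


def audit_answers(addresses, reference):
    """Flag non-public answers and answers a trusted resolver did not give."""
    ref = {ipaddress.ip_address(r) for r in reference}
    findings = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if not ip.is_global:
            findings.append((text, "non-public address for a public host"))
        elif ip not in ref:
            findings.append((text, "not in reference resolver's answer"))
    return findings


def tls_verifies(hostname, address, port=443, timeout=5.0):
    """Connect to address with hostname as SNI; True only if the
    certificate chain and hostname validate (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname):
                return True
    except OSError:  # includes ssl.SSLError such as WRONG_VERSION_NUMBER
        return False


if __name__ == "__main__":
    host, addrs = parse_wget_resolving(WGET_LINE)
    for addr, reason in audit_answers(addrs, REFERENCE):
        print(f"{host}: {addr}: {reason}")
```

An address missing from the reference set is only a hint, since a CDN can hand out different addresses; `tls_verifies(host, addr)` is the stronger check because an endpoint that is not the CA cannot complete a validated handshake for that hostname.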

root@iothublat:/# wget --no-check-certificate --delete-after https://172.65.32.248/directory
--2021-10-16 18:56:33-- https://172.65.32.248/directory
Connecting to 172.65.32.248:443... connected.
WARNING: certificate common name ‘acme-v02.api.letsencrypt.org’ doesn't match requested host name ‘172.65.32.248’.
HTTP request sent, awaiting response... 200 OK
Length: 583 [application/json]
Saving to: ‘directory.tmp’

directory.tmp 100%[============================================================================>] 583 --.-KB/s in 0s

2021-10-16 18:56:34 (36.6 MB/s) - ‘directory.tmp’ saved [583/583]

Removing directory.tmp.

But when trying to install again:
root@iothublat:/# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): soporte@javiercb.com
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1131)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So your problem is DNS.

Thanks for answering, I tell you that I only have access to the VPS console, I do not control anything else, so I know little about this, I would like to know if I can do something from the VPS, or it is already an external one that I have control over, for example, some configuration in the domain and I do not control it?


You would have to speak with your Hosting Service Provider (HSP).
It is the DNS servers being used by the VPS that need to be corrected.

Ready, Thanks...
