Error generating certificate in Rocky Linux 9 - httpd + letsencrypt settings

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
tortuga.etpi.com.br

I ran this command:
certbot --apache

It produced this output:
"An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f7884248ee0>: Failed to establish a new connection: [Errno -2] Name or service not known'))"

My web server is (include version):
httpd

The operating system my web server runs on is (include version):
rocky linux 9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.6.0

================================================================

I used to use CentOS 7, but now I'm using Rocky Linux 9 - but it's all new to me lol - I'm not sure if the settings I made in httpd in relation to Certbot are correct. I access the crt.sh website and see that the certificates exist there, but my URL doesn't get the padlock (certificate).


****** LOG LETS: ***********

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1440, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 835, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 297, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 331, in get_directory
    return messages.Directory.from_json(net.get(url).json())
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 706, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 648, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 544, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 657, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 516, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f580fe5af10>: Failed to establish a new connection: [Errno -2] Name or service not known'))
2024-03-11 09:10:14,447:ERROR:certbot._internal.log:An unexpected error occurred:
2024-03-11 09:10:14,448:ERROR:certbot._internal.log:requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f580fe5af10>: Failed to establish a new connection: [Errno -2] Name or service not known'))

=================================================================

Could anyone help me with trying to locate the error and correct it, as I said, I'm new to Rocky Linux 9.

**** Note: ***** I had run the OpenSSL command to generate a certificate ( openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/httpd.key -x509 -days 730 -out /etc/pki/tls/certs/httpd.crt ), but I'm not sure whether I needed to run this command.

Thank you for your personal help.


Please show:

netstat -nr
OR
ip route

nslookup acme-v02.api.letsencrypt.org
OR
dig acme-v02.api.letsencrypt.org

traceroute -T -p 443 www.google.com
traceroute -T -p 443 acme-v02.api.letsencrypt.org

[root@tortuga logs]# traceroute -T -p 443 www.google.com

www.google.com: Name or service not known
Cannot handle "host" cmdline arg `www.google.com' on position 1 (argc 4)
[root@tortuga logs]# systemctl stop iptables

[root@tortuga logs]# traceroute -T -p 443 www.google.com
traceroute to www.google.com (142.250.203.100), 30 hops max, 60 byte packets
1 ip-173-212-238-3.static.contabo.net (173.212.238.3) 0.864 ms 0.804 ms ip-1-75-136-213.static.contabo.net (213.136.75.1) 5.028 ms
2 et-0-0-16.edge4.Munich1.Level3.net (212.162.5.145) 3.421 ms et-5-0-26.edge8.Frankfurt1.Level3.net (62.67.36.137) 8.739 ms et-0-0-16.edge4.Munich1.Level3.net (212.162.5.145) 3.377 ms
3 ffm-bb1-link.ip.twelve99.net (62.115.113.146) 3.972 ms * 3.942 ms
4 142.251.65.131 (142.251.65.131) 9.095 ms 142.250.165.106 (142.250.165.106) 6.779 ms 142.251.48.235 (142.251.48.235) 8.282 ms
5 216.239.43.250 (216.239.43.250) 6.148 ms 142.251.65.131 (142.251.65.131) 10.207 ms google-ic-319726.ip.twelve99-cust.net (62.115.151.25) 3.755 ms
6 216.239.40.147 (216.239.40.147) 10.509 ms 216.239.43.250 (216.239.43.250) 6.204 ms 108.170.236.173 (108.170.236.173) 15.508 ms
7 216.239.42.174 (216.239.42.174) 4.587 ms 192.178.109.216 (192.178.109.216) 4.382 ms 216.239.42.174 (216.239.42.174) 4.605 ms
8 142.251.77.51 (142.251.77.51) 12.802 ms 142.250.231.128 (142.250.231.128) 13.263 ms *
9 142.250.231.128 (142.250.231.128) 11.064 ms 209.85.249.56 (209.85.249.56) 11.894 ms 192.178.74.178 (192.178.74.178) 10.128 ms
10 142.251.77.51 (142.251.77.51) 10.273 ms 142.251.77.145 (142.251.77.145) 12.721 ms zrh04s16-in-f4.1e100.net (142.250.203.100) 14.016 ms

========================================================

I noticed that iptables is blocking my access... But I had already opened the SSH, HTTP and HTTPS ports in iptables. But when I start it, it blocks even dnf install.

Looks like you're also blocking DNS.


Hi
I think so too, but I was unsure about trying to change it and making the server situation worse lol. But would I have to open DNS on TCP port 53 only?


DNS also uses UDP (primarily, with fallback to TCP for larger packets).

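The reply above is the whole diagnosis: a firewall that admits inbound 22/80/443 but nothing for the replies to the host's own outbound connections breaks DNS, and with it dnf and Certbot's connection to acme-v02.api.letsencrypt.org, whichever port 53 transport is opened. The following is an added example, not code from this thread or from Certbot: a small Python evaluator that parses a constructed iptables-save style ruleset modelled on that symptom, walks INPUT and OUTPUT first-match the way the kernel does for the four packets a lookup needs (UDP and TCP query out, reply back in), and names the rule or chain policy that decides each one. The ruleset, the interface name eth0 and the subset of iptables options it understands are assumptions of the example.

```python
"""Offline check: does an iptables ruleset let DNS lookups through?

Added example for this thread, not the poster's actual firewall. It parses a
constructed iptables-save dump, evaluates the chains first-match for the four
packets a resolver needs (query out over UDP and TCP, reply back in) and names
the rule or chain policy that decides each one. Only the options listed in
KNOWN are understood; a rule carrying any other option is treated,
conservatively, as not matching. Jumps to user-defined chains are not followed.
"""
import shlex

# Constructed ruleset modelled on the symptom in the thread: SSH/HTTP/HTTPS are
# opened on INPUT, OUTPUT is open, nothing admits the returning DNS reply and
# the INPUT policy is DROP.
BLOCKED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Same ruleset with the usual fix: admit packets that belong to connections this
# host initiated. That covers DNS replies on both transports, dnf and ACME alike.
FIXED_RULESET = BLOCKED_RULESET.replace(
    "-A INPUT -i lo -j ACCEPT\n",
    "-A INPUT -i lo -j ACCEPT\n"
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n",
)

# The packets one lookup needs. "eth0" is a constructed external interface name;
# the reply arrives there, not on lo.
DNS_PACKETS = [
    ("OUTPUT udp query", {"chain": "OUTPUT", "proto": "udp", "dport": 53, "state": "NEW", "iface": "eth0"}),
    ("INPUT udp reply", {"chain": "INPUT", "proto": "udp", "sport": 53, "state": "ESTABLISHED", "iface": "eth0"}),
    ("OUTPUT tcp query", {"chain": "OUTPUT", "proto": "tcp", "dport": 53, "state": "NEW", "iface": "eth0"}),
    ("INPUT tcp reply", {"chain": "INPUT", "proto": "tcp", "sport": 53, "state": "ESTABLISHED", "iface": "eth0"}),
]

KNOWN = {"-A": "chain", "-p": "proto", "--dport": "dport", "--sport": "sport",
         "-i": "iface", "-o": "iface", "-j": "target", "--state": "state", "--ctstate": "state"}


def parse_rule(line):
    """One `-A CHAIN ...` line into match fields; unknown options flag the rule."""
    rule = {"raw": line, "unknown": []}
    tokens = shlex.split(line)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-m":                      # match-module name; its options follow
            i += 2
        elif tok in KNOWN:
            field, value = KNOWN[tok], tokens[i + 1]
            if field in ("dport", "sport"):
                value = int(value)
            elif field == "state":
                value = set(value.split(","))
            rule[field] = value
            i += 2
        else:                                # "!" negation, -s/-d addresses, ...
            rule["unknown"].append(tok)
            i += 1
    return rule


def parse_ruleset(text):
    """({chain: policy}, {chain: [rules in order]}) from iptables-save output."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    if rule["unknown"]:
        return False
    for field in ("proto", "dport", "sport", "iface"):
        if field in rule and rule[field] != pkt.get(field):
            return False
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    return True


def verdict(policies, chains, pkt):
    """(target, decided_by): first matching rule, else the chain policy."""
    for rule in chains.get(pkt["chain"], []):
        if matches(rule, pkt):
            return rule.get("target", "ACCEPT"), rule["raw"]
    return policies.get(pkt["chain"], "ACCEPT"), f"policy of {pkt['chain']}"


def dns_blocked(text):
    """[(packet label, what decided it)] for the DNS packets the ruleset drops."""
    policies, chains = parse_ruleset(text)
    blocked = []
    for label, pkt in DNS_PACKETS:
        target, why = verdict(policies, chains, pkt)
        if target in ("DROP", "REJECT"):
            blocked.append((label, why))
    return blocked


if __name__ == "__main__":
    for name, text in (("blocked", BLOCKED_RULESET), ("fixed", FIXED_RULESET)):
        print(name, dns_blocked(text) or "DNS allowed")
```

On the blocked ruleset both replies die on the INPUT policy, not on any rule, which is why opening a port 53 listener would not have helped: the reply is inbound traffic on a connection the host opened, and the ESTABLISHED,RELATED accept is what admits it on both transports. Feed real `iptables-save` output to dns_blocked() to check a live host; rules with options the parser does not know are treated as non-matching, so it can miss an ACCEPT but will not invent one.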

[root@tortuga logs]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?
We recommend selecting either all domains, or all domains in a VirtualHost/server block.


1: tortuga.etpi.com.br


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/tortuga.etpi.com.br.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for tortuga.etpi.com.br

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/tortuga.etpi.com.br/fullchain.pem
Key is saved at: /etc/letsencrypt/live/tortuga.etpi.com.br/privkey.pem
This certificate expires on 2024-06-09.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for tortuga.etpi.com.br to /etc/httpd/sites-enabled/server.conf
Your existing certificate has been successfully renewed, and the new certificate has been installed.


If you like Certbot, please consider supporting our work by:


===========================================================

***** Logs /var/log/letsencrypt/letsencrypt.log:

2024-03-11 16:07:30,973:DEBUG:certbot._internal.display.obj:Notifying user: Deploying certificate
2024-03-11 16:07:31,059:DEBUG:certbot.reverter:Creating backup of /etc/httpd/sites-enabled/server.conf
2024-03-11 16:07:31,342:INFO:certbot_apache._internal.configurator:Deploying Certificate to VirtualHost /etc/httpd/sites-enabled/server.conf
2024-03-11 16:07:31,342:DEBUG:certbot._internal.display.obj:Notifying user: Successfully deployed certificate for tortuga.etpi.com.br to /etc/httpd/sites-enabled/server.conf
2024-03-11 16:07:31,717:DEBUG:certbot.reverter:Creating backup of /etc/httpd/sites-enabled/server.conf
2024-03-11 16:07:31,755:INFO:certbot_apache._internal.configurator:Redirecting vhost in /etc/httpd/sites-enabled/server.conf to ssl vhost in /etc/httpd/sites-enabled/server.conf
2024-03-11 16:07:31,921:DEBUG:certbot._internal.display.obj:Notifying user: Your existing certificate has been successfully renewed, and the new certificate has been installed.
2024-03-11 16:07:31,922:DEBUG:certbot._internal.display.obj:Notifying user: If you like Certbot, please consider supporting our work by:

================================================================

Even after running the certificate, the URL doesn't get Let's Encrypt; I just re-ran the certificate (certbot --apache) and renewed it (I stopped Apache).


HTTPS requests to your domain see a self-signed cert and not the Let's Encrypt cert.

Let's look at your Apache config. Do you also have a firewall device that might be intercepting inbound requests?

Please show this

sudo httpd -t -D DUMP_VHOSTS

Here is the cert currently used. Do you recognize it?

subject=C = US, O = Unspecified, CN = tortuga.etpi.com.br, emailAddress = (redacted)@tortuga.etpi.com.br
issuer=C = US, O = Unspecified, OU = ca-8521763988867727100, CN = tortuga.etpi.com.br, emailAddress = (redacted)@tortuga.etpi.com.br
notBefore=Mar  4 15:51:32 2024 GMT
notAfter=Mar  4 15:51:32 2025 GMT
serial=657FF3D683FD7666
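The check the reply above made by hand, fetching the certificate the host actually presents and comparing it with what Certbot wrote to disk, as an added example in Python (not code from the thread or from Certbot). ssl.get_server_certificate sends the host name as SNI, so it sees the same certificate a browser would, and fingerprint() hashes the DER-encoded leaf the way `openssl x509 -noout -fingerprint -sha256` does. The constructed_pem() helper and the payloads it wraps exist only so the comparison can be exercised offline; they are not real certificates. The path /etc/letsencrypt/live/<name>/fullchain.pem is Certbot's default layout, as shown in the output posted earlier.

```python
"""Does the server actually present the Let's Encrypt certificate?

Added example for this thread, not code from the original post. It fetches the
leaf certificate the server presents for a name (ssl.get_server_certificate
uses the host as SNI) and compares its SHA-256 fingerprint with the leaf in
Certbot's /etc/letsencrypt/live/<name>/fullchain.pem. A mismatch means Apache
is serving a different certificate, e.g. the self-signed one from ssl.conf.
"""
import base64
import hashlib
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_pem(pem_text):
    """First certificate in a PEM bundle; fullchain.pem lists the leaf first."""
    start = pem_text.index(PEM_BEGIN)
    stop = pem_text.index(PEM_END, start) + len(PEM_END)
    return pem_text[start:stop]


def fingerprint(pem_text):
    """SHA-256 over the DER leaf, formatted like openssl's -fingerprint output."""
    der = ssl.PEM_cert_to_DER_cert(leaf_pem(pem_text))
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def same_cert(served_pem, local_pem):
    """True when the served leaf and the on-disk leaf are byte-identical."""
    return fingerprint(served_pem) == fingerprint(local_pem)


def served_cert(host, port=443):
    """PEM leaf the server sends for `host`; the host name is also sent as SNI.
    No chain validation is done, on purpose: we want to see a self-signed
    certificate too, not fail on it."""
    return ssl.get_server_certificate((host, port))


def constructed_pem(payload):
    """Constructed PEM framing around arbitrary bytes, for offline use only.
    It is not a real certificate, just the wrapper fingerprint() operates on."""
    body = base64.encodebytes(payload).decode("ascii")
    return f"{PEM_BEGIN}\n{body}{PEM_END}\n"


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "tortuga.etpi.com.br"
    with open(f"/etc/letsencrypt/live/{name}/fullchain.pem") as fh:  # Certbot's layout
        local = fh.read()
    served = served_cert(name)
    print("served :", fingerprint(served))
    print("on disk:", fingerprint(local))
    sys.exit(0 if same_cert(served, local) else 1)
```

Run it on the server itself as `python3 check.py tortuga.etpi.com.br` after every config change: exit status 0 means the name now serves Certbot's certificate, 1 means some other VirtualHost or file is still answering for it. Comparing fingerprints rather than subjects avoids being fooled by the self-signed certificate above, whose CN is also tortuga.etpi.com.br.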

I would like to remove the self-signed certificate and leave only Let's Encrypt. How do I remove the self-signed certificate so that it does not interfere with Let's Encrypt?

=============================================================

[root@tortuga admin]# sudo httpd -t -D DUMP_VHOSTS

VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server localhost (/etc/httpd/sites-enabled/localhost.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:1)
*:443                  is a NameVirtualHost
         default server tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:6)

Oh my 🙂 You should have one and only one VirtualHost for that domain name. You have a similar problem with your port 80 VirtualHosts.

I am guessing you have some kind of configurator which has gone wrong. How do you manage those? We can walk through manual changes but if your configurator just overwrites them that won't help.

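What the DUMP_VHOSTS output above says, mechanically, as an added example (not code from the thread or from Apache): a Python parser for `httpd -t -D DUMP_VHOSTS` output that groups declarations by address:port and name, reports every name declared more than once, and says which declaration Apache actually uses. Apache serves a name from the first VirtualHost on that address:port whose ServerName or ServerAlias matches (the name from SNI on 443, from the Host header on 80), and from the default server when none does, so later duplicates are dead configuration; a source repeated verbatim (same file and line) shows that file is being Include'd twice. The sample string is the output posted above; everything else is the example's own.

```python
"""Spot duplicate VirtualHosts in `httpd -t -D DUMP_VHOSTS` output.

Added example for this thread, not code from the original posts. Apache picks
the FIRST VirtualHost on an address:port whose ServerName/ServerAlias matches
the requested name, and the default server when nothing matches. Every later
block for the same name never answers, which is how Certbot can "deploy" a
certificate into a block that is never used.
"""
import re
from collections import defaultdict

# The output posted above, verbatim.
DUMP_VHOSTS_SAMPLE = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server localhost (/etc/httpd/sites-enabled/localhost.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost localhost (/etc/httpd/sites-enabled/localhost.conf:1)
                 alias localhost
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:1)
         port 80 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:1)
*:443                  is a NameVirtualHost
         default server tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/server.conf:9)
         port 443 namevhost tortuga.etpi.com.br (/etc/httpd/sites-enabled/tortuga.epti.com.br:6)
"""

ADDR_RE = re.compile(r"^(\S+)\s+is a NameVirtualHost\s*$")
DEFAULT_RE = re.compile(r"^\s+default server (\S+) \((.+):(\d+)\)$")
VHOST_RE = re.compile(r"^\s+port \d+ namevhost (\S+) \((.+):(\d+)\)$")


def parse_dump(text):
    """(defaults, vhosts): defaults[addr] = (name, source);
    vhosts[addr] = [(name, source), ...] in Apache's evaluation order."""
    defaults, vhosts = {}, defaultdict(list)
    addr = None
    for line in text.splitlines():
        if m := ADDR_RE.match(line):
            addr = m.group(1)
        elif (m := DEFAULT_RE.match(line)) and addr:
            name, path, lineno = m.groups()
            defaults[addr] = (name, f"{path}:{lineno}")
        elif (m := VHOST_RE.match(line)) and addr:
            name, path, lineno = m.groups()
            vhosts[addr].append((name, f"{path}:{lineno}"))
    return defaults, dict(vhosts)


def effective(vhosts):
    """{(addr, name): source} of the block Apache actually uses for each name."""
    chosen = {}
    for addr, entries in vhosts.items():
        for name, source in entries:
            chosen.setdefault((addr, name), source)   # first declaration wins
    return chosen


def duplicates(vhosts):
    """{(addr, name): [source, ...]} for names declared more than once.
    A source repeated verbatim means that file is Include'd twice; different
    sources mean competing definitions, only the first of which answers."""
    found = {}
    for addr, entries in vhosts.items():
        by_name = defaultdict(list)
        for name, source in entries:
            by_name[name].append(source)
        for name, sources in by_name.items():
            if len(sources) > 1:
                found[(addr, name)] = sources
    return found


def report(text):
    defaults, vhosts = parse_dump(text)
    winners = effective(vhosts)
    for (addr, name), sources in sorted(duplicates(vhosts).items()):
        print(f"{addr} {name}: {len(sources)} declarations, Apache uses {winners[(addr, name)]}")
        for src in sources:
            print(f"    {src}")
    for addr, (name, source) in sorted(defaults.items()):
        print(f"{addr} default server {name} at {source}")


if __name__ == "__main__":
    report(DUMP_VHOSTS_SAMPLE)
```

On the posted output the winner for tortuga.etpi.com.br on *:443 is /etc/httpd/conf.d/ssl.conf:40, the stock block that carries the self-signed localhost.crt, while Certbot edited /etc/httpd/sites-enabled/server.conf; that is the whole reason the browser never saw the Let's Encrypt certificate. The repeated server.conf:9 and localhost.conf:1 lines say sites-enabled is included twice. Pipe a live dump in with `httpd -t -D DUMP_VHOSTS 2>&1 | python3 vhosts.py` after swapping the sample for sys.stdin.read().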

Do you think I should remove some of these config *.conf (localhost.conf and server.conf)?

lrwxrwxrwx 1 root root 41 Mar 4 11:58 localhost.conf -> /etc/httpd/sites-available/localhost.conf
lrwxrwxrwx 1 root root 38 Mar 4 11:58 server.conf -> /etc/httpd/sites-available/server.conf
lrwxrwxrwx 1 root root 46 Mar 4 11:58 tortuga.epti.com.br -> /etc/httpd/sites-available/tortuga.epti.com.br

==========================================================

How do I manually configure it to get the Let's Encrypt certificate? This server will have other sites in the future.

Would you like to see the VirtualHost settings? tortuga.etpi.com.br or server.conf or localhost.conf?

Thank you very much for the tips and how to solve this problem

Only you would know if you need those or not.


Guys, I wanted to say that you can change the settings in the available site and, together with the path that the certificate allows for encryption, take the ssl.conf files and be able to resolve it; now my URL has the certificate that allows for encryption. If anyone wants to see the changes, I can show them. I thank everyone who helped me and took the time to help me, I am very grateful.


Glad you fixed your problem.

Let's Encrypt does not have any settings for your active website. It provides your cert files but after that all the configuration is done on your server.


Changes to the ssl.conf file settings (/etc/httpd/conf.d/ folder) and the VirtualHost as well.

Original (#) and change (>):

#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
> SSLCertificateFile /etc/letsencrypt/live/tortuga.etpi.com.br/fullchain.pem

#   Server private key:
#   If the key is not matched to the certificate, use this
#   directive to point to the key file. Keep in mind that if
#   you have an RSA private key and a DSA one, you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
> SSLCertificateKeyFile /etc/letsencrypt/live/tortuga.etpi.com.br/privkey.pem

#   Server certificate chain:
#   Point SSLCertificateChainFile to a file containing the
#   concatenation of PEM-encoded CA certificates that form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when CA certificates are attached directly to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
> SSLCertificateChainFile /etc/letsencrypt/live/tortuga.etpi.com.br/fullchain.pem

and made changes to the VirtualHost file.

Now a question: if I have sites (URLs) on the same server, same IP and different URLs, how do I get them the Let's Encrypt certificate? I had this doubt.

The Apache VirtualHost determines which VHost handles the incoming request. It matches the incoming domain name to its VHost. Usually this is SNI (name-based) matching, although Apache also supports IP-based matching, which is best avoided. See the Apache docs for details.

If you really mean different URLs for the same domain name then those are handled with location statements or similar within the VHost for that domain. Again, see the Apache docs.

The command below is always helpful for viewing your VirtualHosts and whether they are name-based (SNI) or not. Yours were NameVirtualHost, so they use the SNI name-based method, which sounds right for your situation and is very common.

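The multi-site setup the reply above describes, as an added example in Python (not the poster's configuration or Apache's code): a constructed httpd configuration with one name-based <VirtualHost *:443> per site, each pointing at its own /etc/letsencrypt/live/<ServerName>/ files, beside the stock ssl.conf block that still carries the self-signed localhost.crt, plus a lint() that parses it and flags a block whose certificate or key is not that name's own Let's Encrypt lineage, a block that serves the self-signed certificate, and a redundant SSLCertificateChainFile. site2.example and its paths are made up for the example; the lint reads only the directives it lists.

```python
"""Two names on one IP, each with its own Let's Encrypt certificate.

Added example for this thread, not the poster's configuration. Apache selects
the <VirtualHost *:443> whose ServerName/ServerAlias matches the name the
client sent in the TLS ClientHello (SNI) and uses that block's certificate, so
every name needs its own block pointing at its own /etc/letsencrypt/live/<name>/
files. The configuration below is constructed; lint() checks it the way one
would check a real /etc/httpd/sites-enabled/*.conf.
"""
import re

# Constructed configuration: site2.example is a made-up second site.
CONSTRUCTED_CONF = """\
<VirtualHost *:443>
    ServerName tortuga.etpi.com.br
    DocumentRoot /var/www/tortuga
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/tortuga.etpi.com.br/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/tortuga.etpi.com.br/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName site2.example
    ServerAlias www.site2.example
    DocumentRoot /var/www/site2
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/site2.example/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/site2.example/privkey.pem
</VirtualHost>

# Stock /etc/httpd/conf.d/ssl.conf block left as shipped: any name not claimed
# above, or a client that sends no SNI, lands here and gets localhost.crt.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

STOCK_SELF_SIGNED = "/etc/pki/tls/certs/localhost.crt"
LE_LIVE = "/etc/letsencrypt/live"

BLOCK_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLEngine|SSLCertificateFile|"
    r"SSLCertificateKeyFile|SSLCertificateChainFile)\s+(.+?)\s*$", re.M)


def parse_vhosts(conf):
    """[{addr, aliases, <directive>: value}, ...] per <VirtualHost>, in file order."""
    blocks = []
    for m in BLOCK_RE.finditer(conf):
        vhost = {"addr": m.group(1).strip(), "aliases": []}
        for d in DIRECTIVE_RE.finditer(m.group(2)):
            key, value = d.groups()
            if key == "ServerAlias":
                vhost["aliases"].extend(value.split())
            else:
                vhost[key] = value
        blocks.append(vhost)
    return blocks


def lint(conf):
    """[(vhost label, problem)] for the TLS blocks on port 443 in `conf`."""
    problems = []
    for v in parse_vhosts(conf):
        if not v["addr"].endswith(":443") or v.get("SSLEngine", "").lower() != "on":
            continue
        label = v.get("ServerName", v["addr"])
        cert, key = v.get("SSLCertificateFile", ""), v.get("SSLCertificateKeyFile", "")
        if "ServerName" not in v:
            problems.append((label, "no ServerName: only reachable as the default vhost"))
        if not cert or cert == STOCK_SELF_SIGNED:
            problems.append((label, f"serves the self-signed {STOCK_SELF_SIGNED}"))
        elif "ServerName" in v:
            lineage = f"{LE_LIVE}/{v['ServerName']}/"   # Certbot's per-name directory
            if not cert.startswith(lineage):
                problems.append((label, f"SSLCertificateFile {cert} is not under {lineage}"))
            if not key.startswith(lineage):
                problems.append((label, f"SSLCertificateKeyFile {key} is not under {lineage}"))
        if "SSLCertificateChainFile" in v and cert.endswith("fullchain.pem"):
            problems.append((label, "SSLCertificateChainFile is redundant: fullchain.pem already "
                                    "carries the chain (directive obsolete since httpd 2.4.8)"))
    return problems


if __name__ == "__main__":
    for label, problem in lint(CONSTRUCTED_CONF):
        print(f"{label}: {problem}")
```

The two named blocks pass; the only findings are against the stock _default_ block, which is the expected shape of a multi-site server: one block per name with its own lineage, and the default block either removed or understood to answer only for names nobody claimed. Adding a third site is one more block plus `certbot --apache -d name`, and `lint(open(path).read())` on the real file catches the copy-paste error of pointing a new block at another name's certificate.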

MakeMcQ, thank you very much for your help and tips, I am very grateful. I'll be checking and reading the Apache documentation.
