Error when creating new cert

My domain is: www.pasem-sport.com

I ran this command: sudo certbot --apache OR sudo certbot -a webroot -i apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@pasemc.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [Errno 2] No such file or directory
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
[root@t1kc-tempnew]# rpm -q httpd
httpd-2.4.6-89.el7.centos.x86_64

The operating system my web server runs on is (include version):
[root@t1kc-tempnew]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
[root@t1kc-tempnew]# certbot --version
certbot 0.31.0

additionally:
[root@t1kc-tempnew]# dig www.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1603
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 231 IN A 172.217.194.103
www.google.com. 231 IN A 172.217.194.106
www.google.com. 231 IN A 172.217.194.99
www.google.com. 231 IN A 172.217.194.104
www.google.com. 231 IN A 172.217.194.147
www.google.com. 231 IN A 172.217.194.105

;; Query time: 42 msec
;; SERVER: 67.207.67.2#53(67.207.67.2)
;; WHEN: Tue Apr 30 18:32:14 UTC 2019
;; MSG SIZE rcvd: 139

[root@t1kc-tempnew]# dig acme-v01.api.letsencrypt.org

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> acme-v01.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52560
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v01.api.letsencrypt.org. IN A

;; ANSWER SECTION:
acme-v01.api.letsencrypt.org. 2498 IN CNAME api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net. 19359 IN CNAME e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net. 20 IN A 184.50.106.30

;; Query time: 43 msec
;; SERVER: 67.207.67.2#53(67.207.67.2)
;; WHEN: Tue Apr 30 18:33:35 UTC 2019
;; MSG SIZE rcvd: 158

Thanks a lot!

David

Hi @david

what's the content of /var/log/letsencrypt and there, the last file?

Oh - checking your domain via https://check-your-website.server-daten.de/?q=pasem-sport.com there are critical answers:

Host                 T     IP-Address       is auth.  ∑ Queries  ∑ Timeout
pasem-sport.com            Refused          yes       1          0
www.pasem-sport.com  A     178.128.211.101  yes       1          0
                     AAAA                   yes

And checking CAA:

8. CAA - Entries

Domainname flag Name Value ∑ Queries ∑ Timeout
www.pasem-sport.com 0 no CAA entry found 1 0
pasem-sport.com -5 Refused - The name server refuses to perform the specified operation for policy reasons 1 0
com 0 no CAA entry found 1 0

Refused is always bad.

Letsencrypt checks the CAA entry -> refused -> no certificate.
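
The CAA check described in the post above, as an added example that is not part of the original thread: it walks from the requested name up to the TLD (RFC 8659) and treats a failed lookup as a failed check. The zone data is constructed to mirror the checker output, and `caa_decision` is a hypothetical helper name.

```python
# Added illustration, not from the thread: RFC 8659 CAA "tree climbing"
# evaluated over constructed DNS answers that mirror the checker output.
NOERROR, NXDOMAIN, REFUSED = "NOERROR", "NXDOMAIN", "REFUSED"

# Constructed sample data: name -> (rcode, [(tag, value), ...])
BEFORE_FIX = {
    "www.pasem-sport.com": (NOERROR, []),
    "pasem-sport.com": (REFUSED, []),
    "com": (NOERROR, []),
}
AFTER_FIX = dict(BEFORE_FIX, **{"pasem-sport.com": (NOERROR, [])})


def caa_decision(fqdn, zone, ca_domain="letsencrypt.org"):
    """Return (allowed, reason) for a non-wildcard name."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rcode, records = zone.get(name, (NOERROR, []))
        if rcode not in (NOERROR, NXDOMAIN):
            # REFUSED, SERVFAIL, timeout: the absence of a CAA record cannot
            # be shown, so the check fails, as the post above says.
            return False, "%s: lookup failed (%s)" % (name, rcode)
        if not records:
            continue  # empty answer: climb to the parent name
        issuers = [v.split(";")[0].strip() for t, v in records if t == "issue"]
        if not issuers:
            return True, "%s: CAA set has no issue tag" % name
        if ca_domain in issuers:
            return True, "%s: issue %s" % (name, ca_domain)
        return False, "%s: CAA does not list %s" % (name, ca_domain)
    return True, "no CAA record found up to the TLD"


if __name__ == "__main__":
    for label, zone in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, caa_decision("www.pasem-sport.com", zone))
```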

Hi Juergen,

there you go:
sudo tail -100 /var/log/letsencrypt/letsencrypt.log

2019-04-30 18:15:08,615:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_centos.CentOSConfigurator object at 0x7f42fe87ef50> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7f42fe87ef50>
2019-04-30 18:15:08,615:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2019-04-30 18:15:19,144:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-04-30 18:15:19,151:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-04-30 18:15:19,162:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1111, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 605, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 521, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 181, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 814, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1152, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1101, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 464, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: [Errno 2] No such file or directory
2019-04-30 18:15:19,169:ERROR:certbot.log:An unexpected error occurred:

Hi Juergen,

Not sure what I should do about the Refused, but I made some changes in DO’s domain settings and added “pasem-sport.com” to the NS record. Does it look OK now?

However, I am still getting the same error. Can you give me some hints? Thanks for your time.

David

There is a newer check of your domain - https://check-your-website.server-daten.de/?q=pasem-sport.com - now there is no Refused.

Your Certbot - error - I don't understand it.

There is information - your OpenSSL configuration may be incomplete.
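
One way to follow up on the OpenSSL hint above, as an added example that is not part of the original thread: `SSLError: [Errno 2] No such file or directory` raised before any handshake is what a TLS client reports when a configured CA bundle path does not exist. The sketch below lists the CA locations Python and requests would use, flags the missing ones, and reproduces the errno; it is written for Python 3, and the function names are hypothetical.

```python
import os
import ssl

# Environment variables that redirect where requests/OpenSSL look for CAs.
ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE", "SSL_CERT_DIR")


def candidate_ca_paths(environ=None):
    """Collect (source, path) pairs for every CA location in play."""
    environ = os.environ if environ is None else environ
    found = [(var, environ[var]) for var in ENV_VARS if environ.get(var)]
    defaults = ssl.get_default_verify_paths()
    for field in ("openssl_cafile", "openssl_capath"):
        value = getattr(defaults, field)
        if value:
            found.append(("ssl." + field, value))
    try:
        from requests.certs import where  # bundle path requests will load
        found.append(("requests.certs.where()", where()))
    except ImportError:
        pass
    return found


def missing_ca_paths(candidates, exists=os.path.exists):
    """Return the candidates whose path is absent on disk.

    A missing OpenSSL default is harmless if the other default exists; a
    missing env-var or requests path is used directly and fails the request.
    """
    return [(source, path) for source, path in candidates if not exists(path)]


def load_error(cafile):
    """Try to load cafile as a trust store; return the OSError or None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=cafile)
    except OSError as exc:
        return exc
    return None


if __name__ == "__main__":
    for source, path in missing_ca_paths(candidate_ca_paths()):
        print("MISSING %s -> %s (%s)" % (source, path, load_error(path)))
```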
