Error when renewing cert: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1131)')))

My domain is: websitesbynihal.com

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/websitesbynihal.com.conf

Failed to renew certificate websitesbynihal.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1131)')))

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/websitesbynihal.com/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
NodeJS v12.22.5
The operating system my web server runs on is (include version):
Debian GNU/Linux 11 (bullseye) [Raspberry Pi 4]
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.27.0

Looks like https://letsdebug.net/websitesbynihal.com/1548974 is showing inaccessible Port 80, which is needed for the HTTP-01 challenge.

2 Likes

Can you test outbound connections for us? What do these show?

curl -I https://acme-v02.api.letsencrypt.org/directory

curl -I https://google.com

4 Likes

curl -I https://acme-v02.api.letsencrypt.org/directory:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

curl -I https://google.com:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443

Looks like you have some general problem with outbound connections.

Get those working first and try getting the cert once that is fixed.

5 Likes

Is IPv6 enabled?

5 Likes

Yes, it is.

It seems to be a general issue that my pi can't access the internet, but can access my local network. Thanks for setting me down the right path!

2 Likes

I'd start by fixing, disabling, or deprioritizing IPv6.
Try these:
curl -I6 https://google.com
curl -I4 https://google.com

5 Likes

With the I6 flag I got this:
curl: (7) Couldn't connect to server

Whereas with the I4 flag I got this, like before:
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to google.com:443

That's worse than I expected.
IPv6 fails hard.
And IPv4 isn't much better.

What shows?:
openssl version

4 Likes

OpenSSL 1.1.1n 15 Mar 2022

Show the output of:
openssl s_client -connect www.google.com:443
[then press ctrl-c to breakout of that]

4 Likes
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

There should have been a lot more output.
Like:

CONNECTED(000001FC)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=www.google.com
   i:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
 1 s:/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
   i:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
 2 s:/C=US/O=Google Trust Services LLC/CN=GTS Root R1
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate PEM omitted]
-----END CERTIFICATE-----
subject=/CN=www.google.com
issuer=/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4875 bytes and written 261 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: 92CF9F6C28BE96281101285177F4AE9AA988043A870409987F1787110D516682
    Session-ID-ctx:
    Master-Key: 0A955EA71DDC7382C5BE2A5987B01D7359DD430AC60F3B249366C3F96DD2E04B67C47BA6250F8AB9B0198042C0B0817A
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:

    Start Time: 1689293038
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---
^C
4 Likes

openssl s_client -connect www.google.com:443

CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I don't know what to tell you; I ran it again and it looks like it did the same thing.

It seems like there is a "man-in-the-middle".

Try connecting to your own server's IP:
openssl s_client -connect 192.168.0.0:443
[use your actual IP]

4 Likes
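The two s_client transcripts compared above differ in one detail that is easy to miss: the short one still ends in "Verify return code: 0 (ok)", yet it read 0 bytes and never received a certificate, so nothing was actually verified. The helper below, an added example that is not part of this thread, separates that "connection cut before the server certificate" case from a genuine certificate failure such as the expired cert seen later. The transcripts are constructed and abbreviated from the shapes in this thread, with a placeholder hostname.

```python
import re

# Constructed transcript: handshake aborted, no certificate ever arrived.
ABORTED = """CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 306 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)
"""

# Constructed transcript: full handshake, but the leaf certificate has expired.
EXPIRED = """CONNECTED(00000003)
depth=0 CN = example.invalid
verify error:num=10:certificate has expired
---
Certificate chain
 0 s:CN = example.invalid
   i:C = US, O = Let's Encrypt, CN = R3
---
SSL handshake has read 4607 bytes and written 363 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Verify return code: 10 (certificate has expired)
"""


def classify_s_client(transcript):
    """Return (category, detail) for one `openssl s_client` transcript."""
    read = re.search(r"SSL handshake has read (\d+) bytes", transcript)
    read_bytes = int(read.group(1)) if read else 0
    got_chain = "Certificate chain" in transcript
    # Only the unindented summary line counts; the SSL-Session copy is indented.
    code = re.search(r"^Verify return code: (\d+) \(([^)]*)\)", transcript, re.M)
    if read_bytes == 0 or not got_chain:
        # "Verify return code: 0 (ok)" here is not a pass: there was nothing to verify.
        return ("path", "connection dropped before the server sent a certificate")
    if code and code.group(1) != "0":
        return ("cert", code.group(2))
    return ("ok", "handshake completed and chain verified")
```

A "path" verdict points at the network between client and server (routing, proxy, IPv4/IPv6 preference, an interposed device), while a "cert" verdict points at the certificate or trust store.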

Results with the local IP:
548518980096:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
548518980096:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

The web server is up by the way; the page loads from my desktop.

I meant use the actual IP of the web server.

4 Likes

Oh, OK. Here that is:

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = websitesbynihal.com
verify error:num=10:certificate has expired
notAfter=Aug 26 00:09:56 2022 GMT
verify return:1
depth=0 CN = websitesbynihal.com
notAfter=Aug 26 00:09:56 2022 GMT
verify return:1
---
Certificate chain
 0 s:CN = websitesbynihal.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate PEM omitted]
-----END CERTIFICATE-----
subject=CN = websitesbynihal.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4607 bytes and written 363 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 28511565F0AA07489A7D929D0BC18AAEB80448D8FA7188AA78FCFAE726251ACD
    Session-ID-ctx:
    Resumption PSK: 1D39BA86A8771CE702F1A0D0D9EFE061A58FB86B9E1E5B651A54137E1F7AA2D7952F444F39B126343A5ABB9B575B0903
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1689296344
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0A88301CBBAD0014EA3AB5D64BAF4D0251DD5D414EC5846F46AC6DFB2F8671C2
    Session-ID-ctx:
    Resumption PSK: 6B4D1AE1EE3FB3171FA2E4D28DDF9C445DE70BA9D06973289D43257F42A5292D4B6F50EF1D0625E7B2CC0DE1BB5537CF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1689296344
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK