Error while creating ssl certificate in nginx proxy manager

My domain is:
ardelplanque.ovh

I have nginx proxy manager installed, port 80 and 443 open in my router and it points to my server.
Adding a proxy host works in HTTP (accessible in LAN and WAN).

When I want to add an SSL certificate, it gives me the following error message:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-4" --agree-tos --authenticator webroot --email "arndel90@hotmail.com" --preferred-challenges "http" --domains "plex.ardelplanque.ovh" 
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:1056)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:402:12)
    at ChildProcess.emit (node:events:513:28)
    at maybeClose (node:internal/child_process:1100:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:304:5)

I've searched for an answer but can't find anything related.

OMV6 with Docker and Portainer, Nginx PM in a container
certbot 2.5.0

Thanks for reading :wink:


Hi @arndel90, and welcome to the LE community forum :slight_smile:

Sorry, but I stopped reading at:

I don't think this is the place to bring such a problem.
You can.
I'm just saying that you probably won't get much help with it here.


I also don't know anything about Nginx Proxy Manager, but this piece sounds to me like it's having trouble accessing the Let's Encrypt API endpoint. Does the server have outbound Internet access? Is there some "smart" firewall trying to intercept the outgoing traffic?


Maybe that file can show us more about the problem.


Hi, thanks for the answer.
I've posted here because the error message points me to this forum. Everything related to the proxy works fine (except for the SSL part); I can access my web pages from outside my LAN.
The log is as follows:

[root@docker-6b08fdb2212a:/tmp/letsencrypt-log]# cat letsencrypt.log

2023-12-22 16:48:52,270:DEBUG:certbot._internal.main:certbot version: 2.5.0
2023-12-22 16:48:52,270:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-12-22 16:48:52,270:DEBUG:certbot._internal.main:Arguments: ['--config', '/etc/letsencrypt.ini', '--work-dir', '/tmp/letsencrypt-lib', '--logs-dir', '/tmp/letsencrypt-log', '--cert-name', 'npm-4', '--agree-tos', '--authenticator', 'webroot', '--email', 'arndel90@hotmail.com', '--preferred-challenges', 'dns,http', '--domains', 'plex.ardelplanque.ovh']
2023-12-22 16:48:52,270:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-12-22 16:48:52,279:DEBUG:certbot._internal.log:Root logging level set at 30
2023-12-22 16:48:52,280:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2023-12-22 16:48:52,282:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7faf89324f60>
Prep: True
2023-12-22 16:48:52,282:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7faf89324f60> and installer None
2023-12-22 16:48:52,282:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2023-12-22 16:48:52,348:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-12-22 16:48:52,349:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-12-22 16:48:52,394:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 468, in _make_request
    self._validate_conn(conn)
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 1097, in _validate_conn
    conn.connect()
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connection.py", line 658, in connect
    assert_fingerprint=self.assert_fingerprint,
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connection.py", line 793, in _ssl_wrap_socket_and_match_hostname
    tls_in_tls=tls_in_tls,
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 471, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 515, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib/python3.7/ssl.py", line 886, in _create
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1150, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 803, in urlopen
    **response_kw,
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 492, in _make_request
    raise new_e
urllib3.exceptions.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:1056)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/opt/certbot/lib/python3.7/site-packages/requests/adapters.py", line 497, in send
    chunked=chunked,
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/connectionpool.py", line 846, in urlopen
    method, url, error=new_e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/opt/certbot/lib/python3.7/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:1056)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/opt/certbot/lib/python3.7/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 1579, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 830, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/main.py", line 739, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 207, in register
    acme = acme_from_config_key(config, key)
  File "/opt/certbot/lib/python3.7/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 331, in get_directory
    return messages.Directory.from_json(net.get(url).json())
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 706, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/certbot/lib/python3.7/site-packages/acme/client.py", line 648, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/requests/sessions.py", line 589, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/requests/sessions.py", line 703, in send
    r = adapter.send(request, **kwargs)
  File "/opt/certbot/lib/python3.7/site-packages/requests/adapters.py", line 517, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:1056)')))
2023-12-22 16:48:52,397:ERROR:certbot._internal.log:An unexpected error occurred:
2023-12-22 16:48:52,397:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:1056)')))

Well...
The "error" seems pretty consistent:
ssl.SSLError: [SSL: TLSV1_UNRECOGNIZED_NAME] tlsv1 unrecognized name (_ssl.c:1056)

What shows?:
dig acme-v02.api.letsencrypt.org


That error is often caused by Python having an old outdated openssl installation, and either having issues with the TLS version or the SNI in the certificates.

@arndel90 - how did you install certbot - pip in a virtualenv, system installation, something else? what is your operating system and python version?

This link may help:

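The two checks suggested in the replies above (what the name resolves to, and whether the TLS stack under Python can complete a handshake with SNI) can be run together from inside the NPM container. This is an added example, not code from the thread or from NPM; it assumes Python 3.9+ and that the ACME hostname from the log is the one to test, and it only classifies what it observes, so a resolver answer such as the 0.0.0.0 seen in the dig output is reported as a DNS problem before any TLS attempt is made.

```python
import re
import socket
import ssl

ACME_HOST = "acme-v02.api.letsencrypt.org"  # the endpoint certbot failed to reach in the log above

# Answers like these can never carry a TLS session (the dig output in this thread
# returned 0.0.0.0), so such a result points at DNS, not at certbot or OpenSSL.
UNROUTABLE = ("0.0.0.0", "127.0.0.1", "::1", "::")

def is_old_openssl(version_string: str) -> bool:
    """True for OpenSSL releases before 1.1.1 (the 'outdated openssl' case)."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.(\d+)", version_string)
    return bool(m) and tuple(int(x) for x in m.groups()) < (1, 1, 1)

def classify(addresses: list[str], handshake_error: str = "", openssl_version: str = "") -> str:
    """Map the observations to the most likely cause of the certbot failure."""
    if not addresses:
        return "dns-failure"      # name does not resolve: check resolv.conf in the container
    if all(a in UNROUTABLE for a in addresses):
        return "dns-sinkhole"     # resolver hands back an unusable address: DNS filtering on host/network
    if "UNRECOGNIZED_NAME" in handshake_error:
        if is_old_openssl(openssl_version):
            return "old-openssl"  # outdated TLS stack under Python, as suggested in the thread
        return "wrong-endpoint"   # a TLS server answered but did not know the SNI name: not the ACME API
    if handshake_error:
        return "tls-error"        # some other handshake failure; read the error text
    return "ok"

def resolve(host: str) -> list[str]:
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tls_handshake(host: str, timeout: float = 5.0) -> str:
    """Connect with SNI the way urllib3 does; return '' on success, else the error text."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return ""
    except (OSError, ssl.SSLError) as exc:
        return str(exc)

def diagnose(host: str = ACME_HOST) -> str:
    # Live run: resolve first, only attempt TLS when the answer is usable.
    addrs = resolve(host)
    err = tls_handshake(host) if addrs and not all(a in UNROUTABLE for a in addrs) else ""
    return classify(addrs, err, ssl.OPENSSL_VERSION)
```

Run `python3 -c "import diag, ssl; print(ssl.OPENSSL_VERSION, diag.diagnose())"` (file saved as diag.py) inside the container and on the OMV host; differing results between the two point at the container's resolver or network namespace.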

I can't use dig in the container nor install dnsutils.
In the OMV6 CLI this gave me this:

; <<>> DiG 9.16.44-Debian <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org. IN A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 2 IN A 0.0.0.0

;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fri Dec 22 18:32:07 CET 2023
;; MSG SIZE rcvd: 73

I didn't have to install anything, it all came with Nginx Proxy Manager.

Then a NPM support channel is probably the best way forward, as you'd probably get better support there due to lack of knowledge of NPM on this Community.


Your issue is with NPM, either it being misconfigured or installed on an incompatible system. You should bring your concerns to them.

I do not think this is something this community could potentially solve, as these are core Python errors and troubleshooting/fixing will likely require updating Python, OpenSSL, or both, or recompiling Python against a newer OpenSSL. Those are not things that should be done to a dockerized system, but typically instead handled by reconfiguring or updating the docker images or operating system that is running it.


What shows?:
ping acme-v02.api.letsencrypt.org


Can't use ping either...

Thanks for all the answers. A message has been posted on the NPM GitHub page; I'll see what answers they can bring me.

If nothing comes up on their side, I'll try installing nginx and certbot on bare metal on my server.
