Failing to install certificate with An unexpected error occurred: acme.errors.TimeoutError

Running CentOS 7

Renewal dry runs do not toss an error, but the actual renewal fails.
Have deleted and tried to reinstall a new certificate with a failure of
An unexpected error occurred: acme.errors.TimeoutError

Sending POST request to https://acme.sectigo.com/v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS5zZWN0aWdvLmNvbS92Mi9JbkNvbW1vblJTQU9WL2FjY291bnQveGpBM0JKNnlZMGRCZWlpRklyZmlGdyIsICJub25jZSI6ICJibUg5cTBlWkx0bkEzUUFEZUZYZ2hjWHpUaEtXT1hBUmpzOC16TEZjc1ZZIiwgInVybCI6ICJodHRwczovL2FjbWUuc2VjdGlnby5jb20vdjIvSW5Db21tb25SU0FPVi9vcmRlci9qZncyejhvZjN6SjU2QVc5UXIyMi1RIn0",
  "signature": "L1sutwE5beFPzurzmx2rJpvC-wiSOPcOQGzK8uAXUdl5h3a0UGcq9ZgCYXQsRA7EZaZy2oFLVSlrCGDs6HuIfD1LuP2GAbK7saZL_I_Eyar1Oz0datKpWEF6QwUGnko9OS53kP1633B1XVxIjL5UuJj3-Zznx_8--RXuOMPsyD5LBP-_s5YcrGgptoX6P2TR8LQscB_P8Asm1IYhCMILiskN61XsiglOiuFC5vIMSK8RI4XDd5OUOD-n4nqwXpX3bxTl95HvjbfFsZzkmJIDsTqgWXtY45txsRpYgAQBMYjnm0v_VU_eIQsQEmsOaY8BLRyaqfDUknVPFec8mJ-zbQ",  "payload": ""
}
https://acme.sectigo.com:443 "POST /v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q HTTP/1.1" 200 309
Received response:
HTTP 200
Server: nginx
Date: Tue, 25 Apr 2023 00:01:13 GMT
Content-Type: application/json
Content-Length: 309
Connection: keep-alive
Replay-Nonce: fPaPoGWgx4C1aV2xZT0tDq_6mq_WbqVMduHJDBVOl-A
Cache-Control: max-age=0, no-cache, no-store
Access-Control-Allow-Origin: *
Location: https://acme.sectigo.com/v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q
Retry-After: 15
Strict-Transport-Security: max-age=15724800; includeSubDomains

{"status":"processing","expires":"2024-04-23T23:59:43Z","identifiers":[{"type":"dns","value":"REMOVED"}],"authorizations":["https://acme.sectigo.com/v2/InCommonRSAOV/authz/AZ3o4Yl-Wn6aSKOgc9UI-g"],"finalize":"https://acme.sectigo.com/v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q/finalize"}
Storing nonce: fPaPoGWgx4C1aV2xZT0tDq_6mq_WbqVMduHJDBVOl-A
JWS payload:
b''
Sending POST request to https://acme.sectigo.com/v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS5zZWN0aWdvLmNvbS92Mi9JbkNvbW1vblJTQU9WL2FjY291bnQveGpBM0JKNnlZMGRCZWlpRklyZmlGdyIsICJub25jZSI6ICJmUGFQb0dXZ3g0QzFhVjJ4WlQwdERxXzZtcV9XYnFWTWR1SEpEQlZPbC1BIiwgInVybCI6ICJodHRwczovL2FjbWUuc2VjdGlnby5jb20vdjIvSW5Db21tb25SU0FPVi9vcmRlci9qZncyejhvZjN6SjU2QVc5UXIyMi1RIn0",
  "signature": "Y_Gr9pMbBasauGFaffaxmYx8bbmQvbHghuqzpTvcQNW2vEfMB-pdspSrw1ON87v-5v3TDRj1AU7z1Fi8UeURcGQXSblUOoNqZZSi7wjFiEoF8Hdp8OQc29Rig3QdAjOIYvdcudQh4WFf8k5VKqfZGuW2ojBGBIbvv-33RiieJh-xePAFiAnQLw2tTdd2J0venm8B9ZQrsSdH54LnsSdh-UNCCLn_mH3rqanEX6UBIA0Bh7yjVAz6hQeOSREbIjjO5f7Py4eVsC4eqxRtlsiTdn5ZyyK2jJmefpkD_yPAR_SLWRxQgLy8YdVNfJNHtAv6RRV1qH6C-NRJBin1oYUDeQ",  "payload": ""
}
https://acme.sectigo.com:443 "POST /v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q HTTP/1.1" 200 309
Received response:
HTTP 200
Server: nginx
Date: Tue, 25 Apr 2023 00:01:14 GMT
Content-Type: application/json
Content-Length: 309
Connection: keep-alive
Replay-Nonce: X52qvCm4Ax5NC1KO2Cn3jHikjH143KxbFvWItm4AS5o
Cache-Control: max-age=0, no-cache, no-store
Access-Control-Allow-Origin: *
Location: https://acme.sectigo.com/v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q
Retry-After: 15
Strict-Transport-Security: max-age=15724800; includeSubDomains

{"status":"processing","expires":"2024-04-23T23:59:43Z","identifiers":[{"type":"dns","value":"REMOVED"}],"authorizations":["https://acme.sectigo.com/v2/InCommonRSAOV/authz/AZ3o4Yl-Wn6aSKOgc9UI-g"],"finalize":"https://acme.sectigo.com/v2/InCommonRSAOV/order/jfw2z8of3zJ56AW9Qr22-Q/finalize"}
Storing nonce: X52qvCm4Ax5NC1KO2Cn3jHikjH143KxbFvWItm4AS5o
Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/2913/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1447, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 141, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 516, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 451, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 341, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/acme/client.py", line 276, in finalize_order
    return self.poll_finalization(orderr, deadline, fetch_alternative_chains)
  File "/var/lib/snapd/snap/certbot/2913/lib/python3.8/site-packages/acme/client.py", line 260, in poll_finalization
    raise errors.TimeoutError()
acme.errors.TimeoutError
An unexpected error occurred:
acme.errors.TimeoutError
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Server is on a private/not internet-accessible IP, but the DNS is registered and nslookups return properly.

Hello @CentOSCertBot, welcome to the Let's Encrypt community.

That would imply to me the use of the DNS-01 challenge (see Challenge Types - Let's Encrypt);
however, this seems like you are asking about services from Sectigo.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

Ran command: sudo certbot --apache --agree-tos --email [email removed] --server https://acme.sectigo.com/v2/InCommonRSAOV --eab-kid [keyid removed] --eab-hmac-key [key removed] --domain medicineit-dev.arizona.edu --cert-name medicineit-dev.arizona.edu

OS: Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-1160.81.1.el7.x86_64

Apache version: Server version: Apache/2.4.6 (CentOS)
Server built: Apr 5 2023 17:18:30

No hosting, a CentOS VM
I can login as root
No Cpanel,
Certbot 2.5.0

Strangely....this had all been working then renewals started to fail

When did you upgrade? Certbot, somewhere in the 2.x versions, changed from RSA to ECDSA as the default for certificates. Look in Client dev for Certbot info.

So I've removed and reinstalled certbot with snap.
It seems as though even new cert requests are dying out. Did I fail to get rid of all the configuration information?

You can probably use --issuance-timeout to fix this.

By default, Certbot will wait up to 90 seconds for the certificate authority to sign the certificate, after the order finalization procedure has started.

You can raise this to something longer (like 10 minutes) with:

--issuance-timeout 600

In general, Let's Encrypt issues certificates very quickly, but I have heard that there can be longer delays with ZeroSSL and Sectigo. I recommend trying that.

If that works for you, I recommend you put that setting into /etc/letsencrypt/cli.ini, so that renewals succeed as well:

issuance-timeout=600
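To size --issuance-timeout from the log rather than by guesswork, the following added example (not part of the original posts and not Certbot's own code) reads a debug log in the shape quoted earlier in this thread and reports how long the order was observed in "processing". The sample log is constructed, and `order_polls` and `summarize` are hypothetical helper names.

```python
import json
from email.utils import parsedate_to_datetime

# Constructed sample in the shape of the debug log quoted in this thread
# (response headers, blank line, JSON order body). All values are made up.
SAMPLE_LOG = """\
Received response:
Date: Tue, 25 Apr 2023 00:00:00 GMT
Retry-After: 15

{"status":"processing","finalize":"https://ca.example/order/1/finalize"}
Received response:
Date: Tue, 25 Apr 2023 00:01:29 GMT
Retry-After: 15

{"status":"processing","finalize":"https://ca.example/order/1/finalize"}
"""

def order_polls(log_text):
    """Yield (server_time, status, retry_after) for each order response body."""
    date = retry = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Received response:"):
            date = retry = None          # a new response starts here
        elif line.startswith("Date: "):
            date = parsedate_to_datetime(line.split(": ", 1)[1])
        elif line.startswith("Retry-After: "):
            value = line.split(": ", 1)[1]
            retry = int(value) if value.isdigit() else None
        elif line.startswith("{") and date is not None:
            try:
                body = json.loads(line)
            except ValueError:
                continue                 # e.g. first line of a pretty-printed JWS
            if isinstance(body, dict) and "finalize" in body and "status" in body:
                yield date, body["status"], retry

def summarize(log_text):
    """Return poll count, seconds seen in 'processing', and the last status."""
    polls = list(order_polls(log_text))
    waiting = [t for t, status, _ in polls if status == "processing"]
    seconds = (waiting[-1] - waiting[0]).total_seconds() if waiting else 0.0
    last = polls[-1] if polls else (None, None, None)
    return {"polls": len(polls), "processing_seconds": seconds,
            "final_status": last[1], "retry_after": last[2]}

print(summarize(SAMPLE_LOG))
```

A run whose last status is still "processing" ended without the CA reporting the order as issued, which is the case a larger --issuance-timeout is meant to cover.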

Interesting, while I'm still learning the world of certs....I changed the server being used for the certs based off of the mentioned change RSA to ECDSA. I am using the general enterprise server from InCommon.

Then running a new certificate request over top of the existing seems to have resolved it

Best community support I've ever had!
