Failing with 14 domains

Certbot works when I use 13 domains, but adding a 14th causes a ConnectionError: ('Connection aborted.', ResponseNotReady()) error. I was able to reproduce this with a set of fake domains, which I have included below.

e.g. the following works:

certbot certonly --manual --config-dir ./certbot/conf --work-dir ./certbot/work --logs-dir ./certbot/logs -d my01.thing.com,my02.thing.com,my03.thing.com,my04.thing.com,my05.thing.com,my06.thing.com,my07.thing.com,my08.thing.com,my09.thing.com,my10.thing.com,my11.thing.com,my12.thing.com,my13.thing.com

with output:

Saving debug log to ./certbot/logs/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my01.thing.com
http-01 challenge for my02.thing.com
http-01 challenge for my03.thing.com
http-01 challenge for my04.thing.com
http-01 challenge for my05.thing.com
http-01 challenge for my06.thing.com
http-01 challenge for my07.thing.com
http-01 challenge for my08.thing.com
http-01 challenge for my09.thing.com
http-01 challenge for my10.thing.com
http-01 challenge for my11.thing.com
http-01 challenge for my12.thing.com
http-01 challenge for my13.thing.com

However, when I add a 14th domain, it breaks with a strange server error:

certbot certonly --manual --config-dir ./certbot/conf --work-dir ./certbot/work --logs-dir ./certbot/logs -d my01.thing.com,my02.thing.com,my03.thing.com,my04.thing.com,my05.thing.com,my06.thing.com,my07.thing.com,my08.thing.com,my09.thing.com,my10.thing.com,my11.thing.com,my12.thing.com,my13.thing.com,my14.thing.net

produces output:

Saving debug log to ./certbot/logs/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
ConnectionError: ('Connection aborted.', ResponseNotReady())
Please see the logfiles in ./certbot/logs for more details.

From the logfile:

~ $ cat ./certbot/logs/letsencrypt.log | tail -n 50
2019-12-02 20:09:27,611:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1522170930:
{
  "protected": "<removed>", 
  "payload": "", 
  "signature": "<removed>"
}
2019-12-02 20:09:27,614:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.39.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1265, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 405, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 380, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 883, in new_order
    return self.client.new_order(csr_pem)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 674, in new_order
    authorizations.append(self._authzr_from_response(self._post_as_get(url), uri=url))
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 795, in _post_as_get
    return self._post(*new_args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1194, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1207, in _post_once
    response = self._send_request('POST', url, data=data, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1110, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', ResponseNotReady())
2019-12-02 20:09:27,615:ERROR:certbot.log:An unexpected error occurred:
~ $ 

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

my01.thing.com,my02.thing.com,my03.thing.com,my04.thing.com,my05.thing.com,my06.thing.com,my07.thing.com,my08.thing.com,my09.thing.com,my10.thing.com,my11.thing.com,my12.thing.com,my13.thing.com,my14.thing.net

I ran this command:

certbot certonly --manual --config-dir ./certbot/conf --work-dir ./certbot/work --logs-dir ./certbot/logs -d my01.thing.com,my02.thing.com,my03.thing.com,my04.thing.com,my05.thing.com,my06.thing.com,my07.thing.com,my08.thing.com,my09.thing.com,my10.thing.com,my11.thing.com,my12.thing.com,my13.thing.com,my14.thing.net

It produced this output:

Saving debug log to ./certbot/logs/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
ConnectionError: ('Connection aborted.', ResponseNotReady())
Please see the logfiles in ./certbot/logs for more details.

My web server is (include version):

N/A

The operating system my web server runs on is (include version):

N/A (never gets that far and I’m doing manual anyway)

My hosting provider, if applicable, is:

N/A

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.39.0

Doing the 14th domain alone, does it succeed?

It seems to work for me (without reproducing your precise setup).

Can you post the logs from right before that snippet?

Is there any chance you have a connection-tracking firewall, or NAT device, that destroys TCP connections that are briefly idle?

Edit: Googling the error message, I still have no idea what causes it, but people seem to report success after upgrading the Python requests library. E.g.:


Thanks. Such a pain. We run requests==2.6.2 here. I ran this in a virtenv with the default versions of certbot (and dependencies) and did not see the error (requests==2.22.0). When I downgraded requests to v2.6.2, I could reproduce the error.


On GitHub, it appears that acme only requires v2.6.0:

 'requests[security]>=2.6.0',  # security extras added in 2.4.1

Perhaps that should be updated...

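
Added example (not part of the thread and not certbot's own code): a small triage script for a letsencrypt.log like the one posted above. It counts the authorization POSTs logged before the abnormal exit and names the package of the deepest traceback frame, which in this thread is requests. The sample log is constructed in the page's format, and the names triage and package_of are hypothetical.

```python
import re

# Constructed sample in the format of the letsencrypt.log excerpt above
# (authz IDs are made up and the traceback is shortened for the example).
SAMPLE_LOG = """\
2019-12-02 20:09:27,100:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1000000001:
2019-12-02 20:09:27,400:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/1000000002:
2019-12-02 20:09:27,614:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1110, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 415, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', ResponseNotReady())
2019-12-02 20:09:27,615:ERROR:certbot.log:An unexpected error occurred:
"""

RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}:")
POST_RE = re.compile(r":DEBUG:acme\.client:Sending POST request to \S+/acme/authz-v3/\d+:?$")
FRAME_RE = re.compile(r'^\s+File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\S+)')


def package_of(path):
    """Top-level package of a frame path, or None when outside site-packages."""
    _, sep, rest = path.partition("site-packages/")
    return re.sub(r"\.py$", "", rest.split("/")[0]) if sep else None


def triage(log_text):
    """Summarise authz POSTs and the last abnormal exit in a certbot debug log."""
    posts, frames, exception, in_tb = 0, [], None, False
    for line in log_text.splitlines():
        if RECORD_RE.match(line):
            # A timestamped record ends any traceback; "Exiting abnormally" starts one.
            in_tb = "Exiting abnormally:" in line
            if in_tb:
                frames, exception = [], None
            posts += bool(POST_RE.search(line))
        elif in_tb:
            m = FRAME_RE.match(line)
            if m:
                frames.append(m.groupdict())
            elif line[:1].strip() and not line.startswith("Traceback"):
                exception = line.strip()  # unindented line after the frames
    top = frames[-1] if frames else None
    return {"authz_posts": posts, "exception": exception,
            "raised_in": package_of(top["path"]) if top else None,
            "raised_at": "%s:%s" % (top["func"], top["line"]) if top else None}
```

Running triage on the full log shows how many authorizations were fetched before the connection was dropped; checking the installed version of the package it names is the next step.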