Generating a new certificate is hanging. It used to work before

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
Any domain, but use this as an example:
seghesioholidaysweepstakes.com

I ran this command:
/usr/bin/certbot certonly --webroot -d seghesioholidaysweepstakes.com -d www.seghesioholidaysweepstakes.com -w /usr/share/nginx/html -vv

It produced this output:
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f1acc5e6fd0>
Prep: True
Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f1acc5e6fd0> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/102707628', new_authzr_uri=None, terms_of_service=None), 95dca649eb70b90eb40783058c9c3ce4, Meta(creation_dt=datetime.datetime(2020, 11, 18, 11, 51, 4, tzinfo=), creation_host='centos-s-1vcpu-2gb-nyc1-01', register_to_eff=None))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 659
Received response:
HTTP 200
Server: nginx
Date: Tue, 01 Nov 2022 19:12:32 GMT
Content-Type: application/json
Content-Length: 659
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"ZdEzKlbbL94": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

It's hanging here. So it does not even get to obtaining a new certificate.

My web server is (include version):
nginx

The operating system my web server runs on is (include version):
CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.31.0

It's hanging before it says "Obtaining new certificate". It used to work before. Let me know what troubleshooting steps I should take. I installed using snapd. It's on an older version of CentOS, but everything should be working.

Hello @offset29, welcome to the Let's Encrypt community. :slightly_smiling_face:

I am a bit confused as the list of issued certificates for crt.sh | seghesioholidaysweepstakes.com seems empty, like no certificates have ever been issued for that site.

However I just noticed the certificate that is presently being served is for digitalcouponrebates.com
and here is a list of issued certificates for that domain name crt.sh | digitalcouponrebates.com, the latest being 2022-10-17.

That's just a placeholder certificate. This is a sweepstakes system that we've developed, and the client requires separate domains for each sweepstakes. We just need the certificate generation to work.

When I run the certbot command it just hangs before it says "Obtaining new certificate".

It's getting old; can you run and give the output of

openssl version
1 Like

Once the certificate generation works, then we can issue a separate nginx config file with the generated Let's Encrypt certificate. I can remove the existing certificate as well, or remove the redirect to https.

OpenSSL 1.0.2k-fips 26 Jan 2017

Let me check if there is a way to update this. You are probably right in that it could be this.

No, that openssl version should be fine, especially on CentOS 7.

Usually the -w (folder) option appears before the -d domain(s) it applies to. Might be related. Easy to try.

3 Likes

This command used to work. I can try switching it.

No, it still hangs in the same spot.

Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f6cb3c6efa0> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/102707628', new_authzr_uri=None, terms_of_service=None), 95dca649eb70b90eb40783058c9c3ce4, Meta(creation_dt=datetime.datetime(2020, 11, 18, 11, 51, 4, tzinfo=), creation_host='centos-s-1vcpu-2gb-nyc1-01', register_to_eff=None))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 659
Received response:
HTTP 200
Server: nginx
Date: Tue, 01 Nov 2022 19:49:19 GMT
Content-Type: application/json
Content-Length: 659
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"RPtHciN3sNU": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

The next lines should be something like:

2022-11-01 19:50:53,972:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-11-01 19:50:54,052:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503

Is there any kind of firewall that would block a connection to r3.o.lencr.org ?

Or, block an outbound POST request?

3 Likes

It's on Digital Ocean; there shouldn't be any firewall for outbound. I can ping outbound. This command used to work before to generate certificates. I can try doing a wget.

As you can see, it received a response above from acme-v02.

Yes, I can do a wget to http://r3.o.lencr.org

Yes, I see it connected to the ACME endpoint. r3.o.lencr.org is a different domain with a different request (POST, not GET). It was a long shot but worth checking.

Obviously something has changed since it last worked. The trick is finding what. Almost certainly something on your end, though.

3 Likes

I wish there was more debugging output.

Me too. I don't have any other ideas than to ensure a POST works:

curl -X POST http://r3.o.lencr.org/

You should get a '0' back.

2 Likes
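The two checks suggested above (the expected follow-up to r3.o.lencr.org after the directory fetch, and the curl POST) can be combined into one probe that replays certbot's next requests with a hard per-request timeout, so a hang is reported as a named step rather than as silent output. This is an added example, not part of the thread or of certbot; the 10-second timeout, the dummy one-byte POST body and the injectable fetch function are assumptions for illustration.

```python
import json
import socket
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
OCSP_RESPONDER = "http://r3.o.lencr.org/"  # responder named in the thread
TIMEOUT_SECONDS = 10                       # assumed; certbot waits far longer

class StepTimeout(Exception):
    """Raised by a fetcher when one request exceeds TIMEOUT_SECONDS."""

def http_fetch(method: str, url: str, body: bytes = b"") -> Tuple[int, bytes]:
    """Real fetcher: (status, body); a hang becomes StepTimeout, not silence."""
    req = urllib.request.Request(url, data=body or None, method=method)
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT_SECONDS) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:   # reached but rejected: not a hang
        return exc.code, exc.read()
    except (socket.timeout, TimeoutError) as exc:
        raise StepTimeout(url) from exc
    except urllib.error.URLError as exc:    # connect-phase timeouts are wrapped
        if isinstance(exc.reason, (socket.timeout, TimeoutError)):
            raise StepTimeout(url) from exc
        raise

def probe(fetch: Callable[[str, str, bytes], Tuple[int, bytes]]) -> List[Tuple[str, str]]:
    """Replay certbot's next requests; stop at the first step that hangs."""
    try:
        status, body = fetch("GET", ACME_DIRECTORY, b"")
    except StepTimeout:
        return [("directory GET", "TIMEOUT")]
    results = [("directory GET", f"ok {status}")]
    steps = [("newNonce HEAD", "HEAD", json.loads(body)["newNonce"], b""),
             ("OCSP POST", "POST", OCSP_RESPONDER, b"\x00")]  # dummy body (assumed)
    for name, method, url, data in steps:
        try:
            status, _ = fetch(method, url, data)
            results.append((name, f"ok {status}"))
        except StepTimeout:
            results.append((name, "TIMEOUT"))  # this is the step to chase
            break
    return results

if __name__ == "__main__":
    for step, outcome in probe(http_fetch):
        print(f"{step:14s} {outcome}")
```

A step reported as TIMEOUT while the earlier ones answered points at a path-specific block (for example, outbound POST to the OCSP responder) rather than at certbot itself.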

I wonder if it's something weird with the snap system? Maybe uninstall and reinstall that, or when reinstalling try using the pip instructions instead?

I think I've heard of people having weird snap issues with something just hanging, but I don't know if it's at that specific point in the process and don't remember where I heard it, so I may be sending you on a wild goose chase.

4 Likes

Yes, I get a 0 back.

2 Likes

Add more v's:
certbot {current parameters} -vvv

2 Likes