Getting connection error when creating certificates


My domain is: ar-r5-01.getcharly.com I have a webserver that runs on a port other than 80.

I ran this command:

./letsencrypt-auto certonly --standalone --email myemail@getcharly.com --agree-tos -d ar-r5-01.getcharly.com

It produced this output:

2017-08-10 20:58:53,644:DEBUG:certbot.main:certbot version: 0.17.0
2017-08-10 20:58:53,645:DEBUG:certbot.main:Arguments: ['--standalone', '--email', 'myemail@getcharly.com', '--agree-tos', '-d', 'ar-r5-01.getcharly.com']
2017-08-10 20:58:53,645:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-08-10 20:58:53,665:DEBUG:certbot.log:Root logging level set at 20
2017-08-10 20:58:53,665:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-10 20:58:53,666:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2017-08-10 20:58:53,782:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0xe55050>
Prep: True
2017-08-10 20:58:53,783:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0xe55050> and installer None
2017-08-10 20:58:53,949:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-08-10 20:58:53,954:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-08-10 20:59:01,399:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 753, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 676, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 390, in _init_le_client
    acc, acme = _determine_account(config)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 375, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 163, in register
    acme = acme_from_config_key(config, key)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 45, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 71, in __init__
    self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 654, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 627, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/adapters.py", line 487, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x1bc9f50>: Failed to establish a new connection: [Errno -2] Name or service not known',))

The operating system my web server runs on is (include version): centos7

My hosting provider, if applicable, is: not sure…

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

When I ran this command:

curl https://acme-v01.api.letsencrypt.org/directory

I got:

curl: (6) Could not resolve host: acme-v01.api.letsencrypt.org; Name or service not known

If your server can’t connect to the Let’s Encrypt API, then you’re not going to be able to issue certificates. Does this server have internet access? Is there a firewall restricting outbound connections? (Also check for allowing inbound connections on 80 while you’re at it, as this will be necessary for standalone authorization.)

You should see:

# curl https://acme-v01.api.letsencrypt.org/directory
{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"

wget ar-r5-01.getcharly.com
--2017-08-10 19:24:09-- http://ar-r5-01.getcharly.com/
Resolving ar-r5-01.getcharly.com (ar-r5-01.getcharly.com)... 200.55.32.166
Connecting to ar-r5-01.getcharly.com (ar-r5-01.getcharly.com)|200.55.32.166|:80... failed: Connection refused.

wget https://ar-r5-01.getcharly.com/
--2017-08-10 19:24:23-- https://ar-r5-01.getcharly.com/
Resolving ar-r5-01.getcharly.com (ar-r5-01.getcharly.com)... 200.55.32.166
Connecting to ar-r5-01.getcharly.com (ar-r5-01.getcharly.com)|200.55.32.166|:443... failed: Connection refused.

Unless you temporarily forward port 80 or 443 to your web server, you may have to use DNS challenge for auth.

No, standalone is still fine as long as firewalls and routers allow port 80 through. It will normally refuse connections except during issuance when the standalone server is running. The initial issue is that the server in question isn’t even able to reach the LE API in the first place. No matter what challenge type is in use, nothing will work until that’s fixed.


You are accessing this machine remotely via SSH, not sitting in front of it, correct? So we’re sure inbound Internet connectivity works…

Can you connect to other things? e.g. your OS’ update server:

curl http://mirror.centos.org/timestamp.txt

If so, stop here. There’s a firewall (possibly not under your control) blocking your access to Let’s Encrypt. If feasible, try disabling your local firewall to eliminate that or contact your network administrator for assistance.

If that also doesn’t work, next see if you can reach things by IP address. e.g.:

ping -c5 google.com

fails but:

ping -c5 8.8.8.8

works.

If so, your DNS configuration is busted. In this case, please provide the contents of your /etc/sysconfig/network/ifcfg-* and /etc/resolv.conf files so we can figure out whether you’re getting a bad DNS server via DHCP or just have a misconfigured static IP address setup.

If you can’t even ping an IP address, we’re back to some sort of firewall in the way. As before try disabling your local firewall if you safely can to eliminate that or contact your network administrator for assistance.
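The triage steps in the reply above (does a known-good host respond, does the Let's Encrypt endpoint respond, do raw IPs respond, and if names fail, what resolver is configured) can be written down as a small script. The following is an added example, not code from anyone in this thread: the decision tree lives in `classify()` so it can be checked offline with constructed probe results, `run_live_probes()` runs the real `curl`/`ping` commands when invoked with `--live`, and the sample resolv.conf content and the `192.0.2.53` nameserver are constructed values. It also goes one step beyond the reply by treating curl exit code 6 ("could not resolve host", the error in the original post) as a DNS verdict on its own, since in that case the resolver has already failed before any firewall is involved.

```shell
#!/bin/sh
# Added example (not from this thread): encode the triage steps as a script.
# Probe results are passed to classify() so the logic runs offline with
# constructed values; run_live_probes() runs the real commands (Linux iputils ping).

# classify <le_curl_rc> <mirror_curl_rc> <raw_ip_ping_ok>
#   le_curl_rc      exit code of curl against the Let's Encrypt directory URL
#   mirror_curl_rc  exit code of curl against a known-good host (CentOS mirror)
#   raw_ip_ping_ok  1 if ping to a raw IP (8.8.8.8) succeeded, else 0
# curl exit code 6 is "could not resolve host"; other non-zero codes are
# connection-level failures (7 = connection refused/failed, 28 = timeout).
classify() {
    le_rc=$1; mirror_rc=$2; ip_ok=$3
    if [ "$le_rc" -eq 0 ]; then
        echo ok
    elif [ "$le_rc" -eq 6 ]; then
        # The ACME hostname itself does not resolve: a resolver problem,
        # even when other names still work (the situation in this thread).
        echo dns-resolution
    elif [ "$mirror_rc" -eq 0 ]; then
        # Other hosts reachable, Let's Encrypt not: something filters that path.
        echo firewall-selective
    elif [ "$mirror_rc" -eq 6 ] && [ "$ip_ok" -eq 1 ]; then
        # No name resolves but raw IPs work: resolver misconfigured.
        echo dns-resolution
    else
        echo firewall-or-no-network
    fi
}

# resolv_nameservers: print nameserver addresses from resolv.conf-style text
# on stdin, so the resolver in use can be reviewed after a DNS verdict.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# curl_rc <url>: exit code of a quiet, time-bounded GET (needs network access).
curl_rc() {
    curl -sS -o /dev/null --max-time 10 "$1" >/dev/null 2>&1
    echo $?
}

# ping_ok <ip>: 1 if two ICMP echoes are answered within 2 s each, else 0.
ping_ok() {
    if ping -c 2 -W 2 "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

run_live_probes() {
    le=$(curl_rc https://acme-v01.api.letsencrypt.org/directory)
    mirror=$(curl_rc http://mirror.centos.org/timestamp.txt)
    ip=$(ping_ok 8.8.8.8)
    verdict=$(classify "$le" "$mirror" "$ip")
    echo "verdict: $verdict (le_rc=$le mirror_rc=$mirror ip_ok=$ip)"
    if [ "$verdict" = dns-resolution ]; then
        echo "nameservers in /etc/resolv.conf:"
        resolv_nameservers </etc/resolv.conf
    fi
}

# Constructed sample resolv.conf content (not from any real host).
SAMPLE_RESOLV='search lan.invalid
nameserver 192.0.2.53
nameserver 8.8.8.8'

demo() {
    # Values mirroring the original post: mirror reachable, LE name unresolvable.
    classify 6 0 1
    printf '%s\n' "$SAMPLE_RESOLV" | resolv_nameservers
}

if [ "${1-}" = "--live" ]; then
    run_live_probes
else
    demo
fi
```

Run it as `sh triage.sh --live` on the affected machine to get a verdict from real probes; without arguments it only replays the constructed case. Using curl's exit code rather than grepping its message keeps the check stable across locales and curl versions.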

They all worked for me.

curl http://mirror.centos.org/timestamp.txt ->> gives me timestamp
ping -c5 google.com ->> 0% packet loss
ping -c5 8.8.8.8 ->> 0% packet loss

Did you try again today? It’s possible you were just having network trouble yesterday.

If it’s still not working, I would suggest contacting your server provider’s support for further assistance. It’s very strange that you can access google.com and centos.org but not letsencrypt.org without purposely configuring a firewall that way.

Please retry:

If that fails, try:
nslookup acme-v01.api.letsencrypt.org

OK guys.

In the end I changed the DNS server to 8.8.8.8 and everything worked.

vi /etc/resolv.conf

Add nameserver 8.8.8.8
