HTTPS connection Error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sp.pknsp.dynv6.net

I ran this command: ./init-certificate.sh (from Signal >> Blog >> Help people in Iran reconnect to Signal – a request to our community)

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

What's the output of this command?

curl -v https://acme-v02.api.letsencrypt.org/directory
2 Likes
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Sep  2 19:13:12 2022 GMT
*  expire date: Dec  1 19:13:11 2022 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x564246814c60)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< server: nginx
< date: Fri, 14 Oct 2022 07:23:14 GMT
< content-type: application/json
< content-length: 659
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "d4o6U8Rk21k": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Hi @PKN-Weber, and welcome to the LE community forum :slight_smile:

That output looks right.
Is the error still occurring?

1 Like

Yes, the error is still occurring. Here is the full output from the script:

Enter domain name (eg. www.example.com): sp.pknsp.dynv6.net

Downloading recommended TLS parameters ...

Requesting Let's Encrypt certificate for sp.pknsp.dynv6.net ...

Creating network "signal-tls-proxy_default" with the default driver
Pulling certbot (certbot/certbot:)...
latest: Pulling from certbot/certbot
213ec9aee27d: Pull complete
6b2a141cd227: Pull complete
20e8f1c91cae: Pull complete
20828db47e2e: Pull complete
dfb6e0c037c9: Pull complete
ebbdbececa58: Pull complete
39738e426bae: Pull complete
18dbb2d59d20: Pull complete
87dd6de2206e: Pull complete
43a2dd3448ed: Pull complete
9e345a67ce83: Pull complete
5d0e724913ab: Pull complete
43adaa5703e9: Pull complete
Digest: sha256:407856b5139f5f2481b43a06beaf2790d0bf65374bacf2f0a4f212d2df0b5d86
Status: Downloaded newer image for certbot/certbot:latest
Creating signal-tls-proxy_certbot_run ... done
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7fa405b19450>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: 1

After running 'docker-compose up --detach' you can share your proxy as: Configure Signal Proxy

Try restarting the docker daemon.

If that doesn't work, add a DNS resolver to your containers: Compose specification | Docker Documentation

1 Like

Sorry, I'm really new to this. Where do I find the file which I have to edit?

It's docker-compose.yml in the directory where you're running your commands. Whitespace matters a lot in that file.

Try systemctl restart docker before you edit that file, tho.

1 Like

I tried to restart the service, but nothing changed.

This is my docker-compose.yml:

version: '3'

services:
  nginx-terminate:
    build: ./nginx-terminate/
    restart: unless-stopped
    volumes:
      - ./data/nginx-terminate:/etc/nginx/conf.d
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    ports:
      - "443:443"
      - "80:80"
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g "daemon off;"'"
  nginx-relay:
    build: ./nginx-relay/
    restart: unless-stopped
    volumes:
      - ./data/nginx-relay:/etc/nginx/conf.d
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; /opt/nginx/sbin/nginx -s reload; done & /opt/nginx/sbin/nginx -c /etc/nginx/conf.d/nginx.conf -g "daemon off;"'"
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  dns: 8.8.8.8

Now I get this message:
Existing data found. Continue and replace existing certificate? (y/N) y

Requesting Let's Encrypt certificate for sp.pknsp.dynv6.net ...

ERROR: In file './docker-compose.yml', service 'dns' must be a mapping not a string.

You should put "dns" inside a service, as the documentation says, not wherever you want.

3 Likes
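As an added illustration (not a file from this thread or from the Signal proxy project), here is the certbot service from the compose file above with `dns` placed where Compose expects it: indented under the service, beside `image` and `volumes`. The misplaced form is shown in a comment for comparison. `8.8.8.8` is simply the resolver the poster chose; any resolver the container can actually reach will do, and `dns` accepts either a single address or a list.

```yaml
services:
  certbot:
    image: certbot/certbot
    restart: unless-stopped
    volumes:
      - ./data/certbot/conf:/etc/letsencrypt
      - ./data/certbot/www:/var/www/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    # dns is a per-service key, so it sits at the same depth as image/volumes.
    dns:
      - 8.8.8.8
#
#   Misplaced form (what the compose file above has): at this indentation
#   Compose treats "dns" as a third service whose definition is a bare string,
#   hence "service 'dns' must be a mapping not a string".
#
# services:
#   certbot:
#     ...
#   dns: 8.8.8.8
```

The same key can be added to the nginx services if they also need to resolve names; each service declares its own resolver list.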

Still the same error. :frowning:
DNS is set correctly now.

Then it might be an outbound firewall rule that is blocking.

2 Likes
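The two diagnoses offered in this thread (a container with no working resolver, versus an outbound firewall silently dropping the connection) produce different failures at the socket level, and the certbot message above (`ConnectTimeoutError ... timed out`) only reports the second. The following script is an added example, not code from the thread or from certbot, that separates the two: it resolves the ACME host and then attempts a TCP connection with a timeout, returning a verdict plus the next step each reply here suggests. The resolver and connector are injectable so the classifier can be exercised offline with the constructed stand-ins at the bottom; `172.65.32.248` in those stand-ins is the address the curl output above shows.

```python
"""Classify why an ACME endpoint is unreachable: DNS failure vs. TCP egress problem."""
import socket

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host certbot contacts for /directory
ACME_PORT = 443

# Next step per verdict, following the advice given in the thread (constructed mapping).
NEXT_STEP = {
    "dns_failure": "container cannot resolve names: add a dns: entry under the service in docker-compose.yml",
    "connect_timeout": "name resolves but no TCP reply: check outbound firewall / egress rules for 443",
    "connect_refused": "host answered with a reset: wrong port or an interposing proxy",
    "connect_error": "other socket error: see detail",
    "reachable": "TCP path is fine; the problem is above the transport layer",
}


def classify_reachability(host, port=ACME_PORT, timeout=5.0,
                          resolver=socket.getaddrinfo,
                          connector=socket.create_connection):
    """Return (verdict, detail) for host:port.

    resolver/connector default to the real socket functions; tests pass fakes.
    """
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failure", str(exc)
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        return "dns_failure", "resolver returned no addresses"

    verdict, detail = "connect_error", "no address attempted"
    for addr in addrs:
        try:
            conn = connector((addr, port), timeout=timeout)
        except socket.timeout as exc:  # alias of TimeoutError on Python >= 3.10
            verdict, detail = "connect_timeout", f"{addr}:{port}: {exc}"
            continue
        except ConnectionRefusedError as exc:
            verdict, detail = "connect_refused", f"{addr}:{port}: {exc}"
            continue
        except OSError as exc:
            verdict, detail = "connect_error", f"{addr}:{port}: {exc}"
            continue
        conn.close()  # a handshake is not needed; SYN/ACK is the evidence we want
        return "reachable", f"{addr}:{port}"
    return verdict, detail


def diagnose(host=ACME_HOST, **kwargs):
    """One-line diagnosis: verdict, suggested next step, and the raw detail."""
    verdict, detail = classify_reachability(host, **kwargs)
    return f"{verdict}: {NEXT_STEP[verdict]} ({detail})"


# --- constructed stand-ins so the classifier can be exercised offline ---------

def fake_resolve_ok(host, port, **_):
    # Constructed: mimics getaddrinfo returning the address seen in the curl output.
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("172.65.32.248", port))]


def fake_resolve_fail(host, port, **_):
    # Constructed: what a container without a reachable resolver reports.
    raise socket.gaierror(-3, "Temporary failure in name resolution")


def fake_connect_timeout(address, timeout=None):
    # Constructed: a dropped SYN surfaces as socket.timeout after `timeout` seconds.
    raise socket.timeout("timed out")


def fake_connect_refused(address, timeout=None):
    raise ConnectionRefusedError(111, "Connection refused")


class _FakeConn:
    def close(self):
        pass


def fake_connect_ok(address, timeout=None):
    return _FakeConn()


if __name__ == "__main__":
    # Live check. Run it on the host, then again inside a container on the same
    # compose network; a differing verdict points at the container's resolver or egress.
    print(diagnose())
```

Run it on the host first (where the curl output above shows the host reaches Let's Encrypt fine), then inside a container on the compose network; if the host reports `reachable` and the container reports `dns_failure`, the `dns:` key is the fix, while `connect_timeout` in both places points at an outbound firewall rule.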

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.