Letsencrypt renewal Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError

Hi, there!

I want to force the renewal of a certificate for the first time on my server. I'm using a proxy and I can get https://acme-v02.api.letsencrypt.org/directory.
The thing is that I get the following error while executing certbot --force-renew:

certbot --force-renew -d cercheck.EXAMPLE.COM

Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))

More related log output:

2023-11-07 17:36:27,963:DEBUG:certbot._internal.main:certbot version: 2.6.0
2023-11-07 17:36:27,964:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2023-11-07 17:36:27,964:DEBUG:certbot._internal.main:Arguments: ['--force-renew', '-v', '-d', 'cercheck.test.es']
2023-11-07 17:36:27,964:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-11-07 17:36:27,977:DEBUG:certbot._internal.log:Root logging level set at 20
2023-11-07 17:36:27,978:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2023-11-07 17:36:28,217:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.53
2023-11-07 17:36:28,870:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7fce9ddb27c0>
Prep: True
2023-11-07 17:36:28,873:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7fce9ddb27c0> and installer <certbot_apache._internal.override_centos.CentOSConfigurator object at 0x7fce9ddb27c0>
2023-11-07 17:36:28,873:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2023-11-07 17:36:34,308:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-11-07 17:36:34,311:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-11-07 17:36:34,356:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 696, in urlopen
    self._prepare_proxy(conn)
  File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 964, in _prepare_proxy
    conn.connect()
  File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 359, in connect
    conn = self._connect_tls_proxy(hostname, conn)
  File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 500, in _connect_tls_proxy
    return ssl_wrap_socket(
  File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib64/python3.9/ssl.py", line 1074, in _create
    self.do_handshake()
  File "/usr/lib64/python3.9/ssl.py", line 1343, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLZeroReturnError: TLS/SSL connection has been closed (EOF) (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1440, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 830, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 738, in _determine_account
    acc, acme = client.register(
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 207, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 331, in get_directory
    return messages.Directory.from_json(net.get(url).json())
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 706, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 648, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 544, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 657, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))
2023-11-07 17:36:34,359:ERROR:certbot._internal.log:An unexpected error occurred:
2023-11-07 17:36:34,360:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))

Does anybody know what could be happening?

Thanks in advance.

1 Like

Why? 

2 Likes

Are you sure that works?

3 Likes

Do you even have a cert [for that name] to renew?

3 Likes

Also, for HTTP Challenge with Apache you will need to follow this advice

2 Likes

Because I need to confirm that renewal is running smoothly.

The --dry-run option was invented for that reason. Please do not use the --force-renewal option for such things.

2 Likes

You won't be able to use the renew command until you get a cert using certonly or one of the plugins (like Apache).

Have you been able to get a cert? What does this show?

certbot certificates
3 Likes

The certificate name shown is not exactly the real one.
Yes, I have one certificate running without problems. But when I try to renew, I get that error.

Yes, I have my certificate functioning well.

Then what does this do?

certbot renew --dry-run

Note without knowing your real domain it will be hard to give specific advice

Also, what does this show?

openssl s_client -connect acme-v02.api.letsencrypt.org:443
4 Likes

Thanks for letting me know.
If I run the "dry-run" option, I get the same error, though.

Yes, I think so.

wget https://acme-v02.api.letsencrypt.org/directory

--2023-11-07 19:03:08-- https://acme-v02.api.letsencrypt.org/directory
Resolving proxy0.xxx.es (proxy0.xxx.es)... 192.168.xxx.xxx
Connecting to proxy0.xxx.es (proxy0.xxx.es)|192.168.xxx.xxx|:8080... connected.
Proxy request sent, awaiting response... 200 OK
Length: 752 [application/json]
Saving to: 'directory.2'

directory.2 100%[==========================================================================================>] 752 --.-KB/s in 0s

2023-11-07 19:03:09 (8.78 MB/s) - 'directory.2' saved [752/752]

Below is the form normally presented to all new HELP topics.
Note how it makes it clear that "withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help".

Please provide enough information so that we may be able to help you.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

3 Likes

Something odd is that if I run the curl command, as I saw in some comments, I get this:

curl -v https://acme-v02.api.letsencrypt.org/directory

  • Uses proxy env variable https_proxy == 'https://proxy0.xxx.es:8080'
  • Trying 192.168.xxx.xxx:8080...
  • Connected to proxy0.xxx.es (192.168.xxx.xxx) port 8080 (#0)
  • ALPN, offering http/1.1
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.0 (OUT), TLS header, Unknown (21):
  • TLSv1.3 (OUT), TLS alert, decode error (562):
  • error:0A000126:SSL routines::unexpected eof while reading
  • Closing connection 0
curl: (35) error:0A000126:SSL routines::unexpected eof while reading

What shows?:
curl -v https://www.google.com/

2 Likes

Thanks, MikeMcQ. I was showing just a false name. Sorry for not specifying.

1 Like

The problem is that it is a REAL name.
[it just belongs to someone else]
crt.sh | test.es

4 Likes

Same error:

curl -v https://www.google.com/

  • Uses proxy env variable https_proxy == 'https://proxy0.xxx.es:8080'
  • Trying 192.168.xxx.xxx:8080...
  • Connected to proxy0.xxx.es (192.168.xxx.xxx) port 8080 (#0)
  • ALPN, offering http/1.1
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.0 (OUT), TLS header, Unknown (21):
  • TLSv1.3 (OUT), TLS alert, decode error (562):
  • error:0A000126:SSL routines::unexpected eof while reading
  • Closing connection 0

curl: (35) error:0A000126:SSL routines::unexpected eof while reading

So, your proxy doesn't work with cURL.

3 Likes
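Added example for this page (not a post from the thread, and not code from Certbot, curl or urllib3). The traceback above fails inside urllib3's `_connect_tls_proxy`, curl prints `https_proxy == 'https://proxy0.xxx.es:8080'` and then sends a TLS ClientHello to port 8080 of the proxy and gets an EOF, while wget, which only ever talks plain HTTP to a proxy, gets `200 OK` through the same host. That is the signature of a proxy URL with an `https://` scheme pointed at a proxy that speaks only plain HTTP on that port: curl, and urllib3 from 1.26 on (which requests and therefore Certbot use), take the scheme literally and open a TLS session to the proxy itself, whereas older urllib3 quietly treated such a URL as `http://`. The script below has two parts: `classify_proxies` flags `https://`-scheme proxy variables and `suggest_http_form` gives the `http://` spelling to try; `probe_tls` reproduces the failure offline against a constructed local listener that accepts a connection and closes it without speaking TLS, the way a plain-HTTP proxy port reacts to a ClientHello. `proxy0.example.invalid` is a placeholder host.

```python
"""Diagnose the "TLS handshake against a plain-HTTP proxy" failure seen in the thread.

Added example for this page, not code from Certbot, curl or urllib3.
Host names are placeholders; the local listener is a constructed stand-in.
"""
import os
import socket
import ssl
import threading
from urllib.parse import urlsplit

PROXY_VARS = ("http_proxy", "https_proxy", "all_proxy")


def classify_proxies(env):
    """Return {var: (scheme, verdict)} for proxy variables found in env.

    curl and urllib3 >= 1.26 take an https:// proxy URL literally: they open a
    TLS session to the proxy itself. A proxy that only speaks plain HTTP on that
    port then closes the connection during the handshake, which surfaces as
    SSLZeroReturnError/SSLEOFError in Python and "unexpected eof while reading"
    in curl.
    """
    findings = {}
    for var, value in env.items():
        if var.lower() not in PROXY_VARS:
            continue
        scheme = urlsplit(value).scheme.lower()
        if scheme == "https":
            verdict = ("tls-to-proxy: the client will TLS-handshake with the proxy "
                       "itself; use http:// unless the proxy really terminates TLS")
        elif scheme in ("http", "socks4", "socks4a", "socks5", "socks5h"):
            verdict = "ok"
        elif scheme == "":
            verdict = "no scheme: ambiguous between tools; spell it out as http://"
        else:
            verdict = f"unexpected scheme {scheme!r}"
        findings[var] = (scheme, verdict)
    return findings


def suggest_http_form(proxy_url):
    """Same proxy URL with the scheme forced to http:// (plain HTTP CONNECT proxy)."""
    return urlsplit(proxy_url)._replace(scheme="http").geturl()


def probe_tls(host, port, timeout=5.0):
    """Try a TLS handshake with host:port and report what the peer does.

    Certificate verification is disabled because this checks only whether the
    port speaks TLS at all, not whether its certificate is trustworthy.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"TLS {tls.version()} established"
    except (ssl.SSLZeroReturnError, ssl.SSLEOFError, ConnectionResetError) as e:
        return False, (f"peer closed the connection during the handshake "
                       f"({type(e).__name__}): this port is not speaking TLS")
    except ssl.SSLError as e:
        return False, f"TLS error ({type(e).__name__}): {e}"
    except OSError as e:
        return False, f"socket error: {e}"


def start_plain_http_listener():
    """Constructed stand-in for a plain-HTTP proxy port: accept one connection,
    read whatever arrives (the ClientHello) and close without answering in TLS.
    Returns (host, port) of the listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    # Constructed environment mirroring the thread's setting (placeholder host).
    sample_env = {"https_proxy": "https://proxy0.example.invalid:8080"}
    for var, (scheme, verdict) in classify_proxies(sample_env).items():
        print(f"{var}={sample_env[var]}: scheme={scheme} -> {verdict}")
        if scheme == "https":
            print(f"  try: export {var}={suggest_http_form(sample_env[var])}")
    # The same check on this process's real environment.
    for var, (scheme, verdict) in classify_proxies(os.environ).items():
        print(f"{var}={os.environ[var]}: scheme={scheme} -> {verdict}")
    # Reproduce the EOF offline against the constructed non-TLS listener.
    host, port = start_plain_http_listener()
    ok, detail = probe_tls(host, port)
    print(f"TLS probe of {host}:{port}: ok={ok}; {detail}")
```

If `probe_tls` against the real proxy host and port returns the same "peer closed the connection during the handshake" result, export `https_proxy=http://proxy:port` (and `http_proxy` likewise) in the environment certbot runs in, then re-run `certbot renew --dry-run`. Keep the `https://` form only if the proxy really is a TLS-terminating proxy, in which case the certbot host must also trust the proxy's certificate.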