Letsencrypt renewal Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError

Do I need to install some package in order to use the curl command?

Speak with the proxy software provider.
That has nothing to do with LE.

3 Likes

Thanks! I'll check with them.

That is unexpected.

2 Likes

Anyway, is it necessary that curl works to renew the certificate if the wget command is OK?

That depends entirely on the ACME client in use.
In this case, it would seem that certbot does require cURL.

2 Likes

What shows?:
curl --version

2 Likes

curl --version

curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/3.0.7 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.10.4/openssl/zlib nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets

Agree. Sorry. My certificate is pruebasectigo2.uah.es


openssl s_client -connect acme-v02.api.letsencrypt.org:443

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov  4 15:35:41 2023 GMT; NotAfter: Feb  2 15:35:40 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFwTCCBKmgAwIBAgISA282/VIUonzHSIyXBWjpWPftMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzExMDQxNTM1NDFaFw0yNDAyMDIxNTM1NDBaMCcxJTAjBgNVBAMT
HGFjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDbcvuYvvX9sQIcIphyP+XNtFkaqEVzgXMhRmWz3Bn/dpqo
9IwmJGO8Z4NWvfgugds9Xv0gCqn/cE/XD3QhXew0qtZiDx/KEie+DzaBChWMJdgl
LJoQJVlzHBpytWANMNOo6Blwd5TfICUkcCsRaqkU9SxodNh+wogvmBC1eZ7Hqig1
YBz56TFbKONma1SXpKn2z3gUQGnHkjOlb73UTYwfc7n1yHfNU07ihh3g7kA0lz/l
oerDAce+ZLIfAP217mF2X7ln27EE5rha6JR1kZbvEO7qF8pbrdDjXwetj1zuhXfr
WNhUJQrzGp4PNC6bC+NtNaXDXgNklcbM/3A6ivyNAgMBAAGjggLaMIIC1jAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwHQYDVR0OBBYEFBKZWSw98LX28T3pT60eOGDgmplaMB8GA1UdIwQY
MBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEF
BQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8v
cjMuaS5sZW5jci5vcmcvMIHjBgNVHREEgdswgdiCHmFjbWUtdjAyLTEuYXBpLmxl
dHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItMi5hcGkubGV0c2VuY3J5cHQub3Jngh5h
Y21lLXYwMi0zLmFwaS5sZXRzZW5jcnlwdC5vcmeCHmFjbWUtdjAyLTQuYXBpLmxl
dHNlbmNyeXB0Lm9yZ4IeYWNtZS12MDItNS5hcGkubGV0c2VuY3J5cHQub3Jnghxh
Y21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnghhpbmNpZGVudC5sZXRzZW5jcnlw
dC5vcmcwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5AgQCBIH0BIHx
AO8AdgBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZu7+rOdiEcwAAAYubMLEBAAAE
AwBHMEUCIC0+qCkBAkYTZZjzR2uluBUKWgDu3UybrzhCVlZfjM+rAiEAn+1b2tkc
av+uU6Zh+OgBmuv5+nTqbi1QRi+DjjUvif0AdQA7U3d1Pi25gE6LMFsG/kA7Z9hP
w/THvQANLXJv4frUFwAAAYubMLMAAAAEAwBGMEQCIH//QmqCMOc8jy+sgWbNE3Z8
sqzy2rDfrSclPNrpMMTCAiAOnbLvFGtAV+JQ4uml5UXJjZqdAkRnRGhwdJEsD4k+
8jANBgkqhkiG9w0BAQsFAAOCAQEACgY/vbjU4SJZqk3WBuxzGLknBtmfCNzkmDxB
V0hn5sT+8H8ncTYxPErMRgzd8e4o0EaFmdQPpEn8ifevbsGxLN6mDubk2ITEcwuR
b3f7uvy0sgrnmNDNh0cS6kPxmKxlzVEWo1FhM2DQXN+1T84XWqUp9vKWUHLgFeRr
Xo6uyn5aQupMzVr+UvM8ssx5qoVJKtmt8xxrlH2nHLR7pqfTNrkbKl6MnFtNnpu1
UQsK4g2dPm62bWkHlpE9ZsPGH8cFibl7RuLS2s09UtVHfy4JkvgcBp/ZPb9wZvrD
ZgzSWhGCap5eycoBV1uBe7+CiPSX6c4AZExlEO+6gMc+/BqnDA==
-----END CERTIFICATE-----
subject=CN = acme-v02.api.letsencrypt.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3348 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 2EBD51668FC169FD2B460244EEE80BEE84782A691C57FF517ADE6C28855CD5E5
    Session-ID-ctx:
    Resumption PSK: 8D784D8CBAFDEC160913878876E549BAF54D7ACE93AB719564FE8A7FF3C96C1D2C1D941DA3D57D3A33F0EAED5B1D2C5B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - 40 2f 48 2b 14 c0 c1 8e-9c 9e 86 36 96 a6 fb 2e   @/H+.......6....
    0010 - f1 a1 85 21 61 85 a4 46-83 c6 cf d8 de 50 31 37   ...!a..F.....P17

    Start Time: 1699382749
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B1A38BBF7C97B02367186F92809FC08368033E7702A1353F4977DC1EC80F1A60
    Session-ID-ctx:
    Resumption PSK: 39EC08440AD04FD9344D2DA2E28376186E6F64FA17188ED8DAFBB5816ACCF4496BB32B47EBA13BD4CD2657995CCC6439
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - dc 5c 0d e7 eb c0 1d 47-c1 9a c2 db 1f 7a 97 5b   .\.....G.....z.[
    0010 - 77 e1 45 a3 03 69 2a 6a-7b 6b 65 ea 44 6d 13 ab   w.E..i*j{ke.Dm..

    Start Time: 1699382749
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

certbot renew --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/pruebasectigo2.uah.es.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate pruebasectigo2.uah.es with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))

There is nothing wrong with that version of cURL.

So...

3 Likes

OpenSSL is not used by certbot.
wget is not used by certbot.

It doesn't matter if those work, or not, through your proxy.
All that matters is that cURL [which IS used by certbot] works through the proxy.
But it doesn't.

2 Likes

Got it. Thanks so much. I'll check how curl is functioning.

I don't know how they could get a Let's Encrypt cert for this domain name using Apache HTTP Challenge. There is no A (or AAAA) record. https://letsdebug.net

Something must have changed since then. I only see the below cert, but there may be a delay posting the Let's Encrypt cert.

Isn't it really the python urllib3 library that Certbot uses in their setup? I don't think curl uses that same library.

In any case I agree though. Looks like some outbound comms problem with their proxy. openssl got through, so it doesn't look like an IP block. And they could not reach google either.

4 Likes

I think Certbot uses requests, but for some reason I'll often see urllib3 and requests in the same trace. Probably because requests is built upon urllib3 (I've read somewhere).

2 Likes

Thanks. Does curl itself rely on requests or urllib3?

I still don't see a cert on censys.io from Let's Encrypt. It's usually fairly quick, but delays are always possible. None on crt.sh either except that GEANT one (but delays there are common).

I'd still be curious to see the output of this

certbot certificates
3 Likes

No, curl isn't a Python application, but is written in C. libcurl links to libssl and libcrypto, which are part of OpenSSL.

But it might be that curl as well as Python use some sort of the same proxy logic and thus might fail the same way. Not sure why wget would succeed though.

2 Likes

openssl got through too. At least as far as the handshake.

3 Likes

Yes, but I suspect OpenSSL bypassed the proxy by connecting directly. And wget clearly used the proxy looking at the output.

2 Likes
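The question running through the replies above (which of certbot, curl, wget and openssl actually goes through the proxy) can be answered from the shell environment rather than guessed from symptoms: certbot's `requests` stack takes its proxy from the same `*_proxy` / `no_proxy` variables that Python's urllib parses, while each other tool has its own rules (curl, for one, only reads `http_proxy` in lower case). The script below is an added example for this thread, not certbot's own code: `proxy_for()` reports which proxy the Python environment logic selects for the production and staging directory URLs under a given environment mapping, and `tls_check()` performs the same exchange a Python client does (TCP to the proxy, HTTP CONNECT, TLS to the ACME host, GET /directory) and names the failure mode instead of raising, so a TLS EOF from the proxy, the error in the original post, is reported separately from an ordinary network error. The function names, the `proxy.example` host and the port 3128 default are assumptions of this example.

```python
"""Which proxy will certbot's HTTP stack use for the ACME directory?

Added example for this thread; it is not certbot's code. certbot reaches
the CA through the Python `requests` library, which takes its proxy
settings from the same *_proxy / no_proxy environment variables that the
standard library's urllib parses.
"""
import os
import ssl
import http.client
from unittest.mock import patch
from urllib.parse import urlsplit
from urllib.request import getproxies_environment, proxy_bypass_environment

ACME_DIRECTORIES = {
    "production": "https://acme-v02.api.letsencrypt.org/directory",
    "staging": "https://acme-staging-v02.api.letsencrypt.org/directory",
}


def proxy_for(url, environ):
    """Return the proxy URL the *_proxy environment logic selects for `url`,
    or None for a direct connection.

    `environ` is a mapping standing in for os.environ, so the selection can
    be inspected for any hypothetical shell environment without exporting
    anything. getproxies_environment() applies the stdlib rules: lower-case
    names win over upper-case ones, an empty value unsets the proxy, and
    no_proxy comes back under the key 'no'.
    """
    parts = urlsplit(url)
    with patch.dict(os.environ, environ, clear=True):
        proxies = getproxies_environment()
        if proxy_bypass_environment(parts.hostname, proxies):
            return None  # host matched no_proxy: direct connection
    # requests looks the URL scheme up first and then falls back to all_proxy
    return proxies.get(parts.scheme) or proxies.get("all")


def tls_check(url, proxy=None, timeout=10):
    """Fetch `url` directly or through an HTTP CONNECT tunnel via `proxy`
    and return a one-line classification of the outcome. Needs network
    access; the offline checks only exercise proxy_for()."""
    target = urlsplit(url)
    ctx = ssl.create_default_context()
    if proxy:
        p = urlsplit(proxy)
        # Plain TCP to the proxy; the CONNECT request and the TLS handshake
        # with the ACME host both happen inside connect() because of
        # set_tunnel(). Port 3128 is an assumed default for a proxy URL
        # written without one.
        conn = http.client.HTTPSConnection(p.hostname, p.port or 3128,
                                           timeout=timeout, context=ctx)
        conn.set_tunnel(target.hostname, target.port or 443)
    else:
        conn = http.client.HTTPSConnection(target.hostname, target.port or 443,
                                           timeout=timeout, context=ctx)
    try:
        conn.request("GET", target.path or "/")
        resp = conn.getresponse()
        return f"ok: HTTP {resp.status} from {target.hostname}"
    except ssl.SSLZeroReturnError as exc:
        # The error certbot reported: the peer (here, the proxy) closed the
        # TLS connection cleanly instead of completing the exchange.
        return f"tls-eof: {exc}"
    except ssl.SSLError as exc:
        return f"tls-error: {exc}"
    except (OSError, http.client.HTTPException) as exc:
        return f"network-error: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    for name, url in ACME_DIRECTORIES.items():
        proxy = proxy_for(url, dict(os.environ))
        print(f"{name}: proxy = {proxy or 'none (direct)'}")
        if "--connect" in sys.argv:  # opt in to the live connection test
            print("   ", tls_check(url, proxy))
```

Run without arguments it only prints the selection for the current shell; with `--connect` it also attempts the tunnel, which is the point at which a proxy that accepts the CONNECT but then drops the TLS stream shows up as `tls-eof` rather than as the generic "Max retries exceeded" wrapper certbot prints.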

Hi all!
Now I'm trying without using a proxy, just in case.
I can see that I can reach acme-staging-v02.api.letsencrypt.org:
]# wget acme-staging-v02.api.letsencrypt.org
--2023-11-08 11:04:42-- http://acme-staging-v02.api.letsencrypt.org/
Resolviendo acme-staging-v02.api.letsencrypt.org (acme-staging-v02.api.letsencrypt.org)... 172.65.46.172, 2606:4700:60:0:f41b:d4fe:4325:6026
Conectando con acme-staging-v02.api.letsencrypt.org (acme-staging-v02.api.letsencrypt.org)[172.65.46.172]:80... conectado.
Petición HTTP enviada, esperando respuesta... 301 Moved Permanently
Localización: https://acme-staging-v02.api.letsencrypt.org/ [siguiendo]
--2023-11-08 11:04:42-- https://acme-staging-v02.api.letsencrypt.org/
Conectando con acme-staging-v02.api.letsencrypt.org (acme-staging-v02.api.letsencrypt.org)[172.65.46.172]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 1556 (1,5K) [text/html]
Grabando a: «index.html»

index.html 100%[==========================================================================================>] 1,52K --.-KB/s en 0s

2023-11-08 11:04:43 (14,9 MB/s) - «index.html» guardado [1556/1556]

But I receive this error when trying to renew the certificate:
]# certbot renew --cert-name pruebasectigo2.uah.es --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/pruebasectigo2.uah.es.conf


Simulating renewal of an existing certificate for pruebasectigo2.uah.es

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: pruebasectigo2.uah.es
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for pruebasectigo2.uah.es - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for pruebasectigo2.uah.es - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate pruebasectigo2.uah.es with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/pruebasectigo2.uah.es/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

And if I try to renew a wildcard called sectigo.uah.es, I get this other one:
[root@pruebas-rosa ~]# certbot renew --cert-name sectigo.uah.es --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/sectigo.uah.es.conf


Simulating renewal of an existing certificate for *.sectigo.uah.es
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Failed to renew certificate sectigo.uah.es with error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/sectigo.uah.es/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
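Both failures in the post above are decided before any HTTP request reaches the server, and can therefore be checked locally ahead of `certbot renew`: the CA will only validate a wildcard name with the DNS-01 challenge, which certbot's apache, nginx, webroot and standalone authenticators do not implement, and an HTTP-01 validation needs the name to resolve to an address at all, which an NXDOMAIN answer rules out. The pre-flight check below is an added example for this thread, not certbot's code; `preflight()` applies the two rules to a list of names, with the resolver passed in as a parameter so the logic can be run against a constructed lookup table instead of live DNS. The function names, the status strings and the advice texts are this example's own.

```python
"""Pre-flight check before `certbot renew` (added example, not certbot's code).

Rules applied, both visible in the CA's responses in the thread:
  * a wildcard name (*.example) is only issuable via DNS-01, so an
    HTTP-01-only authenticator cannot satisfy the CA for it;
  * with an HTTP-01 authenticator the CA must resolve the name, so a
    name with no A/AAAA record (NXDOMAIN) fails before any web request.
"""
import socket
import sys

# certbot authenticator plugins that only implement the HTTP-01 challenge.
HTTP01_AUTHENTICATORS = {"apache", "nginx", "webroot", "standalone"}


def has_address(name):
    """Live DNS lookup: True if `name` resolves to at least one A/AAAA record."""
    try:
        socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
        return True
    except socket.gaierror:  # NXDOMAIN and other resolution failures
        return False


def preflight(names, authenticator, resolver=has_address):
    """Return {name: status}, where status is one of
    'ok', 'needs-dns-01' (wildcard under an HTTP-01 plugin) or
    'nxdomain' (HTTP-01 plugin, but the name has no address).
    `resolver` is injectable so the rules can be exercised offline."""
    http01 = authenticator in HTTP01_AUTHENTICATORS
    status = {}
    for name in names:
        if name.startswith("*."):
            status[name] = "needs-dns-01" if http01 else "ok"
        elif http01 and not resolver(name):
            status[name] = "nxdomain"
        else:
            status[name] = "ok"
    return status


ADVICE = {
    "ok": "no DNS or challenge-type objection; other causes (proxy, web server) remain possible",
    "needs-dns-01": "renew with a DNS plugin (certbot's dns-* authenticators) or drop the wildcard",
    "nxdomain": "publish an A/AAAA record pointing at this server, or remove the name",
}


def report(status):
    """Render preflight() results as the lines an operator would read."""
    return [f"{name}: {state} - {ADVICE[state]}" for name, state in status.items()]


if __name__ == "__main__":
    # usage: preflight.py <authenticator> <name> [<name> ...]
    # defaults to the two names from this thread with the apache plugin
    auth, *names = sys.argv[1:] or ["apache", "pruebasectigo2.uah.es", "*.sectigo.uah.es"]
    print("\n".join(report(preflight(names, auth))))
```

With the default arguments the second name is reported as `needs-dns-01` regardless of DNS, which matches certbot's "does not support any combination of challenges" message; the first name's status depends on whether an A or AAAA record exists when the check runs.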