MASTER DCV: The system failed to send an HTTP

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
lesbianbus.com

I ran this command:
I am using the cPanel AutoSSL

It produced this output:
MASTER DCV: The system failed to send an HTTP

My web server is (include version):
dedicated servers -soyoustart

The operating system my web server runs on is (include version):
Cpanel 11.68 autoinstaller (CentOS 6 64bit)

My hosting provider, if applicable, is:
soyoustart

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Cpanel 11.68

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Hello Sir
Today I got the email from cPanel and it says the below. Please help, what should I do?
On this server I have other domains and I did the same DNS settings, but only this domain has the problem with the renewal.

MASTER DCV: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “https://acme-v01.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v01.api.letsencrypt.org: SSL wants a read first Cpanel::Exception::HTTP::Network/(XID a65745) The system failed to send an HTTP (Hypertext Transfer Protocol) “POST” request to “https://acme-v01.api.letsencrypt.org/acme/new-authz” because of an error: Timed out while waiting for socket to become ready for reading

-------------and ------------------
MASTER DCV: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “https://acme-v01.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v01.api.letsencrypt.org: SSL wants a read first Cpanel::Exception::HTTP::Network/(XID sudk9r) The system failed to send an HTTP (Hypertext Transfer Protocol) “POST” request to “https://acme-v01.api.letsencrypt.org/acme/new-authz” because of an error: SSL connection failed for acme-v01.api.letsencrypt.org: SSL wants a read first

Hi @June

Acme-v01 is deprecated, you can't create a new account.

So your cPanel may be too old -> update your cPanel.

This is the correct answer. The oldest version that is supported by cPanel Inc. is cPanel 78.

There is an additional restriction if you want to use the Let's Encrypt AutoSSL provider:

We do not support Let's Encrypt's new API in cPanel & WHM versions 82 and earlier. If you want to use this plugin, we recommend that you upgrade to cPanel & WHM version 84 and later.


Thanks. Yes, for now I am using 11.82.0.16; it's too old and I will upgrade the cPanel.
[2019-12-01 02:00:13 -0500] Running version ‘11.82.0.16’ of updatenow.
[2019-12-01 02:00:13 -0500] Detected version ‘11.82.0.16’ from version file.

You should still be able to GET the ACME v1 directory without error. The OP's error messages seem unrelated to account creation and I'd expect the ACME v1 deprecation to only affect ACME v1 new-account requests at the current time.


Hello Sir
I just updated the cPanel to v84.0.15, so is there anything else that I should continue to do for the AutoSSL, or do I do nothing and everything will be working well?

Regards
Jun

And I just agreed to the terms of service and then saved it:
1- I agree to these terms of service.
2- Create a new registration with the provider.

But WHM gives me the news below:

API failure: Net::ACME2::x::HTTP::Network: The system failed to send an HTTP “GET” request to “https://acme-v02.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v02.api.letsencrypt.org: SSL wants a read first …propagated at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Net/ACME2/HTTP.pm, line 225

Is your server able to connect to Letsencrypt? What do these say:

traceroute acme-v02.api.letsencrypt.org.
curl https://acme-v02.api.letsencrypt.org/directory

If I agree to the terms of service and save, it will show me the error message. I think the server can connect to Letsencrypt; maybe after waiting till tomorrow the SSL will renew :)

Regards
Jun

Hi Sir.
I just checked the AutoSSL, and it is still not working. Today's log shows me only:

Log for the AutoSSL run for all users: Wednesday, December 4, 2019 7:30:07 AM GMT+0100 (Let’s Encrypt™)

7:30:07 AM AutoSSL’s configured provider is “Let’s Encrypt™”.

maybe we still have something to do with the autoSSL.
Thanks
Jun

Morning Sir,
Today I got the log from cPanel for renewing the domain lesbianbus.com. Could you please let me know what I should do?
Thanks for your help
Jun

6:17:55 AM WARN Cpanel::Exception/(XID dsdj7c) The system failed to send an HTTP “HEAD” request to “https://acme-v02.api.letsencrypt.org/acme/new-nonce” because of an error: Timed out while waiting for socket to become ready for reading
------ and
3:13:47 AM WARN Cpanel::Exception/(XID 4n5p2j) The system failed to send an HTTP “GET” request to “https://acme-v02.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v02.api.letsencrypt.org: SSL wants a read first

There is the required question.

Sir, details below, please help

[root@ns527072 ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 158.69.242.253 (158.69.242.253) 0.407 ms 0.450 ms 0.593 ms
2 10.34.66.68 (10.34.66.68) 0.572 ms 0.636 ms 0.757 ms
3 10.74.8.114 (10.74.8.114) 0.201 ms 10.74.8.112 (10.74.8.112) 0.628 ms 10.74.8.114 (10.74.8.114) 0.277 ms
4 10.95.81.8 (10.95.81.8) 1.727 ms 10.95.81.10 (10.95.81.10) 1.804 ms 10.95.81.8 (10.95.81.8) 1.602 ms
5 be100-1320.chi-1-a9.il.us (198.27.73.207) 17.986 ms be100-1324.chi-5-a9.il.us (192.99.146.141) 17.974 ms 17.979 ms
6 be100-2.chi-5-a9.il.us (178.32.135.199) 18.272 ms 13335.chi.equinix.com (208.115.136.180) 18.686 ms be100-2.chi-5-a9.il.us (178.32.135.199) 17.780 ms
7 * * 13335.chi.equinix.com (208.115.136.180) 20.733 ms
8 * * *
9 * * *
-----and
[root@ns527072 ~]# curl https://acme-v02.api.letsencrypt.org/directory
{
  "1oLvpowJQ5A": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}[root@ns527072 ~]#

That looks wrong. Normally, that should work.

D:\temp>tracert -4 acme-v02.api.letsencrypt.org
1 <1 ms <1 ms <1 ms fritz.box [192.168.0.1]
2 5 ms 5 ms 4 ms 62.155.240.117
3 6 ms 6 ms 6 ms 217.239.50.102
4 6 ms 6 ms 6 ms 217.239.50.102
5 6 ms 6 ms 6 ms lag-10.edge4.Berlin1.Level3.net [4.68.73.5]
6 6 ms 5 ms 6 ms ae-1-3502.edge3.Berlin1.Level3.net [4.69.159.1]
7 6 ms 5 ms 5 ms unknown.Level3.net [212.162.40.34]
8 6 ms 5 ms 5 ms 172.65.32.248

172.65.32.248 is the ip of acme-v02.api.letsencrypt.org.

But curl works. Sometimes, there is a problem with a wrong MTU.

Perhaps change your MTU from 1500 to 1300 or 1200.

Is there a wrongly configured proxy? Or is there a non-working OCSP request, because outgoing HTTP requests are blocked?

What's that? Checking the domain there is a new Letsencrypt certificate - https://check-your-website.server-daten.de/?q=lesbianbus.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-12-05 | 2020-03-04 | lesbianbus.com, www.lesbianbus.com - 2 entries | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2019-11-23 | 2020-02-21 | lesbianbus.com, www.lesbianbus.com - 2 entries | | |

And the certificate is used:

| CN=lesbianbus.com | 05.12.2019 | 04.03.2020, expires in 90 days | lesbianbus.com, www.lesbianbus.com - 2 entries |

Looks like a temporary problem, not like a real problem.

Yes, Sir,
it's working, but not completely. I also have a domain, sexhub.red, that needs to renew. For now only sexhub.red is OK, and en.sexhub.red and cn.sexhub.red show me the below. I feel the server still has something wrong.

Thanks for your kindly help,
Jun

3:13:48 PM Processing “sexhub”’s local DCV results …

3:13:48 PM Analyzing “cn.sexhub.red”’s DCV results …

3:16:17 PM WARN Net::ACME2::x::HTTP::Network: The system failed to send an HTTP “POST” request to “https://acme-v02.api.letsencrypt.org/acme/authz-v3/1561026215” because of an error: Timed out while waiting for socket to become ready for reading …propagated at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Net/ACME2/HTTP.pm, line 225 …propagated at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Net/ACME2/HTTP.pm, line 162 …propagated at /usr/local/cpanel/Cpanel/SSL/Auto/Run/HandleVhost.pm, line 241

3:16:17 PM Analyzing “en.sexhub.red”’s DCV results …

3:17:50 PM WARN Cpanel::Exception/(XID 2xcgdw) The system failed to send an HTTP “POST” request to “https://acme-v02.api.letsencrypt.org/acme/new-order” because of an error: Timed out while waiting for socket to become ready for reading

3:17:50 PM The system has completed “sexhub”’s AutoSSL check.

If the certificate renewal sometimes works, sometimes not - with such unspecific errors:

There - https://forums.cpanel.net/threads/lets-encrypt-service-issues.601339/ - is the same error, but the topic is more than 2 years old. Did you reduce your MTU? Or does the server have too many domains, so there are too many renewals?

Your non-working traceroute - perhaps there are instances in your network that are blocking.

Firewalls, wrongly configured routers etc.

Checking your en - same "not-problem" - https://check-your-website.server-daten.de/?q=en.sexhub.red

There is a certificate:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2019-12-05 | 2020-03-04 | en.sexhub.red, www.en.sexhub.red - 2 entries | duplicate nr. 1 | |

Exact time 2019-12-05 08:54:32

But you don't use that certificate, there is another Letsencrypt certificate.

So you have your certificate.

Is there an update of AutoSSL?

Hello Sir
I got some information from the cPanel supporter; he says it's not working well on IPv6.
I think, is it possible that we disable IPv6 and only use IPv4?

Thanks
Jun

MTR, as an alternative, shows the route containing massive packet loss at every hop:

[17:48:37 ns527072 root@13904671 ~]cPs# mtr -c 10 -r acme-v02.api.letsencrypt.org
HOST: ns527072.ip-158-69-242.net Loss% Snt Last Avg Best Wrst StDev

  1. 2607:5300:120:2ff:ff:ff:ff:f 0.0% 10 0.8 0.7 0.5 1.1 0.2
  2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  3. 2001:41d0:0:50::6:898 50.0% 10 148.2 159.8 148.2 169.2 9.4
  4. be100-100.bhs-g2-nc5.qc.ca 80.0% 10 148.4 153.1 148.4 157.9 6.7
  5. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  6. 13335.ch.equinix.com 90.0% 10 174.3 174.3 174.3 174.3 0.0
  7. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  8. 2606:4700:60:0:f53d:5624:85c 90.0% 10 118.0 118.0 118.0 118.0 0.0
    [17:48:52 ns527072 root@13904671 ~]cPs#

However, that appears to be only on IPv6, since specifying IPv4, works fine:

[17:49:17 ns527072 root@13904671 ~]cPs# mtr -4 -c 10 -r acme-v02.api.letsencrypt.org
HOST: ns527072.ip-158-69-242.net Loss% Snt Last Avg Best Wrst StDev

  1. 158.69.242.253 0.0% 10 0.4 0.5 0.3 0.9 0.2
  2. 10.34.66.68 0.0% 10 0.4 0.5 0.4 0.6 0.1
  3. 10.74.8.154 0.0% 10 0.5 0.5 0.3 0.6 0.1
  4. 10.95.81.8 0.0% 10 1.2 1.4 0.7 3.0 0.6
  5. be100-1320.chi-1-a9.il.us 0.0% 10 18.1 18.0 17.8 18.2 0.1
  6. be100-2.chi-5-a9.il.us 0.0% 10 18.2 18.0 17.7 18.2 0.2
  7. 13335.chi.equinix.com 0.0% 10 18.6 21.1 18.4 31.8 4.9
  8. 172.65.32.248 0.0% 10 18.7 19.2 18.5 19.5 0.3
    [17:49:31 ns527072 root@13904671 ~]cPs#

IPv6 is given priority by Let's Encrypt. As such, you'll need to consult your network and system administrators to determine what is causing that inconsistent packet loss on that interface.
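
One way to read the two mtr reports above mechanically, as an added example that is not part of the original posts or of cPanel's tooling: it parses the hop rows, takes the loss at the final hop, and names the address family whose path loses packets all the way to the target. The function names and the 5% threshold are assumptions.

```python
import re

# Hop rows copied from the two mtr reports posted above (IPv6 run, then -4 run).
MTR_V6 = """\
  1. 2607:5300:120:2ff:ff:ff:ff:f 0.0% 10 0.8 0.7 0.5 1.1 0.2
  2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  3. 2001:41d0:0:50::6:898 50.0% 10 148.2 159.8 148.2 169.2 9.4
  4. be100-100.bhs-g2-nc5.qc.ca 80.0% 10 148.4 153.1 148.4 157.9 6.7
  5. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  6. 13335.ch.equinix.com 90.0% 10 174.3 174.3 174.3 174.3 0.0
  7. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  8. 2606:4700:60:0:f53d:5624:85c 90.0% 10 118.0 118.0 118.0 118.0 0.0
"""
MTR_V4 = """\
  1. 158.69.242.253 0.0% 10 0.4 0.5 0.3 0.9 0.2
  2. 10.34.66.68 0.0% 10 0.4 0.5 0.4 0.6 0.1
  3. 10.74.8.154 0.0% 10 0.5 0.5 0.3 0.6 0.1
  4. 10.95.81.8 0.0% 10 1.2 1.4 0.7 3.0 0.6
  5. be100-1320.chi-1-a9.il.us 0.0% 10 18.1 18.0 17.8 18.2 0.1
  6. be100-2.chi-5-a9.il.us 0.0% 10 18.2 18.0 17.7 18.2 0.2
  7. 13335.chi.equinix.com 0.0% 10 18.6 21.1 18.4 31.8 4.9
  8. 172.65.32.248 0.0% 10 18.7 19.2 18.5 19.5 0.3
"""

# Row: "<n>. <host> <Loss%> <Snt> <Last> <Avg> ..."; mtr prints "???" for silent hops.
ROW = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+([\d.]+)%?\s+\d+\s+[\d.]+\s+([\d.]+)")

def parse_report(text):
    """Return (hop, host, loss_pct, avg_ms) for each hop row; other lines are skipped."""
    rows = (ROW.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2], float(m[3]), float(m[4])) for m in rows if m]

def destination_loss(text):
    """Loss at the final hop. Routers often rate-limit ICMP replies, so loss
    that shows only at middle hops is not proof of a broken path."""
    hops = parse_report(text)
    if not hops:
        raise ValueError("no hop rows found in mtr report")
    return hops[-1][2]

def compare_families(report_v6, report_v4, max_loss=5.0):
    """Name the address family whose path loses packets all the way to the target."""
    loss = {"ipv6": destination_loss(report_v6), "ipv4": destination_loss(report_v4)}
    bad = sorted(fam for fam, pct in loss.items() if pct > max_loss)  # assumed threshold
    return loss, bad

if __name__ == "__main__":
    print(compare_families(MTR_V6, MTR_V4))
```
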

There - https://check-your-website.server-daten.de/?q=sexhub.red - is no ipv6 defined.

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| sexhub.red | A | 158.69.242.90 Montreal/Quebec/Canada (CA) - OVH SAS Hostname: ns527072.ip-158-69-242.net | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.sexhub.red | A | 158.69.242.90 Montreal/Quebec/Canada (CA) - OVH SAS Hostname: ns527072.ip-158-69-242.net | yes | 1 | 0 |
| | AAAA | | yes | | |

So your ipv6 configuration is completely irrelevant.

Third time: What's your MTU. Reduce it - MASTER DCV: The system failed to send an HTTP - #14 by JuergenAuer