MASTER DCV: The system failed to send an HTTP

If I agree to the terms of service and save, it will show me the error message. I think the server can connect to Let’s Encrypt; maybe waiting till tomorrow, the SSL will renew :)

Regards
Jun

Hi Sir,
I just checked the AutoSSL, and it is still not working. Today’s log shows me only:

Log for the AutoSSL run for all users: Wednesday, December 4, 2019 7:30:07 AM GMT+0100 (Let’s Encrypt™)

7:30:07 AM AutoSSL’s configured provider is “Let’s Encrypt™”.

maybe we still have something to do with the autoSSL.
Thanks
Jun

Morning Sir,
today I got the log from cPanel for renewing the domain lesbianbus.com. Could you please let me know what I should do?
Thanks for your help
Jun

6:17:55 AM WARN Cpanel::Exception/(XID dsdj7c) The system failed to send an HTTP “HEAD” request to “https://acme-v02.api.letsencrypt.org/acme/new-nonce” because of an error: Timed out while waiting for socket to become ready for reading
------ and
3:13:47 AM WARN Cpanel::Exception/(XID 4n5p2j) The system failed to send an HTTP “GET” request to “https://acme-v02.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v02.api.letsencrypt.org: SSL wants a read first

There is the required question.

Sir, details below, please help

[root@ns527072 ~]# traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 158.69.242.253 (158.69.242.253) 0.407 ms 0.450 ms 0.593 ms
2 10.34.66.68 (10.34.66.68) 0.572 ms 0.636 ms 0.757 ms
3 10.74.8.114 (10.74.8.114) 0.201 ms 10.74.8.112 (10.74.8.112) 0.628 ms 10.74.8.114 (10.74.8.114) 0.277 ms
4 10.95.81.8 (10.95.81.8) 1.727 ms 10.95.81.10 (10.95.81.10) 1.804 ms 10.95.81.8 (10.95.81.8) 1.602 ms
5 be100-1320.chi-1-a9.il.us (198.27.73.207) 17.986 ms be100-1324.chi-5-a9.il.us (192.99.146.141) 17.974 ms 17.979 ms
6 be100-2.chi-5-a9.il.us (178.32.135.199) 18.272 ms 13335.chi.equinix.com (208.115.136.180) 18.686 ms be100-2.chi-5-a9.il.us (178.32.135.199) 17.780 ms
7 * * 13335.chi.equinix.com (208.115.136.180) 20.733 ms
8 * * *
9 * * *
-----and
[root@ns527072 ~]# curl https://acme-v02.api.letsencrypt.org/directory
{
  "1oLvpowJQ5A": "Adding random entries to the directory",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}[root@ns527072 ~]#

That looks wrong. Normally, that should work.

D:\temp>tracert -4 acme-v02.api.letsencrypt.org
1 <1 ms <1 ms <1 ms fritz.box [192.168.0.1]
2 5 ms 5 ms 4 ms 62.155.240.117
3 6 ms 6 ms 6 ms 217.239.50.102
4 6 ms 6 ms 6 ms 217.239.50.102
5 6 ms 6 ms 6 ms lag-10.edge4.Berlin1.Level3.net [4.68.73.5]
6 6 ms 5 ms 6 ms ae-1-3502.edge3.Berlin1.Level3.net [4.69.159.1]
7 6 ms 5 ms 5 ms unknown.Level3.net [212.162.40.34]
8 6 ms 5 ms 5 ms 172.65.32.248

172.65.32.248 is the ip of acme-v02.api.letsencrypt.org.

But curl works. Sometimes, there is a problem with a wrong MTU.

Perhaps change your MTU from 1500 to 1300 or 1200.

Is there a wrongly configured proxy? Or is there a non-working OCSP request because outgoing HTTP requests are blocked?

What’s that? Checking the domain there is a new Letsencrypt certificate - https://check-your-website.server-daten.de/?q=lesbianbus.com#ct-logs

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-12-05 | 2020-03-04 | lesbianbus.com, www.lesbianbus.com - 2 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-11-23 | 2020-02-21 | lesbianbus.com, www.lesbianbus.com - 2 entries | | |

And the certificate is used:

CN=lesbianbus.com
	05.12.2019
	04.03.2020
expires in 90 days	lesbianbus.com, www.lesbianbus.com - 2 entries

Looks like a temporary problem, not like a real problem.

Yes, Sir,
it’s working, but not completely. I also have a domain, sexhub.red, that needs to renew; now only sexhub.red is OK, and en.sexhub.red and cn.sexhub.red show me the below. I feel the server still has something wrong.

Thanks for your kind help,
Jun

3:13:48 PM Processing “sexhub”’s local DCV results …

3:13:48 PM Analyzing “cn.sexhub.red”’s DCV results …

3:16:17 PM WARN Net::ACME2::x::HTTP::Network: The system failed to send an HTTP “POST” request to “https://acme-v02.api.letsencrypt.org/acme/authz-v3/1561026215” because of an error: Timed out while waiting for socket to become ready for reading …propagated at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Net/ACME2/HTTP.pm, line 225 …propagated at /usr/local/cpanel/3rdparty/perl/528/lib/perl5/cpanel_lib/Net/ACME2/HTTP.pm, line 162 …propagated at /usr/local/cpanel/Cpanel/SSL/Auto/Run/HandleVhost.pm, line 241

3:16:17 PM Analyzing “en.sexhub.red”’s DCV results …

3:17:50 PM WARN Cpanel::Exception/(XID 2xcgdw) The system failed to send an HTTP “POST” request to “https://acme-v02.api.letsencrypt.org/acme/new-order” because of an error: Timed out while waiting for socket to become ready for reading

3:17:50 PM The system has completed “sexhub”’s AutoSSL check.

If the certificate renewal sometimes works, sometimes not - with such unspecific errors:

There is the same error, but the topic is more than 2 years old. Did you reduce your MTU? Or does the server have too many domains, so there are too many renewals?

Your not working traceroute - perhaps there are instances in your network that are blocking.

Firewalls, wrongly configured routers etc.

Checking your en - same “not-problem” - https://check-your-website.server-daten.de/?q=en.sexhub.red

There is a certificate:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-12-05 | 2020-03-04 | en.sexhub.red, www.en.sexhub.red - 2 entries | duplicate nr. 1 | |

Exact time 2019-12-05 08:54:32

But you don’t use that certificate, there is another Letsencrypt certificate.

So you have your certificate.

Is there an update of AutoSSL?

Hello Sir
I got some information from cPanel support; he says it’s not working well on IPv6.
I think, is it possible that we disable IPv6 and only use IPv4?

Thanks
Jun

MTR, as an alternative, shows the route containing massive packet loss at every hop:

[17:48:37 ns527072 root@13904671 ~]cPs# mtr -c 10 -r acme-v02.api.letsencrypt.org
HOST: ns527072.ip-158-69-242.net Loss% Snt Last Avg Best Wrst StDev

  1. 2607:5300:120:2ff:ff:ff:ff:f 0.0% 10 0.8 0.7 0.5 1.1 0.2
  2. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  3. 2001:41d0:0:50::6:898 50.0% 10 148.2 159.8 148.2 169.2 9.4
  4. be100-100.bhs-g2-nc5.qc.ca 80.0% 10 148.4 153.1 148.4 157.9 6.7
  5. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  6. 13335.ch.equinix.com 90.0% 10 174.3 174.3 174.3 174.3 0.0
  7. ??? 100.0 10 0.0 0.0 0.0 0.0 0.0
  8. 2606:4700:60:0:f53d:5624:85c 90.0% 10 118.0 118.0 118.0 118.0 0.0
    [17:48:52 ns527072 root@13904671 ~]cPs#

However, that appears to be only on IPv6, since specifying IPv4, works fine:

[17:49:17 ns527072 root@13904671 ~]cPs# mtr -4 -c 10 -r acme-v02.api.letsencrypt.org
HOST: ns527072.ip-158-69-242.net Loss% Snt Last Avg Best Wrst StDev

  1. 158.69.242.253 0.0% 10 0.4 0.5 0.3 0.9 0.2
  2. 10.34.66.68 0.0% 10 0.4 0.5 0.4 0.6 0.1
  3. 10.74.8.154 0.0% 10 0.5 0.5 0.3 0.6 0.1
  4. 10.95.81.8 0.0% 10 1.2 1.4 0.7 3.0 0.6
  5. be100-1320.chi-1-a9.il.us 0.0% 10 18.1 18.0 17.8 18.2 0.1
  6. be100-2.chi-5-a9.il.us 0.0% 10 18.2 18.0 17.7 18.2 0.2
  7. 13335.chi.equinix.com 0.0% 10 18.6 21.1 18.4 31.8 4.9
  8. 172.65.32.248 0.0% 10 18.7 19.2 18.5 19.5 0.3
    [17:49:31 ns527072 root@13904671 ~]cPs#

IPv6 is given priority by Let’s Encrypt. As such, you’ll need to consult your network and system administrators to determine what is causing that inconsistent packet loss on that interface.

There - https://check-your-website.server-daten.de/?q=sexhub.red - is no ipv6 defined.

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| sexhub.red | A | 158.69.242.90 Montreal/Quebec/Canada (CA) - OVH SAS, Hostname: ns527072.ip-158-69-242.net | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.sexhub.red | A | 158.69.242.90 Montreal/Quebec/Canada (CA) - OVH SAS, Hostname: ns527072.ip-158-69-242.net | yes | 1 | 0 |
| | AAAA | | yes | | |

So your ipv6 configuration is completely irrelevant.

Third time: What’s your MTU. Reduce it - MASTER DCV: The system failed to send an HTTP

Hello Sir
cPanel can’t help me to reduce the MTU, and I have no administrator, Soyoustart always also can’t help…

Thanks and have nice day
Jun
------------------ from cPanel
While investigating your last reply request, in regards to updating the MTU for the server, this is a setting that you would necessarily have to update at the Data Center/Hosting Provider. Ideally, you would want to consult your network and system administrators to determine what is causing that inconsistent packet loss on that interface and to be able to make the adjustments provided to you from Let’s Encrypt.

Sorry, that’s correct - and irrelevant. The problem is your outgoing connection, not the incoming Letsencrypt check.

But you have root access, so you should be able to check your MTU setting.

Check the output of

ifconfig

there you should find your MTU.

And you can use something like

ping -6 -s 1500 -M do acme-v02.api.letsencrypt.org
ping -6 -s 1200 -M do acme-v02.api.letsencrypt.org

to see, if there is a router with a lower MTU.

Thanks, Sir. I did the below:

[root@ns527072 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:25:90:D3:7C:40
inet addr:158.69.242.90 Bcast:158.69.242.255 Mask:255.255.255.0
inet6 addr: fe80::225:90ff:fed3:7c40/64 Scope:Link
inet6 addr: 2607:5300:120:25a::/64 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:70784731887 errors:0 dropped:0 overruns:1029447 frame:0
TX packets:130940471926 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5612347107233 (5.1 TiB) TX bytes:189545633538931 (172.3 TiB)
Memory:fb920000-fb93ffff

eth0:cp1 Link encap:Ethernet HWaddr 00:25:90:D3:7C:40
inet addr:51.79.35.146 Bcast:51.79.35.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Memory:fb920000-fb93ffff

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:9377455625 errors:0 dropped:0 overruns:0 frame:0
TX packets:9377455625 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1600400588373 (1.4 TiB) TX bytes:1600400588373 (1.4 TiB)

[root@ns527072 ~]#

and ping seems not working
[root@ns527072 ~]# ping -6 -s 1500 -M do acme-v02.api.letsencrypt.org
ping: invalid option -- '6'
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination

Then don’t use acme…, instead, use the raw ipv6 address, so ipv6 is used. Thought, there is a -6 option.

Hello Sir
could you please write the command for me here? I’m not sure. Sorry for my language.
Thanks
Jun

@JuergenAuer some versions do have a -6 option, but another thing to try for versions that don’t is ping6.


Ah, thanks.

@June: There is another topic with an MTU problem. Smaller MTU - ping works.
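
The size probes suggested earlier in the thread, run as a binary search (an added example, not code from any poster here; the script name pmtu.sh and the function names are made up for illustration, and iputils ping is assumed). It accounts for the header bytes that `ping -s` does not count and uses ping6 where ping has no -6 option:

```shell
#!/bin/sh
# Added example: find the path MTU with echo requests that must not be fragmented.

# Bytes added on top of the payload size given to `ping -s`:
# IPv4 header 20 + ICMP 8 = 28; IPv6 header 40 + ICMPv6 8 = 48.
# So `-s 1500` never fits a 1500-byte link; the largest payload is 1472 or 1452.
overhead() { if [ "$1" = 6 ]; then echo 48; else echo 28; fi; }

# probe FAMILY HOST PAYLOAD: succeeds if at least one of three echoes is answered.
# Three attempts, because a lossy path would otherwise look like a small MTU.
# Older iputils has no -4/-6 switch: IPv6 uses the separate ping6 binary there
# (for IPv4 on such a system, replace "ping -4" with plain "ping").
probe() {
    if [ "$1" = 6 ] && command -v ping6 >/dev/null 2>&1; then
        ping6 -c 3 -W 2 -M do -s "$3" "$2" >/dev/null 2>&1
    else
        ping "-$1" -c 3 -W 2 -M do -s "$3" "$2" >/dev/null 2>&1
    fi
}

# path_mtu FAMILY HOST [LINK_MTU]: prints the largest packet size that got through.
# Returns 1 if even a minimum-size packet is lost, which points to packet loss
# or filtering on the path rather than to the MTU.
path_mtu() {
    pm_fam=$1; pm_host=$2; pm_link=${3:-1500}
    pm_oh=$(overhead "$pm_fam")
    # Smallest size worth testing: every IPv6 link must carry 1280 bytes;
    # 576 is the conventional IPv4 floor.
    if [ "$pm_fam" = 6 ]; then pm_floor=1280; else pm_floor=576; fi
    pm_lo=$((pm_floor - pm_oh)); pm_hi=$((pm_link - pm_oh))
    probe "$pm_fam" "$pm_host" "$pm_lo" || return 1
    # Binary search for the largest payload that still gets a reply.
    while [ "$pm_lo" -lt "$pm_hi" ]; do
        pm_mid=$(( (pm_lo + pm_hi + 1) / 2 ))
        if probe "$pm_fam" "$pm_host" "$pm_mid"; then pm_lo=$pm_mid; else pm_hi=$((pm_mid - 1)); fi
    done
    echo $((pm_lo + pm_oh))
}

# Usage: sh pmtu.sh 6 acme-v02.api.letsencrypt.org [link-mtu]
if [ $# -ge 2 ]; then
    path_mtu "$@" || echo "no reply even at minimum size: loss or filtering, not MTU" >&2
fi
```

A printed value below the interface MTU (1500 in the ifconfig output above) means a hop on the path carries less than the local link does.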

Sir, I don’t understand well.
ping -6 -s 1500 -M do ---- here, which IPv6 address should I put in?