Max retries exceeded with - acme-v01.api.letsencrypt.org:443

Help
1

I managed to create a certificate using letsencrypt-auto yesterday, without issues on my Ubuntu 14.04 server. I need to generate another one, and using the following command as root:

letsencrupt-auto certonly --standalone

After quite a while, I get the following error:

An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fa079e9a810>: Failed to establish a new connection: [Errno 101] Network is unreachable',))

Here's the full output from /var/log/letsencrypt/letsencrypt.log

2016-02-12 08:19:18,750:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-02-12 08:19:18,750:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-02-12 08:19:18,751:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.0
2016-02-12 08:19:18,751:DEBUG:letsencrypt.cli:Arguments: ['--no-self-upgrade', '--standalone', '-d', 'foodacademy.dedicated.co.za', '-d', 'www.foodacademy.dedicated.co.za']
2016-02-12 08:19:18,751:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-02-12 08:19:18,759:DEBUG:letsencrypt.cli:Requested authenticator standalone and installer None
2016-02-12 08:19:19,733:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x7f69e96d8850>
Prep: True
2016-02-12 08:19:19,734:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x7f69e96d8850> and installer None
2016-02-12 08:19:19,781:DEBUG:letsencrypt.cli:Picked account: <Account(365591a7b0ea8771459c189d7421be32)>
2016-02-12 08:19:19,781:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-02-12 08:19:19,802:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-12 08:21:27,218:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
sys.exit(main())
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1987, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 690, in obtain_cert
le_client = _init_le_client(config, authenticator, installer)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 213, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 183, in init
acme = acme_from_config_key(config, self.account.key)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 41, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 63, in init
self.net.get(directory).json())
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 619, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 601, in _send_request
response = requests.request(method, url, *args, **kwargs)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/adapters.py", line 437, in send
raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f69e9669890>: Failed to establish a new connection: [Errno 101] Network is unreachable',))

I tried disabling my firewall, but still getting the same issue. Any idea what could be wrong?

1 Like
2

Just decided to give this a retry, since this morning. And still having this issue, not sure why this is happening?

3

Ok, so just removed letsencrypt along with /etc/letsencrypt, and it’s getting past the line that says “Requesting root privileges to run letsencrypt…” Is this happening because I was trying to generate a second certificate on my server for another domain?

4

Still stuck, I’ve generated one cert on my server, and since then, running

letsencrypt-auto certonly --standalone

doesn’t work. Still getting the HTTPSConnectionPool error.

5

Can you try a traceroute to acme-v01.api.letsencrypt.org?

And simple telnet acme-v01.api.letsencrypt.org 443?

This doesn’t seem related, but there is no DNS record for the www. version of the name you were requesting (but that ought to produce a different error later on in the process).

1 Like
6

Thanks for the reply @schoen. I ran a traceroute and got the following:

1?: [LOCALHOST] pmtu 1500
1: hexiuriqioot.hosted.co.za 0.993ms
1: hexiuriqioot.hosted.co.za 0.633ms
2: 196.30.42.129 24.008ms
3: te9-6-gw21jnb6.za.mtnns.net 3.864ms
4: 196.31.220.20 0.667ms asymm 5
5: 196.31.220.11 7.611ms
6: 196.44.31.96 182.145ms asymm 21
7: ct-cr-2.za--rb-cr-1.za.mtnns.net 18.973ms
8: 196.44.29.169 179.409ms asymm 18
9: LO-MTN-MSE-PE-01--ct-cr-3.za.mtnns.net 164.485ms
10: 41.181.245.250 162.531ms
11: 41.181.190.197 174.939ms
12: 41.181.245.185 183.076ms
13: 41.181.245.189 181.229ms
14: 80.249.212.8 262.443ms
15: 200.16.69.0 283.589ms
16: core01.maiquetia.globenet.net 309.358ms
17: core01.ftlz.globenet.net 337.634ms asymm 15
18: 200.16.69.45 371.439ms asymm 16
19: 138.0.40.30 374.452ms asymm 17
20: 189.1.44.34 374.647ms asymm 18
21: 201.159.157.250 381.487ms asymm 19
22: a104-105-129-75.deploy.static.akamaitechnologies.com 384.603ms reached
Resume: pmtu 1500 hops 22 back 20

telnet acme-v01.api.letsencrypt.org 443

Trying 104.105.129.75...
Connected to e981.dscb.akamaiedge.net.
Escape character is '^]'.

I tried entirely deleting the /etc/letsencrypt folder, to attempt starting from scratch, doesn't work either. Did a git reset --hard on the letsencrypt repo as well, and with no success...

7

All I want to is regenerate the certificate, as I need to add more domains to it

8

Ok, for some reason, after running traceroute and telnet, I was able to generate a new certificate!

9

I’m currently having the same problem from a Linode in Atlanta. My Linode in New Jersey is working fine.

DNS info:

# host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 172.224.201.128
e981.dscb.akamaiedge.net has IPv6 address 2600:1402:a:29f::3d5
e981.dscb.akamaiedge.net has IPv6 address 2600:1402:a:2a2::3d5

And a raw test:

# curl https://acme-v01.api.letsencrypt.org/
curl: (7) Failed to connect to acme-v01.api.letsencrypt.org port 443: Connection refused

(The working node gets a different address from the DNS, so this looks like a node failure…)

10

Hello guys, I have same problem. It seem that address https://acme-v01.api.letsencrypt.org/directory is blocked for my IP.

Here is error:
Checking for new version... Requesting root privileges to run certbot... /root/.local/share/letsencrypt/bin/letsencrypt certonly --config /etc/letsencrypt/lecli.ini -d somedomain.com -d www.somedomain.com An unexpected error occurred: ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x2732410>: Failed to establish a new connection: [Errno 101] Network is unreachable',)) Please see the logfiles in /var/log/letsencrypt for more details.
DNS and ping work from the server, I cant only reach port 443. IMHO it is looks like that IP is banned. From other servers everything works fine.

[root@anniebabymonitor letsencrypt]# host acme-v01.api.letsencrypt.org
acme-v01.api.letsencrypt.org is an alias for api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.NET is an alias for e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net has address 23.9.3.118
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:10e:185::3d5
e981.dscb.akamaiedge.net has IPv6 address 2a02:26f0:10e:1a0::3d5
[root@anniebabymonitor letsencrypt]# ^C
[root@anniebabymonitor letsencrypt]# ping acme-v01.api.letsencrypt.org
PING e981.dscb.akamaiedge.net (23.9.3.118) 56(84) bytes of data.
64 bytes from a23-9-3-118.deploy.static.akamaitechnologies.com (23.9.3.118): icmp_seq=1 ttl=57 time=9.50 ms
64 bytes from a23-9-3-118.deploy.static.akamaitechnologies.com (23.9.3.118): icmp_seq=2 ttl=57 time=9.59 ms
64 bytes from a23-9-3-118.deploy.static.akamaitechnologies.com (23.9.3.118): icmp_seq=3 ttl=57 time=10.0 ms
^C
--- e981.dscb.akamaiedge.net ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 9.507/9.725/10.079/0.264 ms

11

@funko Have you check your outbound firewall rules + logs to make sure you arent blocking it? Have you watched your firewall logs when you make the request?

12

Same issue on Ubuntu 16.04.

# traceroute -n -p 443 acme-v01.api.letsencrypt.org
traceroute to acme-v01.api.letsencrypt.org (23.15.99.14), 30 hops max, 60 byte packets
 1  103.8.79.193  0.236 ms  0.183 ms  0.251 ms
 2  103.8.78.33  0.454 ms  0.488 ms  0.429 ms
 3  3.3.3.1  30.019 ms  29.962 ms  29.819 ms
 4  154.18.2.5  16.020 ms  15.951 ms  16.239 ms
 5  154.54.44.173  186.439 ms 154.24.45.94  187.689 ms 154.54.44.173  186.466 ms
 6  154.54.31.54  192.581 ms 154.54.26.42  192.402 ms  192.524 ms
 7  38.104.84.42  254.194 ms  253.876 ms  254.047 ms
 8  61.14.158.49  217.344 ms  218.168 ms  218.096 ms
 9  61.14.157.186  215.266 ms  215.478 ms  215.416 ms
10  61.8.59.246  216.894 ms  219.635 ms  219.541 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
13

Same issue on ubuntu 16.04 on digital ocean. Running “curl https://acme-v01.api.letsencrypt.org/” seemed to fix it…

14

I’m also having these problem on Ubuntu Server 16.10. Curling the site didn’t help for me, and traceroute -p 443 acme-v01.api.letsencrypt.org just leaves me in stars. :confused:

15

Come to think about it… That doesn’t work on port 443 for google.com either. It does however work with the -Tflag (TCP ACKs on), so maybe it just can’t/won’t do ICMP over SSL? With -T I can successfully traceroute acme-v01.api.letsencrypt.org -p 443 -T.

EDIT: or just plain traceroute acme-v01.api.letsencrypt.org 443 works.

16

I follow your steps,and do the same,it doesn’t work.
Then ,after I run curl https://acme-v01.api.letsencrypt.org/directory,I try again, the problem is gone.
I don’t know hte reasion.