Max retries exceeded

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jenkins-armv7.powerbang.ovh
jenkins-x86-64.powerbang.ovh
syncthing-nfs.powerbang.ovh
znc.powerbang.ovh
transmission.powerbang.ovh
jenkins-aarch64.powerbang.ovh
radicale.powerbang.ovh

I ran this command:
certbot --apache
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate is not yet valid (_ssl.c:1028)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
apache 2.4.63-1

The operating system my web server runs on is (include version):
Archlinux
My hosting provider, if applicable, is:
myself
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 3.3.0

In fact my certificates expired and I made some attempts, reading and trying to correct the errors... so am I banned? I thought it wouldn't last long... but it has been three days now, and there are no changes. What should I do?

Please check the date and time of the host.

2 Likes

Hello @PowaBanga,

This domain name check gets HTTP/1.1 503 Service Unavailable, which I believe is enough to fail.

$ curl -k -Ii https://jenkins-x86-64.powerbang.ovh/.well-known/acme-challenge/pJAgRcBGpWqx9kFbbKfH3E9wYqkSvpXRPivBmkOdmra
HTTP/1.1 503 Service Unavailable
Date: Tue, 18 Mar 2025 07:30:50 GMT
Server: Apache/2.4.63 (Unix) OpenSSL/3.4.1
Connection: close
Content-Type: text/html; charset=iso-8859-1

Edit

For this one, the server changes following the redirect; for HTTP, Server: Apache/2.4.63 (Unix) OpenSSL/3.4.1

$ curl -Ii http://jenkins-armv7.powerbang.ovh/.well-known/acme-challenge/pJAgRcBGpWqx9kFbbKfH3E9wYqkSvpXRPivBmkOdmra
HTTP/1.1 301 Moved Permanently
Date: Tue, 18 Mar 2025 07:32:41 GMT
Server: Apache/2.4.63 (Unix) OpenSSL/3.4.1
Location: https://jenkins-armv7.powerbang.ovh/.well-known/acme-challenge/pJAgRcBGpWqx9kFbbKfH3E9wYqkSvpXRPivBmkOdmra
Content-Type: text/html; charset=iso-8859-1

Following the redirect to HTTPS gets HTTP/1.1 403 Forbidden, and the Server changed: Jetty(9.4.43.v20210629).

$ curl -k -Ii https://jenkins-armv7.powerbang.ovh/.well-known/acme-challenge/pJAgRcBGpWqx9kFbbKfH3E9wYqkSvpXRPivBmkOdmra
HTTP/1.1 403 Forbidden
Date: Tue, 18 Mar 2025 07:32:50 GMT
Server: Jetty(9.4.43.v20210629)
X-Content-Type-Options: nosniff
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=utf-8
X-Hudson: 1.395
X-Jenkins: 2.319.2
X-Jenkins-Session: 8c152521
Content-Length: 689
Set-Cookie: JSESSIONID.451a6030=node0gu5s5pqhwkrp1jic5xk8jv1n586.node0; Path=/; HttpOnly

Edit 2

Using the online tool Let's Debug yields these results; look through all of them carefully, they are not consistent.

1 Like

Confirms that the clock on the server is wrong.

5 Likes

This sounds like the clock on your system is very far off. What's the output of date?

3 Likes

Yep, I had to update my NTP configuration. Thank you for the answer!

2 Likes
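The diagnosis reached in this thread, as an added example (not code from the thread or from Certbot): compare the local clock with the Date header of a remote HTTPS server and with a certificate's validity window, to tell a wrong local clock apart from a certificate that is really invalid. The function names, the 5-minute tolerance and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed tolerance for this example; not a Certbot or ACME setting.
MAX_SKEW = timedelta(minutes=5)

# Constructed sample values (not taken from the thread): a Date header in the
# format curl -I prints, and a certificate validity window.
SAMPLE_DATE = "Mon, 17 Mar 2025 12:00:00 GMT"
NOT_BEFORE = datetime(2025, 2, 1, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 5, 2, tzinfo=timezone.utc)


def clock_skew(local_now, http_date):
    """Local clock minus the time in a remote server's HTTP Date header."""
    return local_now - parsedate_to_datetime(http_date)


def diagnose(local_now, http_date, not_before, not_after):
    """Tell a wrong local clock apart from a genuinely invalid certificate."""
    remote_now = parsedate_to_datetime(http_date)
    skewed = abs(local_now - remote_now) > MAX_SKEW
    valid_local = not_before <= local_now <= not_after
    valid_remote = not_before <= remote_now <= not_after
    if not valid_remote:
        return "cert-invalid"  # fails even when judged by the remote clock
    if not valid_local:
        # Valid by remote time only: the verifying host's clock is the problem.
        # "clock-behind" is the case that surfaces as "certificate is not yet valid".
        return "clock-behind" if local_now < not_before else "clock-ahead"
    return "skewed-but-valid" if skewed else "ok"


if __name__ == "__main__":
    # Constructed local clock readings: one year behind, correct, far ahead.
    for local in (datetime(2024, 3, 17, 12, 0, tzinfo=timezone.utc),
                  datetime(2025, 3, 17, 12, 0, 30, tzinfo=timezone.utc),
                  datetime(2026, 1, 1, tzinfo=timezone.utc)):
        print(local.isoformat(), clock_skew(local, SAMPLE_DATE),
              diagnose(local, SAMPLE_DATE, NOT_BEFORE, NOT_AFTER))
```

On a live host, `local_now` would be `datetime.now(timezone.utc)` and the Date header would come from a server whose clock you trust.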