My IP is blocked by Let’s Encrypt

I am getting this error every time I try to enable Let’s Encrypt in WHM of cPanel.

API failure: Net::ACME2::x::HTTP::Network: The system failed to send an HTTP “GET” request to “https://acme-v02.api.letsencrypt.org/directory” because of an error: SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed ...propagated at /usr/local/cpanel/3rdparty/perl/536/cpanel-lib/Net/ACME2/HTTP.pm, line 225

So please check and help me to solve this.

Hello @mbjsoft, welcome to the Let's Encrypt community.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

I want to install it for WHM/cPanel.

snap info certbot
name: certbot
summary: Automatically configure HTTPS using Let's Encrypt
publisher: Certbot Project (certbot-eff✓)
store-url: Install certbot on Linux | Snap Store
contact: Issues · certbot/certbot · GitHub
license: Apache-2.0
description: |
The objective of Certbot, Let's Encrypt, and the ACME (Automated
Certificate Management Environment) protocol is to make it possible
to set up an HTTPS server and have it automatically obtain a
browser-trusted certificate, without any human intervention. This is
accomplished by running a certificate management agent on the web
server.

This agent is used to:
- Automatically prove to the Let's Encrypt CA that you control the
website
- Obtain a browser-trusted certificate and set it up on your web server
- Keep track of when your certificate is going to expire, and renew it
- Help you revoke the certificate if that ever becomes necessary.
snap-id: wy7i66qPx4neXr6m9rTh7Y40h8EhtZFh
channels:
latest/stable: 2.6.0 2023-05-09 (3024) 46MB classic
latest/candidate: ↑
latest/beta: 2.6.0 2023-05-09 (3024) 46MB classic
latest/edge: 2.7.0.dev0 2023-05-19 (3056) 46MB classic

Ok, and what was the command line you used to invoke Certbot?

1 Like

snap info certbot

No, that is the command line you used to query information about Certbot on your system.

1 Like

It is automatically installed by WHM/Cpanel Installation process.

OK; kindly wait to see if there are more knowledgeable Let's Encrypt community volunteers willing to assist.

I, myself, do not know anything about

1 Like

I am also using this to install again
/usr/local/cpanel/scripts/install_lets_encrypt_autossl_provider

You need to ask cPanel support to login to your server and take a look. They wrote the Let's Encrypt AutoSSL plugin and they will be able to assist you.

5 Likes

1 Like

The "certificate verify failure" means your system is not recognizing the certs used by Let's Encrypt. You are reaching Let's Encrypt, so you are not blocked.

This might be because your system CA certificate store is broken or very old.

Or, sometimes there is a firewall interfering with the outbound request from your server.

Are you able to run commands at the command prompt? What does this show?

curl -v https://acme-v02.api.letsencrypt.org/directory

4 Likes

root@server:~# curl -v https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May  6 21:31:52 2023 GMT
*  expire date: Aug  4 21:31:51 2023 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55a683ced320)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Sat, 20 May 2023 03:43:55 GMT
< content-type: application/json
< content-length: 752
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "AFMB4rut_xc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Your IP is clearly NOT being blocked.

3 Likes

Please check it also

We did. You are 100% not blocked

Certificate verify succeeds using curl request

* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May  6 21:31:52 2023 GMT
*  expire date: Aug  4 21:31:51 2023 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

HTTP 200 is success and sees data from the /directory endpoint. Something is wrong with your cPanel.

4 Likes
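The distinction drawn in this thread (a certificate verification failure means the server was reached, so the IP is not blocked) can be scripted as a first triage step. This is an added example, not code from the thread, cPanel or Let's Encrypt; the function names are hypothetical and the "blocked" sample line is constructed.

```shell
#!/bin/sh
# Added example: sort ACME client / curl -v output into a failure class.

# Error text quoted from the thread (cPanel AutoSSL, Net::ACME2).
CPANEL_ERR='SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'
# Lines taken from the curl -v output posted in the thread.
CURL_OK='*   CAfile: /etc/ssl/certs/ca-certificates.crt
*  SSL certificate verify ok.
< HTTP/2 200'
# Constructed sample: what a dropped or filtered connection looks like.
BLOCKED='curl: (28) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out'

# classify_acme_output: reads client output on stdin, prints one class:
#   trust-store  server was reached, but its chain did not validate locally
#   network      no TCP/TLS session at all (DNS, firewall, routing, block)
#   ok           TLS verified and HTTP 200 received
#   unknown      none of the patterns matched
classify_acme_output() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -Eqi \
        'certificate verify failed|SSL certificate problem|unable to get local issuer certificate'; then
        echo trust-store
    elif printf '%s\n' "$input" | grep -Eqi \
        'Connection (refused|timed out)|No route to host|Could not resolve host'; then
        echo network
    elif printf '%s\n' "$input" | grep -q 'SSL certificate verify ok' &&
         printf '%s\n' "$input" | grep -Eq '^< HTTP/[0-9.]+ 200'; then
        echo ok
    else
        echo unknown
    fi
}

# ca_bundle_used: print the CA bundle path curl reported on stdin, if any.
# Knowing which bundle validated the chain helps when another client on the
# same host (here the cPanel-bundled Perl) fails against the same endpoint.
ca_bundle_used() {
    sed -n 's/^.*CAfile:[[:space:]]*//p' | head -n 1
}

printf 'cPanel error -> %s\n' "$(printf '%s\n' "$CPANEL_ERR" | classify_acme_output)"
printf 'curl output  -> %s (bundle: %s)\n' \
    "$(printf '%s\n' "$CURL_OK" | classify_acme_output)" \
    "$(printf '%s\n' "$CURL_OK" | ca_bundle_used)"
printf 'timeout line -> %s\n' "$(printf '%s\n' "$BLOCKED" | classify_acme_output)"
```

A `trust-store` result for one client alongside `ok` for curl on the same host points at the failing client's own CA bundle or TLS library rather than at the network.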
