New HTTPS activation failed

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hallowstreet.org

I ran this command: certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): csa@web-analysts.net

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory

(A)gree/©ancel: a

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: n

Which names would you like to activate HTTPS for?

1: hallowstreet.org
2: www.hallowstreet.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):
Obtaining a new certificate
An unexpected error occurred:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 387, in _make_request
six.raise_from(e, None)
File “”, line 3, in raise_from
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 383, in _make_request
httplib_response = conn.getresponse()
File “/usr/lib/python3.6/http/client.py”, line 1346, in getresponse
response.begin()
File “/usr/lib/python3.6/http/client.py”, line 307, in begin
version, status, reason = self._read_status()
File “/usr/lib/python3.6/http/client.py”, line 268, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), “iso-8859-1”)
File “/usr/lib/python3.6/socket.py”, line 586, in readinto
return self._sock.recv_into(b)
File “/usr/lib/python3.6/ssl.py”, line 1012, in recv_into
return self.read(nbytes, buffer)
File “/usr/lib/python3.6/ssl.py”, line 874, in read
return self._sslobj.read(len, buffer)
File “/usr/lib/python3.6/ssl.py”, line 631, in read
v = self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 440, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File “/usr/lib/python3/dist-packages/urllib3/util/retry.py”, line 367, in increment
raise six.reraise(type(error), error, _stacktrace)
File “/usr/lib/python3/dist-packages/six.py”, line 693, in reraise
raise value
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 601, in urlopen
chunked=chunked)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 389, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=read_timeout)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 309, in _raise_timeout
raise ReadTimeoutError(self, url, “Read timed out. (read timeout=%s)” % timeout_value)
urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45)

During handling of the above exception, another exception occurred:

requests.exceptions.ReadTimeout: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    root@web:/var/www/html/hallowstreet.org/public_html#

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04 (LTS)

My hosting provider, if applicable, is: linode VPS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

2

Hi @walpi

are you sure your server is able to connect Letsencrypt?

What says

curl https://acme-v02.api.letsencrypt.org/
traceroute acme-v02.api.letsencrypt.org
3

curl https://acme-v02.api.letsencrypt.org/

Boulder: The Let's Encrypt CA 

  <div class="col-xs-6 text-left">
    <h1>Boulder<br>
    <small>The Let's Encrypt CA</small></h1>
  </div>
</div>

<div class="row">
  <div class="col-xs-8 col-xs-offset-2 text-center">
    <h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>
    <p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>
    <p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
  </div>
</div>
<div class="row">
  <div class="col-xs-4 col-xs-offset-2 text-center">
    <p><a href="https://letsencrypt.status.io" title="Twitter">
      <i class="fa fa-area-chart"></i>
      Service Status (letsencrypt.status.io)
    </a></p>
  </div>
  <div class="col-xs-4 text-center">
    <p><a href="https://twitter.com/letsencrypt" title="Twitter">
      <i class="fa fa-twitter"></i>
      Check with us on Twitter
    </a></p>
  </div>
</div> <!-- row -->
root@web:/var/www/html/hallowstreet.org/public_html# # traceroute acme-v02.api.letsencrypt.org traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets 1 45.79.12.202 (45.79.12.202) 0.913 ms 45.79.12.201 (45.79.12.201) 0.892 ms 45.79.12.202 (45.79.12.202) 0.896 ms 2 45.79.12.6 (45.79.12.6) 0.883 ms 0.878 ms 45.79.12.2 (45.79.12.2) 0.714 ms 3 de-cix.dfw.cloudflare.com (206.53.202.2) 1.879 ms 206.223.118.145 (206.223.118.145) 2.453 ms de-cix.dfw.cloudflare.com (206.53.202.2) 2.436 ms 4 * * * 5 * * * 6 * * * 7 * * * 8 * * * 9 * * * 10 * * * 11 * * * 12 * * * 13 * * * 14 * * * 15 * * * 16 * * * 17 * * * 18 * * * 19 * * * 20 * * * 21 * * * 22 * * * 23 * * * 24 * * * 25 * * * 26 * * * 27 * * * 28 * * * 29 * * * 30 * * * root@web:/var/www/html/hallowstreet.org/public_html#
4

Same thing here, timeout to acme-v02 while trying to renew Nextcloud cert. Service shows green status, but appears to be unreachable.

5

curl works, so you can talk to the server.

Your traceroute doesn’t work. My tracert works.

Works it with ipv6? (perhaps -6)

There were some cdn - changes.

Perhaps reduce your MTU.

6

I’m now getting this:
SSLError: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(“bad handshake: SysCallError(104, ‘ECONNRESET’)”,),))

7

I was only getting as far as Level 3 on 4.16.234.162, but whatever the problem was with the next hop it is now resolved, my cert is updated.

8

Mine worked now too.

9

Curious. Thanks for reporting back :+1:

10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.