Hi, we set up a new server based on AlmaLinux 9 and are trying to install free SSL certificates for HTTPS access to our app, but the following commands are giving the errors shown below:
[root@pmis-server-1 ~]# certbot --nginx -d pmis-backup.nlgfc.gov.mw -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): certadmin@kwantu.net
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
It looks like you tried and failed to get a cert too many times too quickly. You are now temporarily blocked.
We can try the Let's Encrypt staging system to test while you wait. What does this say?
certbot certonly --dry-run --nginx -d pmis-backup.nlgfc.gov.mw
sudo certbot certonly --dry-run --nginx -d pmis-backup.nlgfc.gov.mw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Are you able to make outbound requests to other domains?
What do these show?
curl https://ifconfig.io
curl -I https://cloudflare.com
curl -I https://google.com
curl https://ifconfig.io gives
41.77.13.186
curl -I https://cloudflare.com gives
HTTP/2 301
date: Tue, 18 Jun 2024 16:48:33 GMT
content-type: text/html
content-length: 167
location: https://www.cloudflare.com/
cache-control: max-age=3600
expires: Tue, 18 Jun 2024 17:48:33 GMT
set-cookie: __cf_bm=5EX1LskhYkR6WvY9gM7jzYfzVgwcmqlPJy23Hv6kEqk-1718729313-1.0.1.1-AfRJWjPBpdSHBk9cpkdlLn0sfL1p1EPV4D7RpPgNTQf542hXTzXbNuqsyzEwRBZrKGLSS3eW4R_dNRLG5oQB3Q; path=/; expires=Tue, 18-Jun-24 17:18:33 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=BztS%2By7wq3A08sPqLQ%2BR5g%2Bf1JdOetCkCDh7SwsDDkt1FQgYhibKTvcvlNFdunLvJp2MnuQNcDj65x0PuGXNPyy314kp%2BUmeq2Chm%2B5rWwQvp%2BIs0cePFvsL9KjMrBmk"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15780000; includeSubDomains
server: cloudflare
cf-ray: 895cc48299d14fcb-JNB
alt-svc: h3=":443"; ma=86400
curl -I https://google.com gives
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-8RMjSDoRR0I5sjtjWqZ-8A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
date: Tue, 18 Jun 2024 16:49:05 GMT
expires: Thu, 18 Jul 2024 16:49:05 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
And what about this? I wonder if your local network routing is correct.
sudo traceroute -T -p443 acme-v02.api.letsencrypt.org
This URL has an IP that starts with 172. This can cause problems if your local network uses the "private" section of 172 for its own addresses but with too large a range, so that it also includes non-private 172 IP addresses.
sudo traceroute -T -p443 acme-v02.api.letsencrypt.org gives
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 chipata2.ldf.gov.mw (192.168.0.4) 0.412 ms 0.411 ms 0.465 ms
2 41.77.13.185 (41.77.13.185) 2.628 ms 2.626 ms 2.601 ms
3 196.250.235.54 (196.250.235.54) 28.035 ms 27.996 ms 27.957 ms
4 154.66.247.117 (154.66.247.117) 32.582 ms 32.595 ms 32.503 ms
5 154.66.247.200 (154.66.247.200) 46.466 ms 154.66.247.223 (154.66.247.223) 40.697 ms 40.652 ms
6 cloudflare.ixp.joburg (196.60.8.198) 53.242 ms 54.336 ms 46.676 ms
7 197.234.240.21 (197.234.240.21) 41.103 ms cloudflare.ixp.joburg (196.60.8.198) 46.986 ms 197.234.240.21 (197.234.240.21) 42.027 ms
8 172.65.32.248 (172.65.32.248) 45.789 ms 45.771 ms 40.173 ms
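The helper's hypothesis above is that a too-wide 172 route on the local network could swallow 172.65.32.248, which lies outside the RFC 1918 block 172.16.0.0/12 (172.16.0.0 to 172.31.255.255). The script below is an added example, not code posted in this thread or shipped by Let's Encrypt or Certbot: it classifies each hop from the posted traceroute as private or public with a small CIDR check, and, when run with `--live`, shows which route the kernel picks for the ACME host and separates the TLS handshake from the full directory fetch, which is the distinction the `SSLZeroReturnError` above hides. The function names (`ip_to_int`, `in_cidr`, `classify_ip`, `check_acme`) are mine; the hop list is copied from the traceroute output above; the live part assumes `ip` (iproute2), `getent`, `openssl` and `curl`, all standard on AlmaLinux 9.

```shell
#!/bin/sh
# Added example (not from the thread): classify traceroute hops as RFC 1918
# private vs public, then optionally run live checks against the ACME hosts.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if address $1 is inside CIDR $2 (e.g. 172.16.0.0/12), else 1.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print "private" (RFC 1918), "loopback" or "public" for address $1.
classify_ip() {
    for cidr in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$1" "$cidr"; then echo private; return 0; fi
    done
    if in_cidr "$1" 127.0.0.0/8; then echo loopback; return 0; fi
    echo public
}

# Live diagnosis for one ACME host (needs network; hypothetical helper name).
check_acme() {
    host=$1
    addr=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
    [ -n "$addr" ] || { echo "$host: does not resolve"; return 1; }
    echo "$host resolves to $addr ($(classify_ip "$addr"))"
    # Route the kernel would use: a VPN or LAN interface here instead of the
    # default gateway confirms the "too-wide 172 range" hypothesis.
    ip route get "$addr" 2>/dev/null | head -n 1
    # Handshake only: an EOF with no certificate means the connection was cut
    # at or before the handshake (filter, proxy or remote block), not a
    # certificate validation problem.
    echo | openssl s_client -connect "$host:443" -servername "$host" 2>&1 \
        | grep -E 'Verify return code|errno|alert|EOF' | head -n 3
    # Full ACME directory fetch; prints the HTTP status (000 on failure).
    curl -sS --max-time 15 -o /dev/null -w '%{http_code}\n' "https://$host/directory"
}

# Hops taken from the traceroute posted in the thread (constructed input).
for hop in 192.168.0.4 41.77.13.185 196.60.8.198 172.65.32.248; do
    printf '%-16s %s\n' "$hop" "$(classify_ip "$hop")"
done

if [ "${1:-}" = "--live" ]; then
    check_acme acme-v02.api.letsencrypt.org
    check_acme acme-staging-v02.api.letsencrypt.org
fi
```

Run it without arguments on any box to see that only the first hop (192.168.0.4) is private and that 172.65.32.248 is public; run it with `--live` on the affected server to get the route, handshake and HTTP status for both the production and staging endpoints in one go.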
We are checking something offline. Thanks for all the great info. Will let you know.
@erasmus While we wait, there are a couple of other things to check.
What do these show?
curl https://acme-v02.api.letsencrypt.org/directory
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
And can you describe how you installed Certbot (pip, apt, snap, ...) and show its version from
sudo certbot --version
Your IP was blocked because of previously being part of DDoS traffic. I've unblocked it now.
Looks like that was it; now I can curl just fine. Thank you kindly.