Obtaining new SSL certificate on remote server

Hi, we set up a new server based on AlmaLinux 9 and are trying to install free SSL certificates for HTTPS access to our app, but the following commands are giving the errors below:
[root@pmis-server-1 ~]# certbot --nginx -d pmis-backup.nlgfc.gov.mw -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): certadmin@kwantu.net
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

It looks like you tried and failed to get a cert too many times too quickly. You are now temporarily blocked.

We can try the Let's Encrypt Staging system to test while you wait. What does this say?

certbot certonly --dry-run --nginx -d pmis-backup.nlgfc.gov.mw

sudo certbot certonly --dry-run --nginx -d pmis-backup.nlgfc.gov.mw
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Are you able to make outbound requests to other domains?

What do these show?

curl https://ifconfig.io
curl -I https://cloudflare.com
curl -I https://google.com

curl https://ifconfig.io gives
41.77.13.186
curl -I https://cloudflare.com gives
HTTP/2 301
date: Tue, 18 Jun 2024 16:48:33 GMT
content-type: text/html
content-length: 167
location: https://www.cloudflare.com/
cache-control: max-age=3600
expires: Tue, 18 Jun 2024 17:48:33 GMT
set-cookie: __cf_bm=5EX1LskhYkR6WvY9gM7jzYfzVgwcmqlPJy23Hv6kEqk-1718729313-1.0.1.1-AfRJWjPBpdSHBk9cpkdlLn0sfL1p1EPV4D7RpPgNTQf542hXTzXbNuqsyzEwRBZrKGLSS3eW4R_dNRLG5oQB3Q; path=/; expires=Tue, 18-Jun-24 17:18:33 GMT; domain=.cloudflare.com; HttpOnly; Secure; SameSite=None
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=BztS%2By7wq3A08sPqLQ%2BR5g%2Bf1JdOetCkCDh7SwsDDkt1FQgYhibKTvcvlNFdunLvJp2MnuQNcDj65x0PuGXNPyy314kp%2BUmeq2Chm%2B5rWwQvp%2BIs0cePFvsL9KjMrBmk"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15780000; includeSubDomains
server: cloudflare
cf-ray: 895cc48299d14fcb-JNB
alt-svc: h3=":443"; ma=86400

curl -I https://google.com gives
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-8RMjSDoRR0I5sjtjWqZ-8A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
date: Tue, 18 Jun 2024 16:49:05 GMT
expires: Thu, 18 Jul 2024 16:49:05 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

And what about this? I wonder if your local network routing is correct.

sudo traceroute -T -p443 acme-v02.api.letsencrypt.org

This URL has an IP that starts with 172. This can cause problems if your local network uses the "private" section of 172 for its own use but includes too large a range, so that it also covers non-private 172 IP addresses.

sudo traceroute -T -p443 acme-v02.api.letsencrypt.org gives

traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 chipata2.ldf.gov.mw (192.168.0.4) 0.412 ms 0.411 ms 0.465 ms
2 41.77.13.185 (41.77.13.185) 2.628 ms 2.626 ms 2.601 ms
3 196.250.235.54 (196.250.235.54) 28.035 ms 27.996 ms 27.957 ms
4 154.66.247.117 (154.66.247.117) 32.582 ms 32.595 ms 32.503 ms
5 154.66.247.200 (154.66.247.200) 46.466 ms 154.66.247.223 (154.66.247.223) 40.697 ms 40.652 ms
6 cloudflare.ixp.joburg (196.60.8.198) 53.242 ms 54.336 ms 46.676 ms
7 197.234.240.21 (197.234.240.21) 41.103 ms cloudflare.ixp.joburg (196.60.8.198) 46.986 ms 197.234.240.21 (197.234.240.21) 42.027 ms
8 172.65.32.248 (172.65.32.248) 45.789 ms 45.771 ms 40.173 ms

We are checking something offline. Thanks for all the great info. Will let you know.

@erasmus While we wait, there are a couple of other things to check.

What do these show?

curl https://acme-v02.api.letsencrypt.org/directory
echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

And can you describe how you installed Certbot (pip, apt, snap, ...) and show its version from

sudo certbot --version
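As an added example (not posted in this thread), here is a small Python probe that runs the same chain of checks the replies above ask for by hand: resolve the ACME host, open the TCP connection, complete the TLS handshake, then fetch /directory. It reports the first stage that fails, so a handshake the peer closes with EOF (what certbot's SSLZeroReturnError means) is kept apart from a DNS or routing failure, and it applies the RFC 1918 check from the traceroute reply to the resolved address. The stage names and the ACME_HOST constant are my choices; only the production hostname comes from the thread.

```python
# Added example, not from the thread: walk DNS -> TCP -> TLS -> GET /directory
# and report the first stage that fails. certbot's SSLZeroReturnError means TCP
# succeeded but the peer closed the connection mid-handshake (a far-side block),
# which is a different failure from a refused or timed-out TCP connect.
import ipaddress
import socket
import ssl

ACME_HOST = "acme-v02.api.letsencrypt.org"   # production ACME endpoint from the thread


def is_private(ip: str) -> bool:
    """RFC 1918 check for the routing concern raised above: 172.16.0.0/12 is
    private, but Let's Encrypt's 172.65.x.x edge addresses are not."""
    return ipaddress.ip_address(ip).is_private


def classify(exc: BaseException) -> str:
    """Map an exception raised during probe() to the stage it indicates."""
    if isinstance(exc, (ssl.SSLZeroReturnError, ssl.SSLEOFError)):
        return "tls_eof"   # TCP worked; peer closed mid-handshake (e.g. edge block)
    if isinstance(exc, ssl.SSLError):
        return "tls"       # handshake failed for another reason (cert, protocol)
    if isinstance(exc, socket.gaierror):
        return "dns"       # name did not resolve
    if isinstance(exc, OSError):
        return "tcp"       # refused, timed out, or no route: routing/firewall
    return "other"


def probe(host: str = ACME_HOST, port: int = 443, timeout: float = 5.0) -> dict:
    """Walk the stages in order; the result records how far the connection got."""
    result = {"host": host, "port": port, "ok": False}
    try:
        ip = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)[0][4][0]
        result.update(ip=ip, rfc1918=is_private(ip))
        sock = socket.create_connection((ip, port), timeout=timeout)
        result["tcp"] = True
        ctx = ssl.create_default_context()
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            result["tls"] = tls.version()
            req = f"GET /directory HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode())
            result["http"] = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
        result["ok"] = result["http"].startswith("HTTP/1.1 200")
    except Exception as exc:  # classify whatever stage raised
        result.update(failed_stage=classify(exc), detail=repr(exc))
    return result


if __name__ == "__main__":
    print(probe())
```

On the affected server in this thread, the expected result would be tcp=True with failed_stage="tls_eof", matching a TCP path that reaches 172.65.32.248 (as the traceroute did) while the TLS handshake is cut off.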

Your IP was blocked because of previously being part of DDoS traffic. I've unblocked it now.

Looks like that was it; now I can curl just fine. Thank you kindly.