Please unblock my IP Address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
praten.tplinkdns.com

I ran this command:
certbot certonly \
--manual \
--preferred-challenges=dns \
--server https://acme-v02.api.letsencrypt.org/directory --agree-tos \
-d "praten.tplinkdns.com"

It produced this output:
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))

My web server is (include version):

The operating system my web server runs on is (include version):
Apple iMac M1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.7.2

That's not the error message for a blocked IP address.

Your system is not validating the Let's Encrypt ACME API's certificate properly. This may be due to outdated Python packages (e.g. requests) or perhaps an outdated OpenSSL. Or someone is doing a Man-in-the-Middle attack on the API and providing a fake certificate, hard to tell.

You could check what happens when you try openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org, assuming this is available on a Mac.

4 Likes

It seems like your macOS is a bit outdated.
If it can be updated, that would be my first choice.
If not, you could try obtaining a cert from another free CA.

2 Likes

Can you connect to anything outbound using HTTPS?

Do either of these work?

curl -I https://www.cloudflare.com
curl -I https://www.google.com
3 Likes

Yes, I can connect to other https destinations.

The macOS was recently updated to Sonoma 14.1. The system is up to date. I also did the brew update to bring all applications in line with the OS upgrade.

I think OpenSSL is fine. I am running version 1.1.1w. The check returned:

depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = acme-v02.api.letsencrypt.org
issuer=C = US, O = Let's Encrypt, CN = R3

OpenSSL will continue even with warnings/errors. You can see the same warning:

So your Mac doesn't have the ISRG Root X1 certificate in its root store. It's included since macOS >= 10.12.1. What version are you running on your Apple iMac M1?

3 Likes
1 Like

I have downloaded the ISRG Root X1 certificate and added it to the keychain. Certbot still returns the SSL error. I downloaded the Cross signed certs for X1 and X2. Are these the right ones to download?

What about OpenSSL?

No, you want the self-signed certificates, as they're root certificates.

2 Likes

OpenSSL appears to be fine. All applications using OpenSSL seem to be working fine too, except certbot of course.
I downloaded the root self-signed certs and imported them into the keychain. But the result is the same when I run certbot.

Using the online tool Let's Debug yields these results https://letsdebug.net/praten.tplinkdns.com/1658572

And using this online tool Open Port Check Tool - Test Port Forwarding on Your Router shows:

I find from my location with nmap

$ nmap -Pn -p80,443 praten.tplinkdns.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-11-01 16:51 UTC
Nmap scan report for praten.tplinkdns.com (82.26.204.145)
Host is up.
rDNS record for 82.26.204.145: cpc89010-gill18-2-0-cust3216.20-1.cable.virginm.net

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.52 seconds

There seem to be no open ports for the FQDN praten.tplinkdns.com

1 Like

It appeared fine previously too, but it did have the warning present. How is that now?

Which version of the Python packages certifi and requests are used?

4 Likes
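The two checks suggested in this thread (reading the `openssl s_client` verify output, and finding out which `certifi`/`requests` bundle Python actually verifies against) can be scripted. The following is an added example, not code from the thread or from Certbot: it parses `s_client` output of the shape posted above, maps the `verify error:num=NN` code to the chain position and the issuer that the trust store could not find, and reports the CA paths this Python interpreter uses. The sample input is the output posted earlier in the thread; the `bundle_labels` helper assumes the `# Label: "..."` comment header that certifi's `cacert.pem` places before each certificate. The point it illustrates is that `requests` (and therefore Certbot) verifies against the certifi bundle, not the macOS keychain, so a root added to the keychain is not seen by Certbot.

```python
"""Diagnose 'unable to get local issuer certificate' from openssl s_client output.

Added example; not part of the original thread or of Certbot.
"""
import re
import ssl
import sys

# Meaning of the common X509 verify error codes printed as "verify error:num=NN:...".
VERIFY_ERRORS = {
    2: "issuer certificate not found in trust store",
    7: "certificate signature failure",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (root not trusted)",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

DEPTH_RE = re.compile(r"^depth=(\d+)\s")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
CHAIN_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
CHAIN_ISSUER_RE = re.compile(r"^\s*i:(.*)$")

# Sample input: the s_client output posted in the thread (PEM body omitted).
SAMPLE = """\
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
subject=CN = acme-v02.api.letsencrypt.org
issuer=C = US, O = Let's Encrypt, CN = R3
"""


def parse_s_client(output):
    """Return {'errors': [(num, text, depth)], 'chain': [(subject, issuer)]}."""
    depth = None
    errors = []
    chain = []
    in_chain = False
    for raw in output.splitlines():
        line = raw.rstrip()
        if line == "Certificate chain":
            in_chain = True
            continue
        if in_chain:
            m = CHAIN_SUBJECT_RE.match(line)
            if m:
                chain.append([m.group(2).strip(), None])
                continue
            m = CHAIN_ISSUER_RE.match(line)
            if m and chain:
                chain[-1][1] = m.group(1).strip()
                continue
            if line.startswith("---"):
                in_chain = False  # end of the chain listing
            continue
        m = DEPTH_RE.match(line)
        if m:
            depth = int(m.group(1))  # errors that follow refer to this depth
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2).strip(), depth))
    return {"errors": errors, "chain": [tuple(c) for c in chain]}


def diagnose(parsed):
    """Turn the parsed verify errors into a one-line finding."""
    errors, chain = parsed["errors"], parsed["chain"]
    if not errors:
        return "chain verified: the trust store contains the issuing root"
    num, text, depth = errors[0]
    meaning = VERIFY_ERRORS.get(num, text)
    if num in (2, 20) and depth is not None and depth < len(chain):
        missing = chain[depth][1]
        return f"trust store is missing the CA that issued depth {depth}: {missing}"
    return f"verify error {num} at depth {depth}: {meaning}"


def bundle_labels(bundle_text):
    """Names from the '# Label: "..."' headers of a certifi-style bundle (assumed format)."""
    return re.findall(r'^# Label: "(.*)"$', bundle_text, re.M)


def trust_store_report():
    """Paths this interpreter verifies against; requests uses certifi, not the OS keychain."""
    paths = ssl.get_default_verify_paths()
    lines = [f"openssl cafile: {paths.cafile}", f"openssl capath: {paths.capath}"]
    try:
        import certifi
        lines.append(f"certifi bundle: {certifi.where()}")
    except ImportError:
        lines.append("certifi not installed")
    return lines


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print(diagnose(parse_s_client(text)))
    print("\n".join(trust_store_report()))
```

Pipe the real `openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org </dev/null` output into the script; if it names ISRG Root X1 as the missing CA, check with `bundle_labels(open(certifi.where()).read())` whether the certifi bundle Certbot uses contains that root, and upgrade `certifi` if it does not.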

The error message concerns an outbound call to Let's Encrypt. It has worked before with the current configuration. Or am I missing something? Do I need to open ports now that Let's Encrypt has moved their hosting?

2 Likes

Sorry; I guess I missed stating my post was only supplemental information.

2 Likes

Ok understood and thanks

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.