Hello,
Can anyone help me with the following error when connecting from my AWS instance to Let's Encrypt to obtain an SSL certificate for my test domain? I can assure you that the firewall is not blocking me, but somehow I am unable to reach Let's Encrypt. When I test google.com, I receive a positive response and can connect to my internal network, but I cannot connect to all sites. I have opened port 443 to IP address 0.0.0.0/0
I ran this command:
```
sudo certbot certonly --manual --dry-run --staging --preferred-challenges=dns -d (My domain name)
```
It produced this output:
```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
```
My web server is (include version): Nginx/1.26.3
The operating system my web server runs on is (include version): AWS
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0
Kind regards, P.
That is an unusual error. Would you show the outputs of these?
curl -I4 -m5 https://acme-v02.api.letsencrypt.org/directory
curl -I6 -m5 https://acme-v02.api.letsencrypt.org/directory
curl https://cloudflare.com/cdn-cgi/trace
Many thanks for your quick response.
Here are the outputs:
```
sh-5.2$ curl -I4 -m5 https://acme-v02.api.letsencrypt.org/directory
curl: (28) Connection timed out after 5002 milliseconds
sh-5.2$ curl -I6 -m5 https://acme-v02.api.letsencrypt.org/directory
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443 after 3 ms: Couldn't connect to server
sh-5.2$ curl https://cloudflare.com/cdn-cgi/trace
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cloudflare.com:443
```
The response to the curl for cloudflare is unusual. The 5002ms timeout to acme is because -m5 limited the wait time. That is similar to what you saw with the read timeout in your first post.
Something looks wrong with your network config. When setting up your AWS VPC did you follow: AWS Route Table Configuration (link here)
What do these show?
sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
netstat -nr
curl -I https://google.com
curl -I https://aws.amazon.com
You didn't say exactly which O/S you are using, so you may need to install a package to get a traceroute that supports those options.
The AWS account setup was done by others. From my end, I cannot make any edits to the VPC.
```
sh-5.2$ sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1 * * *
 2 * * *
 3 * * *
 4 * * *
 5 * * *
 6 * * *
 7 * * *
 8 * * *
 9 * * *
10 * * *
11 * * *
12 172.65.32.248 (172.65.32.248) 4.061 ms 3.926 ms 3.913 ms
sh-5.2$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask          Flags MSS Window irtt Iface
0.0.0.0         10.110.142.129  0.0.0.0          UG      0 0         0 enX0
10.110.142.128  0.0.0.0         255.255.255.240  U       0 0         0 enX0
10.110.142.129  0.0.0.0         255.255.255.255  UH      0 0         0 enX0
10.110.142.130  0.0.0.0         255.255.255.255  UH      0 0         0 enX0
sh-5.2$ curl -I https://google.com
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-Mq9rvwwKWMrjhuv8XzFZ2A' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
date: Thu, 20 Mar 2025 15:36:36 GMT
expires: Sat, 19 Apr 2025 15:36:36 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
sh-5.2$ curl -I https://aws.amazon.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to aws.amazon.com:443
sh-5.2$ ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
126 packets transmitted, 0 received, 100% packet loss, time 129999ms
```
Same error you got connecting to cloudflare test endpoint earlier.
I don't know what more I can help with. This is not a problem unique to Let's Encrypt. Why you can reach google I have no idea. But, not being able to reach an AWS endpoint from an AWS based server is a problem.
You are best off consulting with server and / or networking specialists or forums for help.
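The replies above separate the problem by layer: ICMP is dropped (ping gets nothing back), a TCP SYN to port 443 is accepted (traceroute -T reaches 172.65.32.248), the TLS handshake dies on some hosts (curl 35, SSL_ERROR_SYSCALL) while google.com completes, and the ACME request itself ends in a read timeout. The script below is an added example, not Certbot's code and not something posted in the thread; it runs those same checks in one place and records which stage failed for each host over IPv4 and IPv6. The hostnames and the /directory path come from the thread; the timeouts, the failure labels and the loopback self-check are this script's own assumptions.

```python
"""Stage-by-stage egress probe: DNS -> TCP -> TLS -> HTTP, per address family.

Added example (not Certbot's code). Each probe stops at the first failing
stage and labels it, so output like the thread's can be read off directly:
"tcp timeout" is curl (28), "tcp refused" is curl (7), "tls tls-error" or
"tls timeout" is curl (35), and "http timeout" is certbot's ReadTimeout.
"""
import socket
import ssl

# Hosts the thread probes; cloudflare.com was the control endpoint (assumed list).
DEFAULT_HOSTS = (
    "acme-v02.api.letsencrypt.org",
    "acme-staging-v02.api.letsencrypt.org",
    "cloudflare.com",
    "google.com",
)


def classify(exc):
    """Map a socket/ssl exception to a short label. Every class below is an
    OSError subclass, so the more specific ones must be tested first."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"       # curl (28) / requests ReadTimeout
    if isinstance(exc, ConnectionRefusedError):
        return "refused"       # curl (7) Couldn't connect to server
    if isinstance(exc, ConnectionResetError):
        return "reset"         # RST mid-handshake, often a filtering device
    if isinstance(exc, ssl.SSLError):
        return "tls-error"     # curl (35) SSL_connect failure
    if isinstance(exc, socket.gaierror):
        return "dns"
    return "unreachable"       # ENETUNREACH / EHOSTUNREACH, i.e. no route


def probe(host, family=socket.AF_INET, port=443, path="/directory", timeout=5.0):
    """Walk DNS -> TCP -> TLS -> HTTP for one host and address family.
    Returns the last stage attempted plus an error label, or stage "done"
    with the HTTP status line when every stage succeeded."""
    result = {"host": host, "family": "v6" if family == socket.AF_INET6 else "v4",
              "stage": "dns", "error": None, "addr": None, "status": None}
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["error"] = classify(exc)
        return result
    addr = infos[0][4]
    result["addr"] = addr[0]
    conn = socket.socket(family, socket.SOCK_STREAM)
    conn.settimeout(timeout)           # applies to connect, handshake and reads
    try:
        result["stage"] = "tcp"
        conn.connect(addr)
        result["stage"] = "tls"
        ctx = ssl.create_default_context()
        # wrap_socket runs the handshake at once on a connected socket; an IP
        # literal as server_hostname just disables SNI (used by the self-check).
        conn = ctx.wrap_socket(conn, server_hostname=host)
        result["stage"] = "http"
        req = f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        conn.sendall(req.encode("ascii"))
        first_line = conn.recv(4096).split(b"\r\n", 1)[0]
        result["status"] = first_line.decode("ascii", errors="replace")
        result["stage"] = "done"
    except OSError as exc:             # ssl.SSLError is an OSError too
        result["error"] = classify(exc)
    finally:
        conn.close()
    return result


def self_check():
    """Offline demonstration on loopback with constructed endpoints, no
    network needed. A listener that never speaks TLS accepts the TCP
    connection (the kernel completes the 3-way handshake) but the handshake
    then stalls, the thread's cloudflare/aws pattern; a port nobody listens
    on is refused at the TCP stage."""
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    stalled = probe("127.0.0.1", port=silent.getsockname()[1], timeout=1.0)
    silent.close()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # now nothing listens on closed_port
    refused = probe("127.0.0.1", port=closed_port, timeout=1.0)
    return stalled, refused


def report(hosts=DEFAULT_HOSTS, timeout=5.0):
    """Probe every host over both families; returns the result rows."""
    return [probe(h, fam, timeout=timeout)
            for h in hosts for fam in (socket.AF_INET, socket.AF_INET6)]


if __name__ == "__main__":
    for r in report():
        print(f"{r['host']:40} {r['family']} {str(r['addr']):40} "
              f"{r['stage']:5} {r['error'] or r['status']}")
```

Run it on the instance and compare rows: a host that reaches "done" next to one stuck at "tls" on the same path rules out routing and the security group (the SYN was accepted) and points at whatever sits between the TCP connect and the ServerHello, which is the question a networking team would need answered.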
Spin up a new VM on the same AWS account and try curl against the Let's Encrypt API again. If that works, then it's either your VM's security group settings or your VM firewall (or other security tools) blocking outgoing traffic.