Hello, we have a problem: our renewal isn't working. Maybe the IP is blocked? I have to manually activate a firewall policy for the connection from Let's Encrypt to our server. But in the client log I can see that, at least since yesterday, certbot has tried to renew automatically; without the firewall policy, only the direction from us to Let's Encrypt works, not the other way around.
Today the cert expires, so I activated the FW policy to renew, and I get the "unexpected eof" error.
Can you help me with that?
My domain is:
I ran this command:
sudo certbot renew
It produced this output:
Attempting to renew cert (vrnw-jira.de) from /etc/letsencrypt/renewal/vrnw-jira.de.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')"))). Skipping.
All renewal attempts failed. The following certs could not be renewed:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
This looks like Let's Encrypt's DoS blocking.
Is the IP sending the request recently acquired by you? If not, you should double-check that there isn't anything unkind running on the server, as generally blocks like this only happen if they're attacking Let's Encrypt's infrastructure.
@lestaff, can you look and see if this IP is being blocked?
@Simon89, you may need to post the IP that's trying to make the request.
Thanks for the fast reply.
The IP is: 22.214.171.124
While we wait for that, please show this file to better understand how you would be renewing:
# renew_before_expiry = 30 days
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/vrnw-jira.de
cert = /etc/letsencrypt/live/vrnw-jira.de/cert.pem
privkey = /etc/letsencrypt/live/vrnw-jira.de/privkey.pem
chain = /etc/letsencrypt/live/vrnw-jira.de/chain.pem
fullchain = /etc/letsencrypt/live/vrnw-jira.de/fullchain.pem
# Options used in the renewal process
installer = apache
account = (a 32-character string; I don't think it's a good idea to post it here)
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache
Well then you have more than one problem...
[after the IP issue is addressed]
It seems that your site is now blocking HTTP (TCP port 80):
See: Let's Debug (letsdebug.net)
Which will be required to validate the challenge requests via
Have you made any significant IP/firewall changes since the last renewal (on May 25th)?:
crt.sh | vrnw-jira.de
Once the IP problem has been cleared, please use the staging environment while you test.
HTTP 80 is okay: Let's Debug
I am sorry, but while there are no actions like renewing a cert, the inbound FW policy is deactivated; that's why your debug runs into that error. So maybe it's only the IP problem, and if @lestaff looks at it and unblocks it, it will work again?
We are not currently blocking that IP address, so further troubleshooting will be needed if you're still unable to reach the API.
Can you check 126.96.36.199? That's the Internet IP.
188.8.131.52 is how you reach vrnw-jira.de from outside our network.
That is also not blocked.
OK, so let's see what this shows us:
openssl s_client -connect acme-v02.api.letsencrypt.org:443
curl -I4 https://acme-v02.api.letsencrypt.org/directory
curl -I6 https://acme-v02.api.letsencrypt.org/directory
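The three probes above, wrapped into a script as an added example (this is not code from the thread or from Certbot). It runs the same openssl s_client and curl -I4/-I6 checks and, more usefully for a firewall change window or a cron job, classifies the s_client output so that "the connection was cut off mid-handshake" (the Unexpected EOF that certbot reported) is told apart from "TCP connect failed" and "TLS negotiated but the local CA store could not verify the chain". One pitfall it handles: s_client prints "Verify return code: 0 (ok)" even when no certificate was ever received, so the script checks for the failure markers before trusting that line. Assumptions: bash, openssl and curl are installed; the network probe only runs when ACME_PROBE=1 is set, so the classifier can be exercised offline on captured output.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: probe outbound reachability of the
# ACME v2 directory and classify the openssl s_client result.
# Assumptions: bash, openssl and curl present; the live probe runs only
# when ACME_PROBE=1, so classify_handshake can be tested on saved output.

ACME_HOST="acme-v02.api.letsencrypt.org"
ACME_DIR="https://${ACME_HOST}/directory"

# classify_handshake: reads openssl s_client output on stdin, prints one word.
#   refused        TCP connect failed (port filtered/closed, timeout, no route)
#   eof            TCP connected but the peer or a middlebox closed/reset the
#                  connection mid-handshake; no server certificate was received
#   ok             handshake completed and the chain verified
#   verify-failed  handshake completed but local verification failed (CA store)
#   unknown        none of the patterns matched; read the raw output
# Order matters: s_client prints "Verify return code: 0 (ok)" even when the
# handshake never produced a certificate, so failure markers are checked first.
classify_handshake() {
  local out
  out="$(cat)"
  if printf '%s\n' "$out" | grep -qiE 'connect:errno=|connection refused|timed out|no route to host'; then
    echo refused
  elif printf '%s\n' "$out" | grep -qiE 'unexpected eof|read:errno=0|handshake failure|no peer certificate available'; then
    echo eof
  elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
    echo verify-failed
  else
    echo unknown
  fi
}

# probe_acme: the TLS handshake check plus HEAD requests over IPv4 and IPv6.
# Prints one line per probe; exit status is 0 only if the handshake is ok.
probe_acme() {
  local verdict
  verdict="$(openssl s_client -connect "${ACME_HOST}:443" -servername "${ACME_HOST}" \
             </dev/null 2>&1 | classify_handshake)"
  echo "tls-handshake: ${verdict}"
  # -I sends HEAD; --max-time keeps a silently dropped SYN from hanging the job.
  # On success the first line is the HTTP status line, on failure curl's error.
  echo "ipv4: $(curl -sS -I4 --max-time 15 "$ACME_DIR" 2>&1 | head -n 1)"
  echo "ipv6: $(curl -sS -I6 --max-time 15 "$ACME_DIR" 2>&1 | head -n 1)"
  [ "$verdict" = ok ]
}

if [ "${ACME_PROBE:-0}" = 1 ]; then
  probe_acme
fi
```

Run it as `ACME_PROBE=1 ./acme-probe.sh` from the host that certbot runs on, first with the outbound firewall policy off and then with it on; a result of `eof` with the policy off and `ok` with it on confirms that the policy, not a block on Let's Encrypt's side, is what the renewal depends on. Remember that the inbound side (TCP port 80 for the HTTP-01 challenge used by the apache authenticator) is a separate check that this script does not cover.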