Hello, we got a problem, that our renew isnt working. Maybe the ip is blocked? i have to manually activate a firewall policy, for the connection from letsencrypt to our server. But in the client log i can see, that minimum since yesterday the certbot tried to renew automatically, but without the firewall policy only from us to letsencrypt ist working and not the other way.
Today the cert runs out and i activated the fw policy to renew and i get the "unexpected eof" error.
Can you help me with that?
My domain is:
vrnw-jira.de

I ran this command:
sudo certbot renew

It produced this output:
Attempting to renew cert (vrnw-jira.de) from /etc/letsencrypt/renewal/vrnw-jira.de.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')"))). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/vrnw-jira.de/fullchain.pem (failure)

My web server is (include version):
apache/2.4.41

The operating system my web server runs on is (include version):
ubuntu 20.04.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
0.40.0

This looks like Let's Encrypt's DoS blocking.

Is the IP sending the request recently acquired by you? If not, you should double-check that there isn't anything unkind running on the server, as generally blocks like this only happen if they're attacking Let's Encrypt's infrastructure.

@lestaff, can you look and see if this IP is being blocked?

@Simon89, you may need to post the IP that's trying to make the request.

Thanks for the fast reply.
The IP is: 78.94.10.226

While we wait for that, please show this file to better understand how you would be renewing:

renew_before_expiry = 30 days

version = 0.40.0
archive_dir = /etc/letsencrypt/archive/vrnw-jira.de
cert = /etc/letsencrypt/live/vrnw-jira.de/cert.pem
privkey = /etc/letsencrypt/live/vrnw-jira.de/privkey.pem
chain = /etc/letsencrypt/live/vrnw-jira.de/chain.pem
fullchain = /etc/letsencrypt/live/vrnw-jira.de/fullchain.pem

Options used in the renewal process

[renewalparams]
installer = apache
account = its a 32 character long string, i think thats not good to write it down here
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = apache

Well then you have more than one problem...
[after the IP issue is addressed]
It seems that your site is now blocking HTTP (TCP port 80):
See: Let's Debug (letsdebug.net)
Which will be required to validate the challenge requests via --apache.
Have you made any significant IP/firewall changes since the last renewal (on May 25th)?:
crt.sh | vrnw-jira.de

Once the IP problem has been cleared, please use the staging environment while you test.

Hello rg305,
HTTP 80 is okay Let's Debug
i am sorry, but while there are no actions like renew a cert, the inbound fw policy is deactivated, thats why your debug runs into that error. So maybe its only the IP problem and if @lestaff was looking for it and unblock it, it will work again?

We are not currently blocking that IP address, so further troubleshooting will be needed if you're still unable to reach the API.

Hello @JamesLE,
can you check 78.94.10.225, that's the Internet IP.
78.94.10.226 is how you reach vrnw-jira.de from outsight our Network.

That is also not blocked.

OK, so let's see what this shows us:
openssl s_client -connect acme-v02.api.letsencrypt.org:443
curl -I4 https://acme-v02.api.letsencrypt.org/directory
curl -I6 https://acme-v02.api.letsencrypt.org/directory

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.