Timeout for new certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mydkms.dkms.de

I ran this command: sudo certbot certonly --dry-run --standalone -d mydkms.dkms.de --non-interactive --agree-tos --email ith@dkms.de --http-01-port=8888 --preferred-challenges=http -v

It produced this output:

My web server is (include version): An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f87ee4c2940>, 'Connection to acme-staging-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[root@frasrhap01 ~]# ^C
[root@frasrhap01 ~]# cat /var/log/letsencrypt/letsencrypt.log
2022-01-12 08:19:14,286:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2022-01-12 08:19:14,536:DEBUG:certbot._internal.main:certbot version: 1.22.0
2022-01-12 08:19:14,537:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1670/bin/certbot
2022-01-12 08:19:14,537:DEBUG:certbot._internal.main:Arguments: ['--dry-run', '--standalone', '-d', 'mydkms.dkms.de', '--non-interactive', '--agree-tos', '--email', 'ith@dkms.de', '--http-01-port=8888', '--preferred-challenges=http', '-v', '--preconfigured-renewal']
2022-01-12 08:19:14,537:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-01-12 08:19:14,555:DEBUG:certbot._internal.log:Root logging level set at 20
2022-01-12 08:19:14,556:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2022-01-12 08:19:14,558:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: Authenticator, Plugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f87ee4d1af0>
Prep: True
2022-01-12 08:19:14,558:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f87ee4d1af0> and installer None
2022-01-12 08:19:14,558:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2022-01-12 08:19:14,563:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-staging-v02.api.letsencrypt.org/acme/acct/18124766', new_authzr_uri=None, terms_of_service=None), 8d2a55af113563ba652c3d6adaf21a0f, Meta(creation_dt=datetime.datetime(2021, 2, 16, 15, 45, 4, tzinfo=), creation_host='frasrhap01', register_to_eff=None))>
2022-01-12 08:19:14,563:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2022-01-12 08:19:14,564:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2022-01-12 08:19:59,568:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/connection.py", line 174, in _new_conn
conn = connection.create_connection(
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/util/connection.py", line 96, in create_connection
raise err
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/util/connection.py", line 86, in create_connection
sock.connect(sa)
socket.timeout: timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/connection.py", line 358, in connect
conn = self._new_conn()
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/connection.py", line 179, in _new_conn
raise ConnectTimeoutError(
urllib3.exceptions.ConnectTimeoutError: (<urllib3.connection.HTTPSConnection object at 0x7f87ee4c2940>, 'Connection to acme-staging-v02.api.letsencrypt.org timed out. (connect timeout=45)')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f87ee4c2940>, 'Connection to acme-staging-v02.api.letsencrypt.org timed out. (connect timeout=45)'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/snap/certbot/1670/bin/certbot", line 8, in
sys.exit(main())
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/main.py", line 1632, in main
return config.func(config, plugins)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/main.py", line 1473, in certonly
le_client = _init_le_client(config, auth, installer)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/main.py", line 793, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/client.py", line 294, in init
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/certbot/_internal/client.py", line 59, in acme_from_config_key
client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/acme/client.py", line 875, in init
directory = messages.Directory.from_json(net.get(server).json())
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/acme/client.py", line 1236, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/acme/client.py", line 1174, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/var/lib/snapd/snap/certbot/1670/lib/python3.8/site-packages/requests/adapters.py", line 504, in send
raise ConnectTimeout(e, request=request)
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f87ee4c2940>, 'Connection to acme-staging-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
2022-01-12 08:19:59,570:ERROR:certbot._internal.log:An unexpected error occurred:
2022-01-12 08:19:59,570:ERROR:certbot._internal.log:requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f87ee4c2940>, 'Connection to acme-staging-v02.api.letsencrypt.org timed out. (connect timeout=45)'))

The operating system my web server runs on is (include version): Centos 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.22.0

1 Like

Welcome to the community @Srudel

Your system could not connect to the Let's Encrypt test server. That is unusual as I can see your server and that it is using a wildcard cert from Sectigo which expires next month. Do you have a firewall that is blocking outbound connections?

Can you show the results of these commands:

curl -I https://acme-staging-v02.api.letsencrypt.org/directory
curl -4 https://ifconfig.co
curl -6 https://ifconfig.co

Also, if you still need a wildcard cert you will need to use the DNS challenge method. You are testing the standalone method and an http challenge which cannot get a wildcard cert.

2 Likes

curl -I https://acme-staging-v02.api.letsencrypt.org/directory
HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0

HTTP/2 200
server: nginx
date: Wed, 12 Jan 2022 15:38:57 GMT
content-type: application/json
content-length: 822
cache-control: public, max-age=0, no-cache
replay-nonce: 0002hRuDyNY71wzrU1fA_GWLS8QWgMnEALYqpaJFW8B86C4
x-frame-options: DENY
strict-transport-security: max-age=604800

curl -4 https://ifconfig.co
217.110.157.4

curl -6 https://ifconfig.co
217.110.157.4

In this attempt, I want to make the standalone cert for only one page. The wildcard is created differently.

2 Likes

Ok, thanks. Can you re-try Certbot? The Curl test was able to see the Let's Encrypt test server. Maybe it was just a temp error?

2 Likes

Already tried. Unfortunately, the error still persists and runs into a timeout.

1 Like

I just noticed Fortinet is a proxy for your outbound Curl. Can you try this:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org | head

2 Likes

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org | head

140555049858880:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
140555049858880:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:

2 Likes

I do not have any further suggestions. Maybe another volunteer will know something.

What is clear is your system cannot consistently make outbound connections. I do not understand why Curl worked but we have seen Certbot (python/urllib3) fail and now openssl fails.

It seems to be a network config problem in your server or Fortinet firewall.

3 Likes
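The curl output above shows an explicit HTTP proxy (the "Connection established" reply carrying a Proxy-Agent header, and `curl -6` returning an IPv4 address), while openssl and Certbot tried to connect directly and timed out. The script below is an added example, not Certbot's code or anything posted in the thread: it parses `curl -I` output for a proxy hop, checks whether the current process has a proxy configured, and attempts the same direct TCP connect that openssl made; the suggestion that `sudo`'s env_reset strips proxy variables is my inference, not something the posters stated, and the CURL_HEAD sample is a constructed copy of the output above.

```python
"""Proxy-path check for the ACME directory (added example, not Certbot's code)."""
import socket
from typing import Dict, List
from urllib.request import getproxies  # reads http_proxy/https_proxy from the environment

ACME_HOST = "acme-staging-v02.api.letsencrypt.org"

# Constructed copy (abridged) of the `curl -I` output posted in the thread.
CURL_HEAD = """HTTP/1.1 200 Connection established
Proxy-Agent: Fortinet-Proxy/1.0

HTTP/2 200
server: nginx
content-type: application/json
"""


def parse_hops(curl_head: str) -> List[Dict[str, str]]:
    """One dict per response block: 'status' plus lower-cased headers.
    Two blocks mean the first one is a proxy's reply to CONNECT."""
    hops = []
    for block in curl_head.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if not lines:
            continue
        hop = {"status": lines[0].strip()}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            hop[name.strip().lower()] = value.strip()
        hops.append(hop)
    return hops


def proxy_agent(curl_head: str) -> str:
    """Proxy-Agent of an explicit HTTP proxy, or '' if curl connected directly."""
    hops = parse_hops(curl_head)
    if len(hops) > 1 and "connection established" in hops[0]["status"].lower():
        return hops[0].get("proxy-agent", "unknown proxy")
    return ""


def direct_connect(host: str = ACME_HOST, port: int = 443, timeout: float = 5.0) -> bool:
    """Plain TCP connect without a proxy: what openssl s_client attempted above."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(agent: str, env_proxy: str, direct_ok: bool) -> str:
    if agent and not env_proxy and not direct_ok:
        return ("curl reached the CA through %s, but this process has no https_proxy and "
                "cannot connect directly; sudo's env_reset drops proxy variables unless "
                "they are listed in env_keep, so certbot takes a direct path the firewall blocks" % agent)
    if not direct_ok and not env_proxy:
        return "no proxy configured and direct connection blocked: outbound 443 is filtered"
    return "outbound path to the CA looks usable"


if __name__ == "__main__":
    print(diagnose(proxy_agent(CURL_HEAD), getproxies().get("https", ""), direct_connect()))
```

Run it with the same `sudo` prefix used for certbot so it sees the same environment certbot does.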

I've got the same problem. Seems to be HTTP not properly redirecting to HTTPS …

Without https:

wget acme-v02.api.letsencrypt.org
--2022-01-12 19:35:44-- http://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:80... connected.
HTTP request sent, awaiting response... Read error (Connection reset by peer) in headers.
Retrying.

With https:

wget https://acme-v02.api.letsencrypt.org
--2022-01-12 19:39:41-- https://acme-v02.api.letsencrypt.org/
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK

1 Like

Not the same. Those endpoints only support HTTPS. They will fail with HTTP as designed.

2 Likes

I agree.
Check with the Proxy/Firewall staff.
Their logs should show more on why this is failing.

3 Likes