Unable to generate certificate on new vps

I believe my newly purchased VPS may have its IP blacklisted, as I've read about on this forum while researching my issue. It is also possible that I have made an error somewhere and am unaware, nevertheless...

My domain is:
panel.l3e.org IP:135.148.33.112

I ran this command:
sudo certbot certonly --nginx -d panel.l3e.org

It produced this output:

An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1640, in _raise_ssl_error
    raise SysCallError(-1, "Unexpected EOF")
OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 366, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

My web server is (include version):
nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04

My hosting provider, if applicable, is:
OVH US

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

1 Like

Hi @quantum001 and welcome to the LE community forum :slight_smile:

I'm not so sure your IP is the problem.
I'm thinking you might have installed certbot via pip (or there is some other reason why) - urllib3 is failing.

Try:
wget --delete-after https://acme-v02.api.letsencrypt.org/directory
curl -I https://acme-v02.api.letsencrypt.org/directory

If either works, then it's not your IP.
If both work, it's definitely something in the python packaging...

The quickest possible fix may be to switch from --nginx (authentication) to using --webroot.
The second might be uninstalling certbot 0.40.0 and installing the snap version of certbot.
Another more random solution would be to switch ACME client (to like: acme.sh).

Let us know if you have any trouble along whichever way you choose to go.

3 Likes
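As an added example (not code from the thread or from certbot), the same check rg305 suggests, done in stages with only the Python standard library: it separates "TCP connects but the TLS handshake gets an EOF" (the pattern in the wget/curl output later in this thread) from DNS, firewall, certificate and local HTTP-client problems. The verdict wording is mine; the only host name assumed is the ACME directory host already quoted in the traceback.

```python
import socket
import ssl
import urllib.request

ACME_HOST = "acme-v02.api.letsencrypt.org"
ACME_DIRECTORY = f"https://{ACME_HOST}/directory"

def check_tls(host=ACME_HOST, port=443, timeout=10):
    """TCP connect + TLS handshake; returns (stage, detail), stage in ok/dns/tcp/eof/tls."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.version()
    except socket.gaierror as e:     # DNS failure; must precede OSError, its parent
        return "dns", str(e)
    except ssl.SSLEOFError as e:     # peer closed mid-handshake; must precede SSLError
        return "eof", str(e)
    except ssl.SSLError as e:        # certificate or protocol problem
        return "tls", str(e)
    except OSError as e:             # refused, timed out, unreachable
        return "tcp", str(e)

def check_directory(url=ACME_DIRECTORY, timeout=10):
    """Fetch the ACME directory over HTTPS; returns (stage, detail)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.status
    except Exception as e:
        return "http", str(e)

CAUSES = {  # verdict text is my own wording, keyed on the failing stage
    "dns": "name resolution failed: check the resolver before anything else",
    "tcp": "no TCP connection to port 443: local firewall or routing problem",
    "eof": "TCP connects but the TLS handshake is cut off: the far end or an edge in "
           "front of it is dropping this source IP; ask the provider/CA to check it",
    "tls": "TLS handshake rejected: check the system CA store and the clock",
    "http": "TLS is fine but the directory fetch fails: suspect the local HTTP client",
}

def verdict(tls_stage, http_stage):
    if tls_stage != "ok":
        return CAUSES[tls_stage]
    if http_stage != "ok":
        return CAUSES["http"]
    return "directory reachable: the ACME endpoint is not the problem"

if __name__ == "__main__":
    tls_stage, tls_detail = check_tls()
    http_stage, http_detail = check_directory() if tls_stage == "ok" else ("skipped", "")
    print(f"tls: {tls_stage} {tls_detail}\nhttp: {http_stage} {http_detail}", verdict(tls_stage, http_stage), sep="\n")
```

Because it never imports urllib3 or pyOpenSSL, an "eof" result here means the block is on the network path, exactly the case where the fix is on the CA's or provider's side rather than in the certbot install.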

@rg305 Hello, thank you for your response.

I installed certbot via aptitude. I have just tried both commands and I believe they are both failing. Here is their output:

wget --delete-after https://acme-v02.api.letsencrypt.org/directory
--2021-10-17 04:01:58--  https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443... connected.
Unable to establish SSL connection.

curl -I https://acme-v02.api.letsencrypt.org/directory
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

Should I now try changing the install method for certbot?

1 Like

@rg305 I have now uninstalled certbot through aptitude and installed the snap package and it would appear as though I am receiving a similar error. The command I ran was

sudo certbot certonly --nginx -d panel.l3e.org

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1131)')))
1 Like

Well... maybe you were right about your IP being blocked after all.
@lestaff please check the IP:

4 Likes

His domain goes right to a log-in page. I don't think certbot is able to reach any challenge directory.
Fatal: All checks of /.well-known/acme-challenge/random-filename have a redirect, destination doesn't have the random filename.

5 Likes

That may be a secondary problem.
https://acme-v02.api.letsencrypt.org/directory can't be reached.

2 Likes

That was it. Sorry about the trouble - we've now unblocked that IP address.

8 Likes

@JamesLE @rg305 @JimPas thank you all for your help with my issue! I was able to successfully generate my certificate this morning. I really appreciate everyone's assistance in this matter.

5 Likes
