Unable to generate certificates for new domain


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cbenson.co.uk

I ran this command: certbot --nginx -d cbenson.co.uk -d www.cbenson.co.uk

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cbenson.co.uk
http-01 challenge for www.cbenson.co.uk
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 387, in _make_request
six.raise_from(e, None)
File "", line 3, in raise_from
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 383, in _make_request
httplib_response = conn.getresponse()
File "/usr/lib/python3.6/http/client.py", line 1331, in getresponse
response.begin()
File "/usr/lib/python3.6/http/client.py", line 297, in begin
version, status, reason = self._read_status()
File "/usr/lib/python3.6/http/client.py", line 258, in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
File "/usr/lib/python3.6/socket.py", line 586, in readinto
return self._sock.recv_into(b)
File "/usr/lib/python3.6/ssl.py", line 1012, in recv_into
return self.read(nbytes, buffer)
File "/usr/lib/python3.6/ssl.py", line 874, in read
return self._sslobj.read(len, buffer)
File "/usr/lib/python3.6/ssl.py", line 631, in read
v = self._sslobj.read(len, buffer)
socket.timeout: The read operation timed out

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 357, in increment
raise six.reraise(type(error), error, _stacktrace)
File "/usr/lib/python3/dist-packages/six.py", line 693, in reraise
raise value
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 389, in _make_request
self._raise_timeout(err=e, url=url, timeout_value=read_timeout)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 309, in _raise_timeout
raise ReadTimeoutError(self, url, "Read timed out. (read timeout=%s)" % timeout_value)
urllib3.exceptions.ReadTimeoutError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

During handling of the above exception, another exception occurred:

requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): nginx 1.14.0

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi,

I am unable to create certificates for my website; can anyone offer any help, please? Let me know if any more information is required.

Thanks


#2
curl -4 -X GET -I -m 10 https://acme-v02.api.letsencrypt.org/directory
curl -6 -X GET -I -m 10 https://acme-v02.api.letsencrypt.org/directory

#3

curl -4 -X GET -I -m 10 https://acme-v02.api.letsencrypt.org/directory

HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 15 Jan 2019 09:06:11 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 15 Jan 2019 09:06:11 GMT
Connection: keep-alive

curl -6 -X GET -I -m 10 https://acme-v02.api.letsencrypt.org/directory

curl: (7) Couldn't connect to server


#4

Does the problem happen reliably/every time when using Certbot?

Does this time out?

head -c 35000 /dev/urandom | base64 | curl -d @- -i -X POST -m 10 -H 'Expect:' https://acme-v02.api.letsencrypt.org/acme/new-order

Does temporarily adding the following to /etc/hosts help?

104.70.60.61    acme-v02.api.letsencrypt.org

#5

Yes, the same thing happens every time I try it.

The command times out with the below message:
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received

I added that to the hosts file but still get the same timeout message when running certbot...

Thanks for your help, I’m out of ideas with this one.


#6

Well, at least that’s something. If you change the 35000 to 350 in the command, does it still time out?

Sounds to me like it might be an MTU issue but not sure yet.


#7

OK! If I change it to 350 I get:

HTTP/1.1 415 Unsupported Media Type
Server: nginx
Content-Type: application/problem+json
Content-Length: 168
Replay-Nonce: 3htw5-oUGhS3tub0EEilYUjDyyLoBkWQchevx1jA7VU
Expires: Tue, 15 Jan 2019 09:47:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 15 Jan 2019 09:47:30 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Invalid Content-Type header on POST. Content-Type must be \"application/jose+json\"",
  "status": 415
}

#8

Great (you can ignore the contents of the error).

This confirms that the problem is that the Let’s Encrypt API server times out when you send it a large payload, for example when updating challenges for your domains.

Usually when I see people with this issue, the /etc/hosts thing does help. I’m surprised it didn’t help you. Maybe try also with IP 104.99.241.117.

Apart from that, I would try lowering your server network interface’s MTU to something smaller. For example:

ifconfig eth0 mtu 1300

This is a “network problem” but I’m not sure about its exact nature.
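Applying the MTU change and checking that it actually took is worth doing in two steps, because `ifconfig` is deprecated on Ubuntu 18.04 and a mistyped value silently leaves the old MTU in place. The script below is an added example, not the thread's own commands: it sets the MTU with iproute2, reads it back from `/sys` (falling back to parsing `ip -o link`), and offers a don't-fragment ping sized to exactly fill a given MTU so you can see where the path stops passing full-size packets. The interface name, MTU value and target host are assumptions taken from the thread; the 28-byte overhead (20 IPv4 + 8 ICMP) applies to IPv4 pings only, IPv6 would be 48.

```shell
#!/bin/sh
# Added example (not from the thread): apply an interface MTU, verify it, and
# probe the path MTU toward the ACME host with DF-bit pings.

IFACE="${IFACE:-eth0}"                                   # assumption
MTU="${MTU:-1300}"                                       # value from the thread
HOST="${HOST:-acme-v02.api.letsencrypt.org}"             # host from the thread

# A ping that fills an MTU-sized IPv4 packet carries MTU - 28 bytes of payload
# (20-byte IPv4 header + 8-byte ICMP header).
icmp_payload_for_mtu() { echo $(( $1 - 28 )); }

# Inverse: the MTU implied by the largest DF ping payload that got through.
mtu_for_icmp_payload() { echo $(( $1 + 28 )); }

# mtu_from_ip_link_line: pull the mtu value out of one `ip -o link show` line
# such as "2: eth0: <BROADCAST,...> mtu 1500 qdisc fq_codel ...".
mtu_from_ip_link_line() { sed -n 's/.* mtu \([0-9][0-9]*\) .*/\1/p'; }

# current_mtu IFACE: prefer /sys, fall back to iproute2 output.
current_mtu() {
    if [ -r "/sys/class/net/$1/mtu" ]; then
        cat "/sys/class/net/$1/mtu"
    else
        ip -o link show dev "$1" | mtu_from_ip_link_line
    fi
}

# apply_mtu: set it (root required) and fail loudly if the readback differs.
apply_mtu() {
    ip link set dev "$IFACE" mtu "$MTU" || return 1
    [ "$(current_mtu "$IFACE")" = "$MTU" ]
}

# pmtu_ok MTU: does a don't-fragment ping sized to fill MTU reach HOST?
# "-M do" (Linux iputils) sets DF, so an oversized packet is dropped rather
# than fragmented, which mimics what happens to the ACME TLS segments.
pmtu_ok() {
    ping -c 1 -W 2 -M do -s "$(icmp_payload_for_mtu "$1")" "$HOST" >/dev/null 2>&1
}

# Usage: sh fix_mtu.sh apply   (nothing runs when the file is only sourced)
if [ "${1:-}" = "apply" ]; then
    for m in 1500 1400 1300; do
        if pmtu_ok "$m"; then echo "DF ping at MTU $m: ok"; else echo "DF ping at MTU $m: dropped"; fi
    done
    apply_mtu && echo "$IFACE now at MTU $(current_mtu "$IFACE")"
fi
```

`ip link set` does not survive a reboot. On Ubuntu 18.04 the persistent place for it is the interface's entry in the netplan YAML under `/etc/netplan/`, which accepts an `mtu:` key alongside the addresses; after editing, `netplan apply` and re-run `current_mtu` to confirm.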


#9

Brilliant, lowering the MTU to 1300 has resolved the issue!

Thanks!

