Unable to renew ... bad handshake? [solved]

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
I am contractually unable to disclose.

I ran this command:
sudo certbot-auto renew

It produced this output:
WARNING: unable to check for updates.
Saving debug log to /var/log/letsencrypt/letsencrypt.log


(successfully and properly checks domains and determines not up for renewal yet)


Processing /etc/letsencrypt/renewal/domain.org.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (domain.org) from /etc/letsencrypt/renewal/domain.org.conf produced an unexpected error: bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],). Skipping.

My web server is (include version):
Nginx 1.4.6
The operating system my web server runs on is (include version):
Ubuntu Linux 14.04.3
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

I have just checked the certbot version number: 0.18.2. I suspect that I need to update certbot.

Yes and no. Certbot 0.18.2 shouldn't have stopped working. The fact that certbot-auto hasn't automatically updated itself since last year is more of a symptom of whatever is wrong than the cause.

Do you have a firewall or something breaking outbound HTTPS connections?

Can you use curl or wget to access:

(It would be more accurate, but also more complicated, to check with the same Python that Certbot uses, but using another tool can still expose some issues.)

If you temporarily rename /opt/eff.org/certbot/, certbot-auto will try to reinstall itself. Does it succeed, or fail with the same or a different error? If you download a new copy of https://dl.eff.org/certbot-auto, does that work?

You could take this opportunity to move from certbot-auto to the Certbot PPA, but if nothing's working, that won't help.

Thanks @mnordhoff for the reply.

I strongly suspect that my port 53 is blocked - don’t ask, but everything points in that direction. I have added the Ubuntu repositories in /etc/hosts as a temporary fix. Let me try some of your suggestions … I have already tried adding the PPA, but that failed - see that topic.

Urgh... That's not good.

You can add things to /etc/hosts until Certbot works, but it can contact half a dozen hostnames, half of which use CDNs and have totally unstable IPs. It won't work for long.

Oops, I replied to that without noticing you posted it. :flushed:

accounting@ian:~$ curl https://acme-v01.api.letsencrypt.org
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Once I add pypi.org’s IP to /etc/hosts it works fine.

What is the hostname/IP that certbot-auto would attempt to connect to for the update? Perhaps adding that info to /etc/hosts is the temp fix I need.

I can't explain that. Maybe there's a proxy, or curl is broken, or the IP address in /etc/hosts has already changed and the old one no longer works.

Which type of update? For Let's Encrypt, currently mainly https://acme-v01.api.letsencrypt.org/ (or sometimes one of the staging endpoints, or (in newer versions, if you tell it to) sometimes the ACME v2 endpoint).

(And the certificates command will contact the OCSP server(s).)

For Certbot's own software updates, my other post lists most of them, but probably left out one or two. Maybe https://files.pythonhosted.org/. I can only suggest trying to monitor it.
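A check for the failure mode described in this thread, where addresses pinned in /etc/hosts for the CDN-fronted hostnames Certbot contacts drift away from what DNS currently returns. This is an added example, not code from the thread or from Certbot; the hostname list is assembled from the names mentioned above, and the sample hosts file and addresses in the test are constructed.

```python
import socket

# Hostnames this thread says certbot-auto / Certbot reach out to. Pinning any of
# them in /etc/hosts (the workaround used above) goes stale when the CDN rotates IPs.
CERTBOT_HOSTS = [
    "acme-v01.api.letsencrypt.org",
    "dl.eff.org",
    "pypi.org",
    "files.pythonhosted.org",
]

def parse_hosts(text):
    """Map each hostname in /etc/hosts-style text to the set of IPs pinned for it."""
    pinned = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pinned.setdefault(name.lower(), set()).add(ip)
    return pinned

def resolve_dns(name):
    """Live resolver: every IPv4/IPv6 address DNS currently returns for name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, 443)}
    except socket.gaierror:
        return set()  # DNS blocked (port 53) or unknown name: nothing to compare with

def find_stale_pins(hosts_text, names=CERTBOT_HOSTS, resolver=resolve_dns):
    """Return {name: (pinned_ips, live_ips)} for each pinned name whose pinned
    address is no longer among the addresses DNS returns for it."""
    pinned = parse_hosts(hosts_text)
    stale = {}
    for name in names:
        pins = pinned.get(name)
        if not pins:
            continue                        # not pinned, so nothing can go stale
        live = resolver(name)
        if live and not pins & live:        # unresolvable names are not judged
            stale[name] = (pins, live)
    return stale

if __name__ == "__main__":
    with open("/etc/hosts") as fh:
        for name, (pins, live) in find_stale_pins(fh.read()).items():
            print(f"{name}: pinned {sorted(pins)} but DNS now returns {sorted(live)}")
```

Running it on the box after each failed renewal shows whether the pinned address, rather than Certbot itself, is what broke.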

Well, I have added the ones you mentioned and things work MUCH better, but the update still fails as githubusercontent.com uses a CNAME record which causes certbot update to fail.

Thanks again for the help! Hopefully my tech can be reached before this cert expires and he will have a much better clue than this pencil pusher does! :slight_smile:

Ok @mnordhoff I have managed to successfully issue the renewal certificate. Thanks for your help!!!
