Unable to renew or create certificate

Hi,
It seems my IP address 194.51.125.129 has been blocked. I can't renew or create a certificate.

certbot --nginx -d carto.mairie-saintmartinduriage.fr

produces this error:

Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): xxx@yyy.zz
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(9, '[X509] PEM lib (_ssl.c:4262)')))
Please see the logfiles in /var/log/letsencrypt for more details.

and the log file contents:

vmsig@vmsig:~$ tail /var/log/letsencrypt/letsencrypt.log
tail: impossible d'ouvrir '/var/log/letsencrypt/letsencrypt.log' en lecture: Permission non accordée
vmsig@vmsig:~$ sudo tail /var/log/letsencrypt/letsencrypt.log
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(9, '[X509] PEM lib (_ssl.c:4262)')))
2022-05-31 23:59:21,117:ERROR:certbot._internal.log:An unexpected error occurred:
2022-05-31 23:59:21,118:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(9, '[X509] PEM lib (_ssl.c:4262)')))
vmsig@vmsig:~$

TIA for your help

Jean-Marie

I am not totally sure that SSLError 9 is indicative of a blocked IP. What does curl report?

curl -vvv https://acme-v02.api.letsencrypt.org/directory
4 Likes

Blocked IPs will usually have errors like

205.210.31.138 - - [19/Apr/2022 12:56:29] code 400, message Bad HTTP/0.9 request type ('\x16\x03\x01\x00\xca\x01\x00\x00\xc6\x03\x035A\xd3\xcb\xf4\xf7\xf6?\x16I\x14"\xc5?mK%\xf1\xd0\xd6\xca\xf6pa\x1bF\x08\xefH\x8c\xb6\x17\x00\x00h\xcc\x14\xcc\x13\xc0/\xc0+\xc00\xc0,\xc0\x11\xc0\x07\xc0'\xc0#\xc0\x13\xc0')

From the machine having problems, @jmarsac can do:

curl -I https://acme-v02.api.letsencrypt.org/directory

Also

traceroute -I acme-v02.api.letsencrypt.org

A blocked IP will show something like:

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to acme-v02.api.letsencrypt.org:443

and via traceroute we'll see it get to ISRG's servers then just stop.

@jmarsac How is Certbot installed? What are the versions of Certbot and Python?

4 Likes

vmsig@vmsig:~$ curl -vvv https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
* Closing connection 0
curl: (77) error setting certificate verify locations: CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
vmsig@vmsig:~$ ls /etc/ssl/certs/ca-certificates.crt
/etc/ssl/certs/ca-certificates.crt
vmsig@vmsig:~$
vmsig@vmsig:~$ sudo curl -I https://acme-v02.api.letsencrypt.org/directory
curl: (77) error setting certificate verify locations:  CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
vmsig@vmsig:~$
vmsig@vmsig:~$ sudo traceroute -I acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
 1  192.168.20.254 (192.168.20.254)  0.505 ms  0.488 ms  0.482 ms
 2  194.51.125.142 (194.51.125.142)  0.376 ms  0.399 ms  0.401 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  172.65.32.248 (172.65.32.248)  7.078 ms  6.980 ms  7.058 ms
vmsig@vmsig:~$

certbot 1.12.0-2 installed from the Debian 11 (bullseye) repositories

vmsig@vmsig:~$ python --version
-bash: python : commande introuvable
vmsig@vmsig:~$ python3 --version
Python 3.9.2
vmsig@vmsig:~$ python2 --version
-bash: python2 : commande introuvable
vmsig@vmsig:~$ python2.7 --version
Python 2.7.18
vmsig@vmsig:~$
1 Like

Something/someone deleted or corrupted your CA certificate store. You can try to recreate it.

apt-get -y reinstall ca-certificates
update-ca-certificates --fresh
5 Likes

Thank you _az.
I already tried these commands without success, but I found the issue: an empty record existed in ca-certificates.crt

----- BEGIN CERTIFICATE -----

----- END CERTIFICATE -----

I removed these lines and the curl issue was solved.

But I get a new error when creating a certificate:

vmsig@vmsig:~$ sudo certbot --nginx -d carto.mairie-saintmartinduriage.fr
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for carto.mairie-saintmartinduriage.fr
Performing the following challenges:
http-01 challenge for carto.mairie-saintmartinduriage.fr
Waiting for verification...
Challenge failed for domain carto.mairie-saintmartinduriage.fr
http-01 challenge for carto.mairie-saintmartinduriage.fr
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: carto.mairie-saintmartinduriage.fr
   Type:   connection
   Detail: 194.51.125.129: Fetching
   http://carto.mairie-saintmartinduriage.fr/.well-known/acme-challenge/of6OP6E5iA2_MLadNdxDhJJ2Fvev0phkKNGENpSTyEw:
   Server is speaking HTTP/2 over HTTP

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

IP address routing seems to be OK:

jma@ns98:~$ sudo traceroute --tcp carto.mairie-saintmartinduriage.fr
traceroute to carto.mairie-saintmartinduriage.fr (194.51.125.129), 30 hops max, 60 byte packets
 1  pdc1-2-m2.fr.eu (213.251.156.222)  0.462 ms  0.426 ms  0.475 ms
 2  10.72.17.67 (10.72.17.67)  0.704 ms  0.720 ms  0.861 ms
 3  10.73.48.24 (10.73.48.24)  0.204 ms 10.73.48.22 (10.73.48.22)  0.199 ms 10.73.48.24 (10.73.48.24)  0.166 ms
 4  10.73.48.1 (10.73.48.1)  0.961 ms  0.931 ms  1.018 ms
 5  be104.par-th2-sbb1-nc5.fr.eu (91.121.215.132)  1.094 ms be104.par-gsw-sbb1-nc5.fr.eu (91.121.131.208)  1.170 ms  1.108 ms
 6  10.200.2.85 (10.200.2.85)  0.655 ms 10.200.2.69 (10.200.2.69)  1.108 ms 10.200.2.73 (10.200.2.73)  1.035 ms
 7  * 54.36.50.217 (54.36.50.217)  1.355 ms  1.324 ms
 8  193.251.132.76 (193.251.132.76)  0.900 ms 193.251.242.100 (193.251.242.100)  1.197 ms ae0-0.nilyo202.rbci.orange.net (81.253.184.101)  7.984 ms
 9  * 193.251.129.110 (193.251.129.110)  1.036 ms  0.977 ms
10  ae0-0.nilyo202.rbci.orange.net (81.253.184.101)  7.915 ms * *
11  ae43-0.nclyo202.rbci.orange.net (193.252.101.150)  6.790 ms 81.253.183.6 (81.253.183.6)  6.625 ms ae43-0.nclyo202.rbci.orange.net (193.252.101.150)  6.693 ms
12  * * *
13  81.253.183.6 (81.253.183.6)  6.536 ms *  6.618 ms
14  213.56.184.4 (213.56.184.4)  8.923 ms * *
15  * * *
16  serveur.malet-roquefort.com (194.51.125.129)  9.492 ms  9.047 ms 213.56.184.4 (213.56.184.4)  8.949 ms
jma@ns98:~$ sudo traceroute --icmp carto.mairie-saintmartinduriage.fr
traceroute to carto.mairie-saintmartinduriage.fr (194.51.125.129), 30 hops max, 60 byte packets
 1  pdc1-2-m2.fr.eu (213.251.156.222)  0.381 ms  0.462 ms  0.502 ms
 2  10.72.17.67 (10.72.17.67)  0.705 ms  0.829 ms  0.950 ms
 3  10.73.48.22 (10.73.48.22)  0.213 ms  0.237 ms  0.229 ms
 4  10.73.48.1 (10.73.48.1)  1.133 ms  1.124 ms  1.112 ms
 5  be104.par-th2-sbb1-nc5.fr.eu (91.121.215.132)  1.176 ms  1.181 ms  1.221 ms
 6  10.200.2.73 (10.200.2.73)  69.947 ms  69.773 ms  69.858 ms
 7  * * *
 8  ae0-0.nilyo202.rbci.orange.net (81.253.184.101)  7.969 ms  7.959 ms  7.952 ms
 9  ae43-0.nclyo202.rbci.orange.net (193.252.101.150)  6.472 ms  6.464 ms  6.456 ms
10  lag-1.nmlyo206.rbci.orange.net (193.253.85.217)  6.296 ms  6.291 ms  6.439 ms
11  81.253.183.6 (81.253.183.6)  6.411 ms  6.380 ms  6.357 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
jma@ns98:~$

1 Like
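The empty BEGIN/END pair above is enough for OpenSSL's PEM loader to reject the whole bundle, which is why both curl and certbot failed with a PEM lib error while the file itself was present. The script below is added here as an example and is not code from this thread or from certbot; SAMPLE_BUNDLE is a constructed input, and the check only verifies that each block decodes to DER starting with an ASN.1 SEQUENCE, not that it is a trusted certificate.

```python
"""Check a PEM bundle (e.g. /etc/ssl/certs/ca-certificates.crt) for blocks that make
OpenSSL's PEM loader fail. Added example, not code from the thread or from certbot."""
import base64
import re
import sys

# Header regexes tolerate the spaced "----- BEGIN CERTIFICATE -----" form shown above.
BEGIN = re.compile(r"^-+\s*BEGIN CERTIFICATE\s*-+$")
END = re.compile(r"^-+\s*END CERTIFICATE\s*-+$")


def check_pem_bundle(text):
    """Return [(line_no, problem), ...] for every defective block, 1-based lines."""
    problems, body, start = [], [], None
    for num, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if BEGIN.match(s):
            start, body = num, []
        elif END.match(s) and start is None:
            problems.append((num, "END without BEGIN"))
        elif END.match(s):
            raw = "".join(body)
            try:
                der = base64.b64decode(raw, validate=True)
            except ValueError:
                der = None
            if not raw:
                problems.append((start, "empty certificate block"))
            elif der is None:
                problems.append((start, "body is not valid base64"))
            elif not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE
                problems.append((start, "body is not a DER SEQUENCE"))
            start = None
        elif start is not None and s:
            body.append(s)
    if start is not None:
        problems.append((start, "BEGIN without END"))
    return problems


# Constructed sample: a minimal DER SEQUENCE (not a real certificate), then the empty block.
SAMPLE_BUNDLE = ("-----BEGIN CERTIFICATE-----\n"
                 + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
                 + "\n-----END CERTIFICATE-----\n"
                 "----- BEGIN CERTIFICATE -----\n\n----- END CERTIFICATE -----\n")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/ca-certificates.crt"
    with open(path) as f:
        for line_no, problem in check_pem_bundle(f.read()):
            print(f"{path}:{line_no}: {problem}")
```

Run it against the bundle path to list the offending blocks with their line numbers; on a healthy bundle it prints nothing.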

Review the server config for domain "carto.mairie-saintmartinduriage.fr".

See:

5 Likes

I had a useless "listen 80 http2;" statement in another server config file which caused this issue.

It's solved now :)

Thanks a lot to all for your help!

4 Likes
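The `listen 80 http2;` line can live in any server block, because nginx applies the http2 flag to the whole port 80 socket, so every site on that port stops answering plain HTTP/1.1 and Let's Encrypt sees "Server is speaking HTTP/2 over HTTP". The lint below is added as an example (not nginx's, certbot's or the poster's code); it scans config text only, does not follow include directives, and SAMPLE_CONF is a constructed input.

```python
"""Lint nginx config text for 'listen' directives that enable HTTP/2 on a plaintext
socket, the misconfiguration behind "Server is speaking HTTP/2 over HTTP".
Added example, not nginx's, certbot's or the thread's own code."""
import re

# One listen directive per match; [ \t]* (not \s*) keeps the match on its own line,
# and commented-out lines are skipped because '#' cannot precede 'listen'.
LISTEN = re.compile(r"^[ \t]*listen[ \t]+([^;#]+);", re.MULTILINE)


def find_plaintext_http2(config_text):
    """Return [(line_no, directive)] for each listen that has http2 but no ssl."""
    hits = []
    for m in LISTEN.finditer(config_text):
        params = m.group(1).split()
        if "http2" in params and "ssl" not in params:
            line_no = config_text.count("\n", 0, m.start()) + 1
            hits.append((line_no, "listen " + " ".join(params) + ";"))
    return hits


def strip_plaintext_http2(config_text):
    """Return the config with the http2 flag removed from plaintext listens only."""
    def fix(m):
        params = m.group(1).split()
        if "http2" in params and "ssl" not in params:
            params.remove("http2")
            # keep the original indentation and the 'listen ' keyword
            return m.group(0)[: m.start(1) - m.start()] + " ".join(params) + ";"
        return m.group(0)
    return LISTEN.sub(fix, config_text)


# Constructed sample: the offending directive sits in a server block for another
# site, as in the thread; the TLS listen with ssl http2 is fine and must be kept.
SAMPLE_CONF = """\
server {
    listen 80 http2;
    server_name other.example;
}
server {
    listen 443 ssl http2;
    listen 80;
    # listen 80 http2;  (commented out, must not be reported)
    server_name carto.mairie-saintmartinduriage.fr;
}
"""
```

Running find_plaintext_http2 over the concatenated contents of /etc/nginx/nginx.conf and the files under sites-enabled gives the same result as grepping each file, but with the ssl case filtered out.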
