My domain is: 2x4.dk
I ran this command: certbot certonly --webroot --webroot-path /var/www/2x4.dk/ -d 2x4.dk -d lists.2x4.dk
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
cnx.do_handshake()
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
During handling of the above exception, another exception occurred:
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
Please see the logfiles in /var/log/letsencrypt for more details.
My web server is (include version): nginx 1.10.3-1+deb9u2
The operating system my web server runs on is (include version): Debian Stretch 9.8
My hosting provider, if applicable, is: (It’s a VPS hosted by bytemark.co.uk)
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0
The logfile shows (much the same as the output, but for completeness):
2019-03-08 13:40:21,752:DEBUG:certbot.main:certbot version: 0.28.0
2019-03-08 13:40:21,753:DEBUG:certbot.main:Arguments: ['--webroot', '--webroot-path', '/var/www/2x4.dk/', '-d', '2x4.dk', '-d', 'lists.2x4.dk']
2019-03-08 13:40:21,754:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-08 13:40:21,783:DEBUG:certbot.log:Root logging level set at 20
2019-03-08 13:40:21,784:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-08 13:40:21,785:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-03-08 13:40:21,786:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f205d332f60>
Prep: True
2019-03-08 13:40:21,787:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f205d332f60> and installer None
2019-03-08 13:40:21,787:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-03-08 13:40:21,792:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', terms_of_service_agreed=None, contact=('mailto:sslug@3001.dk',), only_return_existing=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f205abc8668>)>), status=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/42110329', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 9aeeb33bc0fec8b85c45b04617b543c0, Meta(creation_host='teresa.default.grove.uk0.bigv.io', creation_dt=datetime.datetime(2018, 9, 14, 14, 37, 6, tzinfo=<UTC>)))>
2019-03-08 13:40:21,795:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-03-08 13:40:21,802:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-03-08 13:41:06,878:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
cnx.do_handshake()
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1209, in certonly
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 611, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 248, in __init__
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/usr/lib/python3/dist-packages/acme/client.py", line 763, in __init__
directory = messages.Directory.from_json(net.get(server).json())
File "/usr/lib/python3/dist-packages/acme/client.py", line 1097, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1046, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
2019-03-08 13:41:06,882:ERROR:certbot.log:An unexpected error occurred:
I have a certificate from Let’s Encrypt for this domain, and have used certbot from the server to get that. Now that I need to create a new cert for the domain (the old one was made with --manual, so I suppose certbot renew wouldn’t work), certbot doesn’t work anymore. The version of certbot is the one that is available in backports for Debian Stretch.
I normally run with very tight firewall rules on the server, also limiting outgoing traffic. To allow certbot to work I had previously defined:
23.36.209.29 acme-v01.api.letsencrypt.org
2a02:26f0:137:187::3a8e acme-v01.api.letsencrypt.org
23.36.209.29 acme-v02.api.letsencrypt.org
2a02:26f0:137:187::3a8e acme-v02.api.letsencrypt.org
in my /etc/hosts, and allowed traffic to tcp ports 80 and 443 on those ips. As the log also mentions https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf, I added
104.82.195.94 letsencrypt.org
2a02:26f0:a00:286::ce0 letsencrypt.org
2a02:26f0:a00:285::ce0 letsencrypt.org
and added those ips to the firewall rules; that didn’t change anything. I also tried allowing traffic to tcp port 443 anywhere; that didn’t change anything either.
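Because the post pins the ACME API hostnames to fixed addresses in /etc/hosts and then lets only those addresses through the firewall, a useful first check is whether the pins still agree with what DNS currently returns: a pin that has gone stale sends certbot's TLS handshake (with acme-v02.api.letsencrypt.org as SNI) to an address that may no longer serve that name, and the alert comes back from there, not from the ACME service. The script below is an added example; it is not part of the forum post, of Certbot or of Let's Encrypt. It assumes dig (from the dnsutils package) and openssl are installed, reads the hosts file and hostname it is given, and resolves against DNS directly rather than through getent so that /etc/hosts cannot mask its own stale entry.

```shell
#!/bin/sh
# Added example (not from the forum post or from Certbot): compare the
# addresses an /etc/hosts-style file pins for a hostname with what DNS
# currently returns, and probe a pinned address with the same SNI handshake
# certbot performs. Assumes dig (dnsutils) and openssl are installed.
set -eu

# pinned_addrs FILE HOSTNAME: print every address FILE pins for HOSTNAME,
# in file order, ignoring comments and entries for other names.
pinned_addrs() {
    awk -v h="$2" '
        { sub(/#.*/, "") }                       # strip comments, re-split fields
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == h) print $1 }
    ' "$1"
}

# stale_pins FILE HOSTNAME RESOLVED: print the pinned addresses that do not
# appear in RESOLVED, a whitespace- or newline-separated address list such
# as the output of dig +short.
stale_pins() {
    known=" $(printf '%s' "$3" | tr '\n' ' ') "
    pinned_addrs "$1" "$2" | while read -r addr; do
        case "$known" in
            *" $addr "*) ;;                      # still a live DNS answer
            *) printf '%s\n' "$addr" ;;          # pin no longer matches DNS
        esac
    done
}

# live_resolved HOSTNAME: current A and AAAA answers straight from DNS, so a
# stale /etc/hosts entry cannot hide itself (getent and ping would use it).
live_resolved() {
    dig +short A "$1"
    dig +short AAAA "$1"
}

# tls_probe ADDR HOSTNAME: open a TLS connection to ADDR while presenting
# HOSTNAME as SNI, as the client library does, and show any alert the peer
# sends back together with the certificate subject it offers.
tls_probe() {
    case "$1" in
        *:*) target="[$1]:443" ;;                # IPv6 literal needs brackets
        *)   target="$1:443" ;;
    esac
    openssl s_client -connect "$target" -servername "$2" </dev/null 2>&1 \
        | grep -E 'alert|subject=|Verify return code' || true
}

# Usage (file name is hypothetical): sh check_pins.sh --live [HOSTNAME]
# HOSTNAME defaults to the v2 ACME API endpoint the log shows certbot using.
if [ "${1:-}" = "--live" ]; then
    host=${2:-acme-v02.api.letsencrypt.org}
    resolved=$(live_resolved "$host")
    printf 'DNS currently returns for %s:\n%s\n' "$host" "$resolved"
    stale_pins /etc/hosts "$host" "$resolved" | while read -r addr; do
        printf '\npinned %s is no longer a DNS answer; handshake with SNI:\n' "$addr"
        tls_probe "$addr" "$host"
    done
fi
```

Run with --live on the server to list every pin that DNS no longer returns and to see directly what the pinned address answers to a handshake for that hostname; if the live answers differ from the pins, the /etc/hosts entries and the matching firewall rules have to be updated together, since allowing the old addresses alone keeps sending certbot to the wrong host.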