Unexpected error from certbot

My domain is: 2x4.dk

I ran this command: certbot certonly --webroot --webroot-path /var/www/2x4.dk/ -d 2x4.dk -d lists.2x4.dk

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn) 
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): nginx 1.10.3-1+deb9u2

The operating system my web server runs on is (include version): Debian Stretch 9.8

My hosting provider, if applicable, is: (It’s a VPS hosted by bytemark.co.uk)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0

The logfile shows (much the same as the output, but for completeness):

2019-03-08 13:40:21,752:DEBUG:certbot.main:certbot version: 0.28.0
2019-03-08 13:40:21,753:DEBUG:certbot.main:Arguments: ['--webroot', '--webroot-path', '/var/www/2x4.dk/', '-d', '2x4.dk', '-d', 'lists.2x4.dk']
2019-03-08 13:40:21,754:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-03-08 13:40:21,783:DEBUG:certbot.log:Root logging level set at 20
2019-03-08 13:40:21,784:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-03-08 13:40:21,785:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-03-08 13:40:21,786:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f205d332f60>
Prep: True
2019-03-08 13:40:21,787:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f205d332f60> and installer None
2019-03-08 13:40:21,787:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-03-08 13:40:21,792:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', terms_of_service_agreed=None, contact=('mailto:sslug@3001.dk',), only_return_existing=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f205abc8668>)>), status=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/42110329', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 9aeeb33bc0fec8b85c45b04617b543c0, Meta(creation_host='teresa.default.grove.uk0.bigv.io', creation_dt=datetime.datetime(2018, 9, 14, 14, 37, 6, tzinfo=<UTC>)))>
2019-03-08 13:40:21,795:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-03-08 13:40:21,802:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-03-08 13:41:06,878:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1209, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 611, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 248, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 763, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1097, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1046, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert internal error')],)",)
2019-03-08 13:41:06,882:ERROR:certbot.log:An unexpected error occurred:

I have a certificate from Let’s Encrypt for this domain, and have used certbot from the server to get that. Now that I need to create a new cert for the domain (the old one was made with --manual, so I suppose certbot renew wouldn’t work), certbot doesn’t work anymore. The version of certbot is the one that is available in backports for Debian Stretch.
I normally run with very tight firewall rules on the server, also limiting outgoing traffic. To allow certbot to work I had previously defined:

23.36.209.29 acme-v01.api.letsencrypt.org
2a02:26f0:137:187::3a8e acme-v01.api.letsencrypt.org
23.36.209.29 acme-v02.api.letsencrypt.org
2a02:26f0:137:187::3a8e acme-v02.api.letsencrypt.org

in my /etc/hosts, and allowed traffic to tcp ports 80 and 443 on those IPs. As the log also mentions https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf, I added

104.82.195.94 letsencrypt.org
2a02:26f0:a00:286::ce0 letsencrypt.org
2a02:26f0:a00:285::ce0 letsencrypt.org

and added those IPs to the firewall rules; that didn’t change anything. I also tried allowing traffic to tcp port 443 anywhere; that didn’t change anything either.

I had a typo in the firewall rules for IPv6 for tcp port 443 (there was an error in a single digit in the IPv6 address of my own server). When I fixed that, certbot started working.

I wonder why this worked the last time I needed to issue LE certs.
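A check for the failure the post ends with, added here as an example (it is not from the post, nor certbot's own code): it parses ip6tables-save style output and flags egress rules whose source address is not actually configured on the host, reporting for single-host rules how many hex digits the rule's address is from the nearest configured one. The rule lines, the local addresses and the prefix 2001:db8::/32 are all constructed sample data.

```python
import ipaddress
import re

# Constructed sample of `ip6tables-save` output. The third rule carries a
# single-digit typo in the host's own source address (the failure described
# in the post); the fourth references a subnet the host is not in at all.
SAMPLE_IP6TABLES_SAVE = """\
*filter
:OUTPUT DROP [0:0]
-A OUTPUT -s 2001:db8:1::10 -d 2a02:26f0:137:187::3a8e -p tcp --dport 80 -j ACCEPT
-A OUTPUT -s 2001:db8:1::10 -d 2a02:26f0:137:187::3a8e -p tcp --dport 443 -j ACCEPT
-A OUTPUT -s 2001:db8:1::19 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -s 2001:db8:2::/64 -p tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the IPv6 addresses really configured on the host's interfaces.
LOCAL_ADDRESSES = ["2001:db8:1::10", "fe80::1"]

# Matches "-A <chain> ... -s <address-or-network>" in ip6tables-save lines.
RULE_SRC = re.compile(r"^-A (\S+) .*?-s (\S+)")


def hex_digit_diff(a, b):
    """Number of differing characters between two fully expanded IPv6 addresses."""
    return sum(x != y for x, y in zip(a.exploded, b.exploded))


def find_stale_sources(ip6tables_save, local_addresses):
    """Return (chain, source, hint) for every rule whose -s address or network
    contains none of the host's configured IPv6 addresses."""
    local = [a for a in map(ipaddress.ip_address, local_addresses) if a.version == 6]
    findings = []
    for line in ip6tables_save.splitlines():
        m = RULE_SRC.match(line)
        if not m:
            continue
        chain, src = m.groups()
        net = ipaddress.ip_network(src, strict=False)
        if any(addr in net for addr in local):
            continue
        hint = ""
        if net.prefixlen == net.max_prefixlen and local:
            # Single-host rule: show the closest configured address and the
            # distance in hex digits, which is what a one-character typo looks like.
            target = net.network_address
            close = min(local, key=lambda a: hex_digit_diff(a, target))
            hint = f"{hex_digit_diff(close, target)} hex digit(s) from {close}"
        findings.append((chain, src, hint))
    return findings
```

Run it against real `ip6tables-save` output and the addresses from `ip -6 addr` on the host; any single-host finding with a distance of 1 is almost certainly a typo like the one in the post.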

