处理LetsEncrypt证书签发错误acme-v02.api.letsencrypt.org timeout

余歌者
2023-12-01

现象

LetsEncrypt证书过期后,使用certbot签发证书报错:

[root@my-aliyun-server bin]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

从服务器ping acme-v02.api.letsencrypt.org 是通的

[root@my-aliyun-server bin]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=48 time=178 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=48 time=178 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=48 time=178 ms

从服务器curl https地址,访问非常不稳定,SSL连接经常失败,偶尔成功。
从其它服务器curl是可以正常访问的。

[root@my-aliyun-server bin]# curl -v https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none

解决方案

证书签发出问题的服务器在阿里云北京,从阿里云北京等其它服务器可以正常访问 https://acme-v02.api.letsencrypt.org,推测有关部门阻断了这台服务器IP和特定境外IP的通信。
于是更换服务器的公网IP地址,问题解决。

参考资料
https://community.letsencrypt.org/t/httpsconnectionpool-host-acme-v02-api-letsencrypt-org-port-443-read-timed-out/115221

 类似资料: