• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Intermittent cURL error 6 citing Let's Encrypt / Mozilla ciphers, server restart does not resolve

P

pleskuser67553

Basic Pleskian
Hello all,

I'm experiencing intermittent cURL errors, almost exclusively when Let's Encrypt tries to auto-renew a domain. This is one daily example by email:

Code: 
Could not obtain directory: cURL error 6: Could not resolve host: acme-v02.api.letsencrypt.org; Unknown error (see https://curl.haxx.se/libcurl/c/libcurl-errors.html)

In Plesk UI when attempting to manually renew in SSL It! I saw a cURL error 6 about TLS versions and ciphers by Mozilla, too.

No amount of server restarts, as suggested in this support article, will cure it.

Instead, I must either wait for the auto-renew to work one day, sometimes it just does, or I can go into SSL It! and manually renew, but, like just now, it fails with cURL error 6 before it renews normally.

I note that cURL on my system is not up to date:

Code: 
# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

Latest stable version is 7.75.0, released on 3rd of February 2021. Does Plesk update cURL or must I do it manually?

Plesk Obsidian, Version 18.0.33, on CentOS Linux 7.9 with SSL It! v1.7.7. I have several servers with the same setup and it appears to only happen on one. cURL is at v7.29 on all of them.

Thanks in advance for any help you can give.
 
Does your server can resolve host "acme-v02.api.letsencrypt.org"?
Please to check it using "nslookup acme-v02.api.letsencrypt.org" or "ping acme-v02.api.letsencrypt.org".
 
@vovchinnikov Good point, thanks.

This is weird, ping works but nslookup doesn't, or sort of doesn't...

Code: 
[root@server1 ~]# nslookup acme-v02.api.letsencrypt.org
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:         ::1
Address:        ::1#53

** server can't find acme-v02.api.letsencrypt.org.example.com: SERVFAIL

[root@server1 ~]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=59 time=4.95 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=59 time=5.64 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=3 ttl=59 time=6.26 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=4 ttl=59 time=5.48 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 4569ms
rtt min/avg/max/mdev = 4.955/5.585/6.265/0.476 ms
[root@server1 ~]# nslookup acme-v02.api.letsencrypt.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org    canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org        canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

[root@server1 ~]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=59 time=4.90 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=59 time=5.27 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 4.906/5.088/5.271/0.195 ms

In this output I've substituted my Plesk server domain with 'example.com'.

Here's another of my servers with what I believe is the same config.

Code: 
[root@server2 ~]# nslookup acme-v02.api.letsencrypt.org
Server:         212.227.123.16
Address:        212.227.123.16#53

Non-authoritative answer:
acme-v02.api.letsencrypt.org    canonical name = prod.api.letsencrypt.org.
prod.api.letsencrypt.org        canonical name = ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 172.65.32.248
Name:   ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com
Address: 2606:4700:60:0:f53d:5624:85c7:3a2c

[root@server2 ~]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=59 time=6.39 ms
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=2 ttl=59 time=6.09 ms
^C
--- ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 6.095/6.247/6.399/0.152 ms
 
You must log in or register to reply here.

Similar threads

tkalfaoglu
Issue Watchdog Error: The Wdcollect service is not responding.
Replies
7
Views
2K
tkalfaoglu
tkalfaoglu
BrinsleyP
Resolved How to upgrade cURL in CentOS 7.4
Replies
5
Views
12K
IgorG
IgorG
J
Resolved Protocol https not supported or disabled in libcurl
Replies
3
Views
17K
Jan Bludau
Jan Bludau
Back
Top