0

When I am using this command to generate a certificate on CentOS 7.6:

```
acme.sh --issue --dns dns_cf  -d poemhub.top -d *.poemhub.top -k ec-256
```

shows this error:

```
[Sun Jul 11 23:09:28 CST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jul 11 23:09:29 CST 2021] Multi domain='DNS:poemhub.top,DNS:*.poemhub.top'
[Sun Jul 11 23:09:29 CST 2021] Getting domain auth token for each domain
[Sun Jul 11 23:09:30 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Could not get nonce, let's try again.
[Sun Jul 11 23:09:34 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:35 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:35 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:35 CST 2021] Could not get nonce, let's try again.
[Sun Jul 11 23:09:39 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:39 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:39 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:39 CST 2021] Could not get nonce, let's try again.
[Sun Jul 11 23:09:44 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:44 CST 2021] Create new order error. Le_OrderFinalize not found.
[Sun Jul 11 23:09:44 CST 2021] Please add '--debug' or '--log' to check more details.
[Sun Jul 11 23:09:44 CST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
```

Where is it going wrong and what should I do to fix it? I have tried to upgrade to the newest version of acme.sh:

```
[root@izbp19pke6x0v6ruecuy1yz poemhub.top_ecc]# acme.sh --upgrade
[Sun Jul 11 23:09:19 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:21 CST 2021] Already uptodate!
[Sun Jul 11 23:09:21 CST 2021] Upgrade success!
```

Artem S. Tashkinov
Dolphin

2 Answers

2

Your curl doesn't support SSL/TLS properly.

> CURLE_SSL_CONNECT_ERROR (35)
>
> A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others.

> Where is it going wrong and what should I do to fix it?

CentOS 7.6 is a very old version of this distro, unsupported as well, and most likely contains outdated implementations of the openssl/gnutls libraries, curl and the CA storage. You need to upgrade in order to fix the issue.

Please upgrade to CentOS 7.9 or RHEL 7.9 which has been free for personal use for quite some time now.

Artem S. Tashkinov
  • Judging from your questions you now have half a dozen problems due to the same root cause. – Artem S. Tashkinov Jul 11 '21 at 15:32
  • Changing the operating system is so hard because I have so many apps running on this operating system; changing it may take a huge amount of work. Artem S. Tashkinov – Dolphin Jul 11 '21 at 15:36
  • `sudo dnf update` should work for you seamlessly. Updates between minor versions of RHEL are quite safe and normally don't break anything. You could at the very least grab the latest version of `openssl`, `curl`, `gnutls`, `ca-certificates` and update them. – Artem S. Tashkinov Jul 11 '21 at 15:37
  • CentOS 7.6 is less than three years old, it isn't ancient. It seems strange that such a recent distro would have issues with something as well established as SSL. What makes you so sure that an upgrade would fix it and there isn't a misconfiguration in the OP's system? – terdon Jul 12 '21 at 08:36
  • It's quite hard to misconfigure curl/ca-certificates storage but possible. Maybe it's the issue but it sounds very unlikely because I see no reason to break CA certificates. – Artem S. Tashkinov Jul 12 '21 at 11:52
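
As an added example (not from this thread or from the acme.sh project), here is a small shell triage for the failure discussed above: it tallies the libcurl error codes in acme.sh output and reports which TLS library `curl` is linked against. The function names, the sample log and the `--live` switch are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline triage helpers for the acme.sh failure shown above.
# Function names, the sample log and the --live switch are constructed.

# stdin: acme.sh output. stdout: "<libcurl error code> <count>" per code seen.
curl_error_counts() {
    sed -n 's/.*libcurl-errors\.html for error code: \([0-9][0-9]*\).*/\1/p' |
        sort -n | uniq -c | awk '{print $2, $1}'
}

# stdin: `curl -V` output. stdout: the TLS library token, e.g. "OpenSSL/1.1.1k".
curl_tls_backend() {
    head -n 1 | tr ' ' '\n' |
        grep -E -i '^(OpenSSL|LibreSSL|BoringSSL|NSS|GnuTLS|wolfSSL|mbedTLS)/' |
        head -n 1
}

# Constructed log modelled on the output in the question (the code 28 line is
# invented to show that different failures are tallied separately).
sample_log() {
    cat <<'EOF'
[Sun Jul 11 23:09:29 CST 2021] Getting domain auth token for each domain
[Sun Jul 11 23:09:30 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
[Sun Jul 11 23:09:31 CST 2021] Could not get nonce, let's try again.
[Sun Jul 11 23:09:34 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Sun Jul 11 23:09:35 CST 2021] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 35
EOF
}

# Live check (needs network): print curl's TLS backend, then curl's own
# handshake messages for the CA endpoint taken from the log.
handshake_check() {
    curl -V | curl_tls_backend
    curl -sS -v -o /dev/null --max-time 20 "${1:-https://acme.zerossl.com/v2/DV90}" 2>&1 |
        grep -E '^\* '
}

if [ "${1:-}" = "--live" ]; then
    handshake_check "${2:-}"
else
    sample_log | curl_error_counts    # offline demo on the constructed log
fi
```

Run with `--live` on the affected host before and after updating the packages named in the comments above and compare the backend version and the `* ` handshake lines. A log in which every request fails with 35 and one in which only some do are different problems.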
0

Today I had the same problem on Debian 11 with all upgrades installed. It happened in different places randomly. I just retried again and again with short intervals. After 5 attempts or so I could get my certificates.

sekrett