Error setting up SSL

While trying to set up SSL via the WebUI, I get the below error.

RAN: /usr/bin/certbot certonly --authenticator standalone --pre-hook systemctl stop apache2 --post-hook systemctl start apache2 --preferred-challenges http --agree-tos --non-interactive --domain ***** -m *****


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/contrib/”, line 417, in wrap_socket
File “/usr/lib/python3/dist-packages/OpenSSL/”, line 1426, in do_handshake
self._raise_ssl_error(self._ssl, result)
File “/usr/lib/python3/dist-packages/OpenSSL/”, line 1166, in _raise_ssl_error
raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (104, ‘ECONNRESET’)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-pac… (1425 more, please see e.stderr)

For SSL I use a reverse proxy service, installed in my opnsense router.

It’s very easy to manage and the letsencrypt service keeps my certs valid.

I highly recommend it.

Any additional help here? I am using the AWS web appliance and would like to use a purchased third part certificate, not a self-signed one.

If you could submit the log files via the “Report problem” link on the bottom?

Since you are on AWS, you could put CloudFront in front of it? The Let’s encrypt certificate should definitely be sufficient, but your instance needs to be reachable form the Let’s encrypt servers on port 80 + 443…

At the moment, we do not allow 80 and 443 out so that would be the cause of this error I believe. The third party cert we would like to bind already has it’s chain trusted by our devices. We also would like the domain it is in to match our corporate .com vanity URL. Is there a way to manually bind a cert to the web instance while keeping that change across updates when using the AMI? I agree that couldfront is an option but one we are not set up to take advantage of at the moment.

Ok, will look into adding that. I guess you have a .pem file and a .key file and they’d both need to be uploaded to the appliance + the domain configured…

Correct. If you can add that, it would be super helpful. In the meantime I will try to get a let’s encrypt cert on there.