Acme_tiny : Error getting directory:

Hi All,

When I try to renew my certificate using acme_tiny python script, I have exactly the same problem as the one described in this thread :
Unfortunatly, I didn't find any clear solution in the post.

Before I give you all the details, you have to know that

  • The script is automatically called by cron table
  • The last correct renewal is dated 25/09/2021
  • before that date, It had been working perfectly for many weeks without any problem. .
  • As far as I know, no change at all (no update, nothing) has been done on the server around this date
  • I am a developper and not a server admin so sometimes, I can get confused with that task. Please be indulgent :slight_smile:

I ran this command: call acme_tiny python script
note : I tried also with the last version of the script found here with the same result

It produced this output:

Parsing account key...
Parsing CSR...
Found domains:
Getting directory...
Traceback (most recent call last):
  File "/etc/letsencrypt/", line 199, in <module>
  File "/etc/letsencrypt/", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER,, disable_check=args.disable_check, directory_url=args.directory_url,, check_port=args.check_port)
  File "/etc/letsencrypt/", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/etc/letsencrypt/", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.
unable to load certificate
140613104866960:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Note : when I try to see what I can find at the adress, I get a json file containing :

  "keyChange": "",
  "meta": {
    "caaIdentities": [
    "termsOfService": "",
    "website": ""
  "newAccount": "",
  "newNonce": "",
  "newOrder": "",
  "revokeCert": "",
  "xJuwsI2zqiE": ""

My web server is (include version):
Server version: Apache/2.4.10 (Debian)

on a Debian machine.

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, command line only

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am not using certbot

Thanks in advance for your support



Hi @pich and welcome to the LE community forum :slight_smile:

Please show:
openssl version
curl --version
yum list | grep urllib


OpenSSL 1.0.1k 8 Jan 2015
no curl and no yum installed.


How do you keep your system updated?

I see... You don't!


Probably using apt or something similar for Debian systems :wink:


OK, then how about:
apt list | grep urllib


Although I guess OP doesn't really update indeed, as there is no apache2 package version 2.4.10 currently packaged for any Debian version, everything is more recent... Same goes for OpenSSL.


I know that my system is far to be up to date (shame), and I know that it might be the problem.
But why was it working a few weeks ago ? Did something change on letsencrypt side at that date ?

Anyway, below are informartion concerning urllib

python-urllib3/oldoldstable 1.9.1-3+deb8u1 all [upgradable from: 1.9.1-3]
python-urllib3-whl/oldoldstable 1.9.1-3+deb8u1 all
python3-urllib3/oldoldstable 1.9.1-3+deb8u1 all

Thanks again for your help and support :slight_smile:


Yes, after Sept30 the Let's Encrypt servers changed to using a cert chain ending in ISRG Root X1. The prior chain ended in DST Root CA X3 but it expired that day. There have been numerous posts about this. Your system needs the ISRG root cert to validate that chain. The ISRG root is over 5 years old so most systems have it but yours probably does not.

You likely need to update your CA certificate store. Some older python libs had their own store (IIRC) but I do not know those well.

You can check your system store by showing us results of this:

grep -E 'ISRG Root|DST Root|Daddy' /etc/ssl/certs/ca-certificates.crt

You should see at least some output. If not let us know that too. Thanks


OK, thanks all for the explanation.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.