Acme_tiny : Error getting directory:

Hi All,

When I try to renew my certificate using the acme_tiny Python script, I have exactly the same problem as the one described in this thread: https://community.letsencrypt.org/t/directory-access-problem/161112
Unfortunately, I didn't find any clear solution in the post.

Before I give you all the details, you have to know that

  • The script is automatically called by cron table
  • The last correct renewal is dated 25/09/2021
  • Before that date, it had been working perfectly for many weeks without any problem.
  • As far as I know, no change at all (no update, nothing) has been done on the server around this date
  • I am a developer and not a server admin, so sometimes I can get confused with that task. Please be indulgent :slight_smile:

I ran this command: call acme_tiny python script
Note: I also tried with the latest version of the script found here https://github.com/diafygi/acme-tiny with the same result

It produced this output:

Parsing account key...
Parsing CSR...
Found domains: fmst.ecagroup.com
Getting directory...
Traceback (most recent call last):
  File "/etc/letsencrypt/acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "/etc/letsencrypt/acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "/etc/letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/etc/letsencrypt/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.
unable to load certificate
140613104866960:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

Note: when I try to see what I can find at the address https://acme-v02.api.letsencrypt.org/directory, I get a JSON file containing:

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "xJuwsI2zqiE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}

My web server is (include version):
Server version: Apache/2.4.10 (Debian)

on a Debian machine.

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, command line only

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am not using certbot

Thanks in advance for your support

Antoine

2 Likes

Hi @pich and welcome to the LE community forum :slight_smile:

Please show:
openssl version
curl --version
yum list | grep urllib

2 Likes

OpenSSL 1.0.1k 8 Jan 2015
no curl and no yum installed.

2 Likes

How do you keep your system updated?

OHHH!!!
I see... You don't!

2 Likes

Probably using apt or something similar for Debian systems :wink:

3 Likes

OK, then how about:
apt list | grep urllib

2 Likes

Although I guess OP doesn't really update indeed, as there is no apache2 package version 2.4.10 currently packaged for any Debian version, everything is more recent... Same goes for OpenSSL.

3 Likes

I know that my system is far from being up to date (shame), and I know that it might be the problem.
But why was it working a few weeks ago? Did something change on the letsencrypt side at that date?

Anyway, below is the information concerning urllib

python-urllib3/oldoldstable 1.9.1-3+deb8u1 all [upgradable from: 1.9.1-3]
python-urllib3-whl/oldoldstable 1.9.1-3+deb8u1 all
python3-urllib3/oldoldstable 1.9.1-3+deb8u1 all

Thanks again for your help and support :slight_smile:

3 Likes

Yes, after Sept 30 the Let's Encrypt servers changed to using a cert chain ending in ISRG Root X1. The prior chain ended in DST Root CA X3, but it expired that day. There have been numerous posts about this. Your system needs the ISRG root cert to validate that chain. The ISRG root is over 5 years old, so most systems have it, but yours probably does not.

You likely need to update your CA certificate store. Some older python libs had their own store (IIRC) but I do not know those well.

You can check your system store by showing us results of this:

grep -E 'ISRG Root|DST Root|Daddy' /etc/ssl/certs/ca-certificates.crt

You should see at least some output. If not let us know that too. Thanks

5 Likes
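An added offline check for the same question (example code, not from this thread or from acme-tiny), in Python because acme-tiny is Python and the box has no curl: it splits a concatenated PEM bundle such as /etc/ssl/certs/ca-certificates.crt into certificates and reports which expected roots, identified by SHA-256 fingerprint of the DER, are absent. The ISRG Root X1 fingerprint below is a placeholder; take the real value from Let's Encrypt's published root certificate page.

```python
"""Report which expected root CAs are missing from a PEM bundle (added example)."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Placeholder: replace with the published SHA-256 fingerprint of ISRG Root X1.
EXPECTED_ROOTS = {"ISRG Root X1": "REPLACE_WITH_PUBLISHED_SHA256_FINGERPRINT"}


def pem_bundle_to_ders(bundle_text):
    """Split a concatenated PEM bundle into DER byte strings, one per certificate."""
    ders = []
    for match in PEM_RE.finditer(bundle_text):
        body = "".join(match.group(1).split())  # drop the 64-column line breaks
        ders.append(base64.b64decode(body))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint (lowercase hex, no colons) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def missing_roots(bundle_text, wanted):
    """Return the names in `wanted` ({name: sha256 hex}) whose cert is not in the bundle."""
    present = {fingerprint(der) for der in pem_bundle_to_ders(bundle_text)}
    return sorted(name for name, fp in wanted.items()
                  if fp.lower().replace(":", "") not in present)


def _make_pem(der):
    """Wrap bytes as a PEM block with 64-column lines (constructed test data only)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed sample bundle: two fake "certificates" (not real DER), enough to
# exercise the splitting, base64 joining and fingerprint comparison.
SAMPLE_BUNDLE = _make_pem(b"constructed cert one") + _make_pem(b"constructed cert two " * 4)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs/ca-certificates.crt"
    with open(path) as f:
        missing = missing_roots(f.read(), EXPECTED_ROOTS)
    print("missing roots: %s" % (", ".join(missing) or "none"))
```

Run it with the bundle path as the argument; a listed root means the CA store needs updating before the ACME directory request can verify.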

OK, thanks all for the explanation.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.