An unexpected error occurred: requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines


#1

I am having problem to generate the certifcate and I am getting this

**root@notificacion-server:~# certbot certonly --standalone -d printserverjq.com -d www.printserverjq.com
**
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): jqmicro@gmail.com
An unexpected error occurred:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 417, in wrap_socket
cnx.do_handshake()
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1426, in do_handshake
self._raise_ssl_error(self._ssl, result)
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1174, in _raise_ssl_error
_raise_current_error()
File “/usr/lib/python3/dist-packages/OpenSSL/_util.py”, line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 594, in urlopen
chunked=chunked)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 350, in _make_request
self._validate_conn(conn)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 837, in validate_conn
conn.connect()
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl
.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 424, in wrap_socket
raise ssl.SSLError(‘bad handshake: %r’ % e)
ssl.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 423, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)
Please see the logfiles in /var/log/letsencrypt for more details.

I did this command with curl

root@notificacion-server:~# curl -v https://acme-v01.api.letsencrypt.org/directory

  • Trying 104.107.50.145…
  • TCP_NODELAY set
  • Connected to acme-v01.api.letsencrypt.org (104.107.50.145) port 443 (#0)
  • ALPN, offering h2
  • ALPN, offering http/1.1
  • Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
  • successfully set certificate verify locations:
  • CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS alert, Server hello (2):
  • SSL certificate problem: certificate is not yet valid
  • Curl_http_done: called premature == 1
  • stopped the pause stream!
  • Closing connection 0
    curl: (60) SSL certificate problem: certificate is not yet valid
    More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

-----------------The log has this--------------------------------------

Blockquote

2018-01-06 21:40:25,287:DEBUG:certbot.main:certbot version: 0.28.0
2018-01-06 21:40:25,287:DEBUG:certbot.main:Arguments: [’–standalone’, ‘-d’, ‘printserverjq.com’, ‘-d’, ‘www.printserverjq.com’]
2018-01-06 21:40:25,288:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-01-06 21:40:25,296:DEBUG:certbot.log:Root logging level set at 20
2018-01-06 21:40:25,297:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-01-06 21:40:25,298:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-01-06 21:40:25,405:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f2fec9f4748>
Prep: True
2018-01-06 21:40:25,407:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f2fec9f4748> and installer None
2018-01-06 21:40:25,407:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-01-06 21:40:45,793:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-01-06 21:40:45,799:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-01-06 21:40:45,814:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 417, in wrap_socket
cnx.do_handshake()
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1426, in do_handshake
self._raise_ssl_error(self._ssl, result)
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1174, in _raise_ssl_error
_raise_current_error()
File “/usr/lib/python3/dist-packages/OpenSSL/_util.py”, line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 594, in urlopen
chunked=chunked)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 350, in _make_request
self._validate_conn(conn)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 837, in validate_conn
conn.connect()
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl
.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 424, in wrap_socket
raise ssl.SSLError(‘bad handshake: %r’ % e)
ssl.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 423, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.28.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1340, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1209, in certonly
le_client = _init_le_client(config, auth, installer)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 604, in _init_le_client
acc, acme = _determine_account(config)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 521, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 181, in register
acme = acme_from_config_key(config, key)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 51, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 763, in init
directory = messages.Directory.from_json(net.get(server).json())
File “/usr/lib/python3/dist-packages/acme/client.py”, line 1097, in get
self._send_request(‘GET’, url, **kwargs), content_type=content_type)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 1046, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File “/usr/lib/python3/dist-packages/requests/sessions.py”, line 488, in request
resp = self.send(prep, **send_kwargs)
File “/usr/lib/python3/dist-packages/requests/sessions.py”, line 609, in send
r = adapter.send(request, **kwargs)
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 497, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)
2018-01-06 21:40:45,816:ERROR:certbot.log:An unexpected error occurred:

Blockquote

root@notificacion-server:~# ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r–r-- 1 root root 235192 Dec 28 2018 /etc/ssl/certs/ca-certificates.crt

printserverjq.com

debian 9, Tomcat 8080/8443, LigthHttpD 80, DigitalOcean


#2

Hi,

Could you please share us the output of the following command?

openssl s_client -showcerts -connect printserverjq.com:443 ?

curl -vvv https://acme-v02.api.letsencrypt.org/directory

Thank you


#3

Your server is from the future past :spooky:.

Check that NTP is enabled and active:

timedatectl status

Edit: past, not future, oops


#4

Your computer’s clock is 1 year slow.


#5

Yes, I run ntp to sync date and that was all!!
The problem was the date , Thks!! I had 2 days with this problem!! :slight_smile:


closed #6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.