Attempting to renew cert: unexpected error: bad handshake

My operating system is: Slackware 14.1 (32-bit)

I installed Certbot from source code (certbot-1.4.0, certbot-1.4.0.tar.gz).

I ran this command:
certbot renew --config-dir=config --logs-dir=logs --work-dir=work

It produced this output:
Attempting to renew cert ([...]) from /home/[...]/[...].cf.conf produced an unexpected error: bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],). Skipping.

Certbot's behavior differed from what I expected because: Renew failure.

The version is:

$ certbot --version
certbot 1.4.0

I don't understand it worked for years and now it does not work anymore, I am unable to renew my certificate, do you know why please?

Thank you.
Best regards.

Welcome to the community @YuGiOhJCJ

At the end of Sept a root certificate for Let's Encrypt expired. There are numerous posts on this topic. As part of addressing that the certificate chain sent by Let's Encrypt for its ACME server changed. It now uses what we call the "short chain" which terminates in a cert called ISRG Root X1. Clients, like certbot, need to be able to validate that chain.

You have a few options:

  1. Update your CA Certificate store to include ISRG Root X1. I am not at all familiar with your os version so cannot advise specifics.
  2. Use a different CA to issue your certificates

As to option 1, see this thread for possible ways to do that on slackware 14.1. Perhaps ask the slackware community about it. If you do find a way to install ISRG Root X1 please post back to help future readers of this forum.

If that does not work and a different CA is not viable you could, as a last resort, have certbot ignore the security checks on the cert chain from the LE server. You do this by adding --no-verify-ssl to the command line. If you choose this option you should take care to validate the certificates you receive just to be sure they are legit.

2 Likes

I haven't used Slackware since maybe 1999, but I gave it a quick try and it seems that these steps were necessary to get it to pick up the necessary updated CA certificates:

  1. Make sure the ca-certificates and perl packages are installed and fully upgraded (ca-certificates-20211005-noarch-1_slack14.2.txz as of when I tried).

  2. Forcibly regenerate the CA certificates (I had to do this because initially I did not have perl installed):

    update-ca-certificates --fresh
    
  3. Try Certbot again.

3 Likes

I wrote something wrong in my first message.
I am not on Slackware 14.2 (64-bit) but on Slackware 14.1 (32-bit).
I edited.

Yes, I already updated my CA Certificate store to include ISRG Root X1.
To do that, I upgraded the package from ca-certificates-20130906-noarch-1.txz to ca-certificates-20211005-noarch-1_slack14.1.txz.

Then I ran:

$ sudo update-ca-certificates 
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
$ find /usr/share/ca-certificates/mozilla -name 'ISRG*'
/usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
$ find /etc/ssl -name 'ISRG*'
/etc/ssl/certs/ISRG_Root_X1.pem
$ ls -l /etc/ssl/certs/ISRG_Root_X1.pem 
lrwxrwxrwx 1 root root 51 Oct  3 21:31 /etc/ssl/certs/ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt
$ sudo reboot

However, it does not work.

So, I think that the problem is the version of OpenSSL I am using:

$ openssl version
OpenSSL 1.0.2h  3 May 2016

Do you think that upgrading to OpenSSL 1.1.1k could fix my problem please?

1 Like

Yes.

1 Like

Updating from 2013 certs to 2021 certs should have done more than "0 added, 0 removed".

What does this say:

grep -E "ISRG Root|DST Root" /etc/ssl/certs/ca-certificates.crt

Also this:

curl -I https://acme-v02.api.letsencrypt.org

2 Likes

I have now upgraded to OpenSSL 1.1.1k.
However, the problem is still there:

$ certbot renew --config-dir=config --logs-dir=logs --work-dir=work
Saving debug log to /home/[...]/letsencrypt.log
[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /home/[...]/[...].cf.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert ([...].cf) from /home/[...]/[...].cf.conf produced an unexpected error: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
[...]
  /home/[...]/fullchain.pem (failure)
[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
11 renew failure(s), 0 parse failure(s)

This command gives no result:

$ grep -E "ISRG Root|DST Root" /etc/ssl/certs/ca-certificates.crt

This command gives a result:

$ curl -I https://acme-v02.api.letsencrypt.org
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Nov 2021 19:11:06 GMT
Content-Type: text/html
Content-Length: 2174
Last-Modified: Wed, 18 Aug 2021 16:36:13 GMT
Connection: keep-alive
ETag: "611d36fd-87e"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

So, I don't know what to do now because I have already updated CA Certificate store and OpenSSL.

What can I do please?

Until we can sort this all out, try adding:
--no-verify-ssl

1 Like

Since curl works now, I think most likely, one of the Python packages is using an outdated bundle of CA certificates.

What's your installed version of these packages:

  • python-certifi
  • python-requests
  • python-urllib3

1 Like

This is the complete list of Python packages I have installed for certbot:

  • python-2.7.18
  • python-acme-1.4.0
  • python-asn1crypto-1.4.0
  • python-certbot-1.4.0
  • python-cffi-1.8.3
  • python-configargparse-0.11.0
  • python-configobj-5.0.6
  • python-cryptography-2.1.4
  • python-distro-1.5.0
  • python-enum34-1.1.6
  • python-funcsigs-1.0.2
  • python-idna-2.1
  • python-ipaddress-1.0.17
  • python-josepy-1.1.0
  • python-mock-2.0.0
  • python-ndg_httpsclient-0.4.2
  • python-parsedatetime-2.1
  • python-pbr-1.10.0
  • python-pyasn1-0.1.9
  • python-pycparser-2.16
  • python-pyopenssl-17.5.0
  • python-pyrfc3339-1.0
  • python-pytz-2016.7
  • python-requests-2.11.1
  • python-requests-toolbelt-0.8.0
  • python-setuptools-28.8.0
  • python-six-1.9.0
  • python-zope-component-4.3.0
  • python-zope-event-4.2.0
  • python-zope-interface-4.3.2

As you can see I have:

  • python-cffi-1.8.3
  • python-requests-2.11.1
  • but python-urllib3 is not installed because I don't see any error while using certbot asking for this package

Thanks.

The bundled CA certificates that come with python-requests-2.11.1 do not include the root certificate that Let's Encrypt is now using.

Those bundled CA certificates were last updated before Let's Encrypt had even launched, in the second half of 2015.

If you can install a relatively recent version of python-certifi (say, the one available in Slackware 14.2), then requests should pick it up and things should start working again.

3 Likes
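The diagnosis in the two posts above (requests/certifi shipping their own CA bundle, separate from /etc/ssl/certs) is easy to confirm without network access. The script below is an added example, not code from the thread or from certbot: it reports which bundle file python-requests would use (via `requests.certs.where()`, which falls back to `certifi.where()` when certifi is installed) and checks whether a bundle actually contains a certificate whose subject carries a given Common Name. It decodes each PEM block and searches the DER bytes rather than grepping the file, because a bundle is only greppable by name when it carries `#`-comment headers (certifi's cacert.pem does; a bare concatenation of PEM blocks does not), so an empty grep is not proof that the root is missing. The two sample bundles at the bottom are constructed stand-ins (a DER SEQUENCE wrapping one PrintableString, not real certificates) so the check runs offline.

```python
"""Check whether a PEM CA bundle contains a root CA with a given Common Name.

Added example (not part of the forum thread or of certbot).  Assumes only
the Python standard library; python-requests/certifi are probed optionally.
"""
import base64
import re

# One PEM certificate block; comment/name lines between blocks are ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks_to_der(bundle_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    ders = []
    for match in PEM_BLOCK.finditer(bundle_text):
        body = "".join(match.group(1).split())  # drop line breaks / whitespace
        ders.append(base64.b64decode(body))
    return ders


def bundle_contains_cn(bundle_text, common_name):
    """True if some certificate's DER encoding contains the CN as raw bytes.

    A root's subject CN is encoded as an ASN.1 PrintableString/UTF8String,
    so its ASCII bytes appear verbatim in the DER.  A substring search is
    therefore sufficient as a diagnostic (this is not a full X.509 parse).
    """
    needle = common_name.encode("ascii")
    return any(needle in der for der in pem_blocks_to_der(bundle_text))


def check_bundle_file(path, common_name="ISRG Root X1"):
    """Apply bundle_contains_cn() to a bundle file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return bundle_contains_cn(fh.read(), common_name)


def requests_bundle_path():
    """Bundle file python-requests would use, or None if requests is absent."""
    try:
        import requests.certs
    except ImportError:
        return None
    return requests.certs.where()


# ---- constructed sample data (not real certificates) ----------------------

def _der_sequence_with_printable_string(text):
    """Constructed stand-in for a certificate: SEQUENCE { PrintableString }.

    Only mimics the property the check relies on (the CN present as bytes);
    lengths stay below 128 so the short DER length form is valid.
    """
    s = text.encode("ascii")
    inner = b"\x13" + bytes([len(s)]) + s      # PrintableString
    return b"\x30" + bytes([len(inner)]) + inner  # SEQUENCE


def _to_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed bundles: one that carries the new root, one that does not.
SAMPLE_WITH_ISRG = (
    "# DST Root CA X3\n" + _to_pem(_der_sequence_with_printable_string("DST Root CA X3"))
    + "# ISRG Root X1\n" + _to_pem(_der_sequence_with_printable_string("ISRG Root X1"))
)
SAMPLE_WITHOUT_ISRG = _to_pem(_der_sequence_with_printable_string("DST Root CA X3"))


if __name__ == "__main__":
    path = requests_bundle_path()
    if path is None:
        print("python-requests not installed here; checking constructed samples only")
    else:
        print("requests would use bundle:", path)
        print("ISRG Root X1 present there:", check_bundle_file(path))
    print("constructed sample with root   :", bundle_contains_cn(SAMPLE_WITH_ISRG, "ISRG Root X1"))
    print("constructed sample without root:", bundle_contains_cn(SAMPLE_WITHOUT_ISRG, "ISRG Root X1"))
```

On a host like the one in the thread, running this with the old python-requests-2.11.1 would report its bundled cacert.pem and `False` for ISRG Root X1, while the same call against the system's /etc/ssl/certs/ca-certificates.crt (as updated in the earlier post) can be used to confirm the root really is there even though the name grep returned nothing.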

I have upgraded the python-requests Python package and installed the python-certifi Python package.
Some dependencies were not satisfied so I had to upgrade and install other Python packages too.
This is the new complete list of Python packages I have installed for certbot (in bold, what has changed):

  • python-2.7.18
  • python-acme-1.4.0
  • python-asn1crypto-1.4.0
  • python-certbot-1.4.0
  • python-certifi-2019.3.9
  • python-cffi-1.8.3
  • python-chardet-4.0.0
  • python-configargparse-0.11.0
  • python-configobj-5.0.6
  • python-cryptography-2.1.4
  • python-distro-1.5.0
  • python-enum34-1.1.6
  • python-funcsigs-1.0.2
  • python-idna-2.5
  • python-ipaddress-1.0.17
  • python-josepy-1.1.0
  • python-mock-2.0.0
  • python-ndg_httpsclient-0.4.2
  • python-parsedatetime-2.1
  • python-pbr-1.10.0
  • python-pyasn1-0.1.9
  • python-pycparser-2.16
  • python-pyopenssl-17.5.0
  • python-pyrfc3339-1.0
  • python-pytz-2016.7
  • python-requests-2.26.0
  • python-requests-toolbelt-0.8.0
  • python-setuptools-28.8.0
  • python-six-1.9.0
  • python-urllib3-1.25.2
  • python-zope-component-4.3.0
  • python-zope-event-4.2.0
  • python-zope-interface-4.3.2

Result:

$ sudo certbot renew --config-dir=config --logs-dir=logs --work-dir=work
[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /home/[...]/[...].cf.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [...].cf
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed without reload, fullchain is
/home/[...]/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[...]

So, it is a success!

Now the problem I have is that as I have upgraded OpenSSL, a lot of my services are not working anymore on my server: DNS (bind), Web (httpd), VoIP (mumble), IRC (ircd-hybrid), ...
Indeed, these services had the old OpenSSL library as dependency and now they have to be rebuilt and linked against the new OpenSSL library.
I have to rebuild all of these programs, this will be long.

Anyway, thanks to all participants, the problem with certbot is fixed.
Best regards.

2 Likes