Bad com renewing certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: freakalicious.us

I ran this command: acme-client -v freakalicious.us

It produced this output:

```
acme-client: /etc/ssl/freakalicious.us:443.crt: certificate renewable: -11 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: 172.65.32.248: tls_write: certificate verification failed: unable to get local issuer certificate
acme-client: 172.65.32.248: tls_read: handshake failed: error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed
acme-client: https://acme-v02.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(39614): 1
```

My web server is (include version): openBSD httpd

The operating system my web server runs on is (include version): openBSD 7.4

My hosting provider, if applicable, is: Vultr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using certbot

Supplemental information to assist community volunteers and others

Also see this thread Acme-client bad comm cert verify failed

Edit: Are the Date and Time correct on the system?

And this acme-client tls_read: handshake failed - DaemonForums

3 Likes

Welcome to the community @tfrendberg

Looks like a problem verifying the cert used by the Let's Encrypt API.

Would you show output of this?

curl -v https://acme-v02.api.letsencrypt.org/directory
3 Likes

More supplemental information
The expired certificate being served does not supply a full chain

2 Likes
```
* Host acme-v02.api.letsencrypt.org:443 was resolved.
* IPv6: 2606:4700:60:0:f53d:5624:85c7:3a2c
* IPv4: 172.65.32.248
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

time is correct

1 Like
I see this with my OpenBSD 7.5

```
$ curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Jun 25 23:02:03 2024 GMT
*  expire date: Sep 23 23:02:02 2024 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R10
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x100100d0000)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.79.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< server: nginx
< date: Tue, 13 Aug 2024 02:25:12 GMT
< content-type: application/json
< content-length: 746
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
< 
{
  "EkrH68gDSTY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
```
2 Likes

@tfrendberg What does this show

sudo ls -l /etc/ssl/cert.pem

@Bruce5051 Same question for you :slight_smile:

And @tfrendberg this additional command just for you

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
4 Likes
```
$ ls -l /etc/ssl/cert.pem     
-r--r--r--  1 root  bin  348925 Apr  8 17:54 /etc/ssl/cert.pem
```
4 Likes
```
freakalicious# ls -l /etc/ssl/cert.pem
-r--r--r--  1 root  wheel  4047 May  3 03:11 /etc/ssl/cert.pem

freakalicious# echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=1 CN = acme-v02.api.letsencrypt.org
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=acme-v02.api.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=R10
 1 s:/C=US/O=Let's Encrypt/CN=R10
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
---
...
```
1 Like

Console output is easier to read if you place it between two lines that contain only the backticks like this:

```
Your console output here
And here
```

It will format as follows:

Your console output here
And here

The smaller size of your root certificate store suggests that you may be missing vital trusted root CAs. My /etc/ssl/cert.pem is the same size as the one found by @Bruce5051. I'm also on OpenBSD 7.5. You might want to compare your /etc/ssl/cert.pem against another from an official source.

5 Likes

4047 is about the size of one, maybe two (root) certificates.

I'm guessing someone messed up and has overwritten /etc/ssl/cert.pem in the past.

1 Like

The date of your last successful cert was May 3 at 3:11, which happens to match the date shown for your cert.pem in your root store. Looks like you overlaid your root store with something from that.

6 Likes

That cert + the R3 PEM file are together 4046 bytes. Probably one byte extra for a blank line or something like that makes 4047.

Looks like someone overwrote the root store with fullchain.pem from acme-client (or however the full chain from the ACME server is called in that client).

3 Likes
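The diagnosis in the posts above (a 4047-byte cert.pem that is really a leaf plus intermediate, instead of a few hundred kilobytes of self-signed roots) can be checked mechanically rather than by eyeballing file sizes. The script below is an added example, not code from this thread or from OpenBSD; it assumes only POSIX sh, awk and an openssl(1) binary, and the script name, function names and demo certificate subjects are made up for the illustration. A genuine trust store should contain only self-signed certificates with basicConstraints CA:TRUE; an ACME fullchain file contains a leaf and a non-self-signed intermediate, so the audit flags it.

```sh
#!/bin/sh
# audit_cert_store.sh (hypothetical name): sanity-check a PEM bundle that is
# supposed to be a root-CA trust store, e.g. /etc/ssl/cert.pem on OpenBSD.
#
# A trust store holds only self-signed CA certificates (subject == issuer,
# basicConstraints CA:TRUE). A fullchain.pem written by an ACME client holds
# a leaf plus an intermediate that is NOT self-signed, so a store that was
# overwritten with one shows up as one or two certificates, at least one of
# them a leaf.
#
# Usage: sh audit_cert_store.sh /etc/ssl/cert.pem
# With no argument it runs a demo on throwaway certificates it generates
# itself (constructed test data, see make_demo_bundles).

# Print one line per certificate: "<n> CA|LEAF SELF|CHAIN <subject>".
describe_certs() {
  store="$1"
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per PEM certificate block.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$store"
  i=0
  for f in "$tmp"/*.pem; do
    [ -f "$f" ] || break
    i=$((i + 1))
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    if openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
      kind=CA
    else
      kind=LEAF
    fi
    if [ "$subj" = "$iss" ]; then origin=SELF; else origin=CHAIN; fi
    printf '%d %s %s %s\n' "$i" "$kind" "$origin" "$subj"
  done
  rm -rf "$tmp"
}

# Return 0 and print "OK ..." when every certificate is a self-signed CA;
# otherwise print "SUSPECT ..." plus the per-certificate report and return 1.
audit_store() {
  store="$1"
  report=$(describe_certs "$store") || return 2
  size=$(wc -c < "$store" | tr -d ' ')
  total=$(printf '%s\n' "$report" | grep -c . || true)
  bad=$(printf '%s\n' "$report" | grep -vc ' CA SELF ' || true)
  if [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]; then
    printf 'OK: %d certificates, %d bytes, all self-signed CAs\n' "$total" "$size"
    return 0
  fi
  printf 'SUSPECT: %d certificates, %d bytes, %d not a self-signed CA (leaf or intermediate)\n' \
    "$total" "$size" "$bad"
  printf '%s\n' "$report"
  return 1
}

# Constructed test data: a throwaway root CA and a leaf it signed (nothing
# to do with real Let's Encrypt material). Writes two bundles into $1:
#   rootstore.pem  - the CA alone, what a trust store should look like
#   fullchain.pem  - leaf + CA, what an ACME client writes for the web server
make_demo_bundles() {
  d="$1"
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 1 -subj '/CN=Demo-Root' \
    -addext 'basicConstraints=critical,CA:TRUE' >/dev/null 2>&1
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj '/CN=www.example.test' >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 1 >/dev/null 2>&1
  cat "$d/ca.pem" > "$d/rootstore.pem"
  cat "$d/leaf.pem" "$d/ca.pem" > "$d/fullchain.pem"
}

if [ $# -gt 0 ]; then
  audit_store "$1"
else
  d=$(mktemp -d) || exit 1
  make_demo_bundles "$d"
  audit_store "$d/rootstore.pem" || echo "-> rootstore.pem rejected (unexpected)"
  audit_store "$d/fullchain.pem" || echo "-> fullchain.pem is not a usable trust store"
  rm -rf "$d"
fi
```

Run it against /etc/ssl/cert.pem before and after restoring the file from the OpenBSD distribution; a healthy store reports well over a hundred self-signed CAs, while a store overwritten with acme-client's full-chain output reports a LEAF and a CHAIN entry and exits non-zero.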

Assuming I cannot find a backup of the original, how can I start over with a new cert? Do I need to revoke the certificate first?

No.

You need to fix your systems root certificate store first, which is why you can't even connect to the Let's Encrypt ACME server. And most likely any other HTTPS website to begin with from that system.

The original OpenBSD cert.pem root certificate store file is already linked above in the thread.

4 Likes

I would start by getting a copy of /etc/ssl/cert.pem from OpenBSD.

5 Likes

I had a backup copy of cert.pem. I got this output. Looks good... is there any other issues you can see?

```
acme-client: /etc/ssl/freakalicious.us:443.crt: certificate renewable: -12 days left
acme-client: https://acme-v02.api.letsencrypt.org/directory: directories
acme-client: acme-v02.api.letsencrypt.org: DNS: 172.65.32.248
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966186
acme-client: challenge, token: H9wWFX3a5VChWeGa-Elk9xIXQ8fdLptFL-X2SNTwXm4, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966186/xVCczw, status: 0
acme-client: /var/www/acme/H9wWFX3a5VChWeGa-Elk9xIXQ8fdLptFL-X2SNTwXm4: created
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966196
acme-client: challenge, token: AJW-Ungdj_04qT0rcvfpbmD5WQPN51ZIyPY5911rXTo, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966196/0dp-bg, status: 0
acme-client: /var/www/acme/AJW-Ungdj_04qT0rcvfpbmD5WQPN51ZIyPY5911rXTo: created
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966206
acme-client: challenge, token: I801u-RpV7KE4lv9K7shjS3eVwr-4zq66BgB1JoHnSQ, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966206/doo-VA, status: 0
acme-client: /var/www/acme/I801u-RpV7KE4lv9K7shjS3eVwr-4zq66BgB1JoHnSQ: created
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966216
acme-client: challenge, token: UvbI3zGqvVC2bar7bxj-u7yXtadUZtWbBURvhyJBUo0, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966216/qNrlcA, status: 0
acme-client: /var/www/acme/UvbI3zGqvVC2bar7bxj-u7yXtadUZtWbBURvhyJBUo0: created
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966226
acme-client: challenge, token: LNhzZUQql1f_88hNiCjEzNqEghi-PAjX3cnZVMTDuRE, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966226/5FJojQ, status: 0
acme-client: /var/www/acme/LNhzZUQql1f_88hNiCjEzNqEghi-PAjX3cnZVMTDuRE: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966186/xVCczw: challenge
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966196/0dp-bg: challenge
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966206/doo-VA: challenge
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966216/qNrlcA: challenge
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966226/5FJojQ: challenge
acme-client: order.status 0
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966186
acme-client: challenge, token: H9wWFX3a5VChWeGa-Elk9xIXQ8fdLptFL-X2SNTwXm4, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966186/xVCczw, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966196
acme-client: challenge, token: AJW-Ungdj_04qT0rcvfpbmD5WQPN51ZIyPY5911rXTo, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966196/0dp-bg, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966206
acme-client: challenge, token: I801u-RpV7KE4lv9K7shjS3eVwr-4zq66BgB1JoHnSQ, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966206/doo-VA, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966216
acme-client: challenge, token: UvbI3zGqvVC2bar7bxj-u7yXtadUZtWbBURvhyJBUo0, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966216/qNrlcA, status: 2
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/389954966226
acme-client: challenge, token: LNhzZUQql1f_88hNiCjEzNqEghi-PAjX3cnZVMTDuRE, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/389954966226/5FJojQ, status: 2
acme-client: order.status 1
acme-client: https://acme-v02.api.letsencrypt.org/acme/finalize/1406564706/296054317326: certificate
acme-client: order.status 3
acme-client: https://acme-v02.api.letsencrypt.org/acme/cert/031bd6b71cd8ac379c0403ec303ab0c934e6: certificate
acme-client: /etc/ssl/freakalicious.us:443.crt: created
```

(Edit: changed 3 periods to backticks for formatting)

@Bruce5051 where is this tool?

3 Likes