Bad handshake error during renew

I noticed one of the certificates for a domain I have did not auto-renew and I'm getting some errors. I've included the log file output below. I'm not sure if I need to make some updates to my server. I tried restarting the server. Any advice? It seems recent, and soon I'll have other certificates expiring on the same server. It'd be great to fix this before that happens.

My domain is:
https://workalicious.com/

I ran this command:
sudo certbot --apache -d workalicious.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 438, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1716, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1456, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 846, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 325, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 445, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 630, in urlopen
    raise SSLError(e)
urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Server version: Apache/2.4.46 (Ubuntu)

The operating system my web server runs on is (include version):
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-042stab144.1 x86_64)

My hosting provider, if applicable, is:
Media Temple DV

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

I've attached the log file output as an attachment. Any help or guidance to fix the error and get back up and running with an LE Certificate would be appreciated. Thanks!

le-workalicious-log-11-12-21.txt (6.3 KB)

Dave

OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

It looks like your system is missing the ISRG Root X1 root certificate from your CA certificate store. The certificate chain the Let's Encrypt ACME server sends changed on Sept 30 due to the expiration of DST Root CA X3 at that time.

Try:
sudo apt-get update
sudo apt update

Then, what shows:
sudo apt install ca-certificates
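The diagnosis above can be checked before (and after) reinstalling ca-certificates. The script below is an added example, not code from the thread or from certbot: it loads the system CA bundle with the Python standard library and reports whether ISRG Root X1 is present, which is exactly what the ACME endpoint needs to validate after DST Root CA X3 expired. The bundle paths, the function names and the constructed subject dicts used for testing are assumptions; the script runs offline and never contacts Let's Encrypt.

```python
"""Added example: does the local CA trust store contain ISRG Root X1?

Stdlib only, so it runs on a stock Ubuntu box without extra packages.
The bundle paths below are assumptions for Debian/Ubuntu and RHEL layouts.
"""
import os
import ssl

# The root that acme-v02.api.letsencrypt.org chains to; certbot's
# requests/urllib3 stack fails with 'certificate verify failed' without it.
REQUIRED_ROOTS = ("ISRG Root X1",)
# Expired on 30 Sept 2021; its presence is harmless but no longer sufficient.
EXPIRED_ROOT = "DST Root CA X3"

# Assumed bundle locations, tried in order (Debian/Ubuntu first).
CANDIDATE_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
)


def common_names(ca_certs):
    """Collect subject commonName values from the dicts returned by
    SSLContext.get_ca_certs(): 'subject' is a tuple of RDNs, and each
    RDN is a tuple of (attribute, value) pairs."""
    names = set()
    for cert in ca_certs:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.add(value)
    return names


def missing_roots(ca_certs, required=REQUIRED_ROOTS):
    """Return the required root CNs that are absent from ca_certs."""
    present = common_names(ca_certs)
    return [cn for cn in required if cn not in present]


def load_bundle(paths=CANDIDATE_BUNDLES):
    """Load the first existing bundle into a verify-only context and return
    (path, ca_cert_dicts).  Loading a cafile (not a capath) makes OpenSSL
    parse every certificate, so get_ca_certs() lists them all."""
    for path in paths:
        if os.path.exists(path):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_verify_locations(cafile=path)
            return path, ctx.get_ca_certs()
    return None, []


def diagnose(paths=CANDIDATE_BUNDLES):
    """One-line verdict on the trust store, with the fix from the thread."""
    path, certs = load_bundle(paths)
    if path is None:
        return "no CA bundle found; install the ca-certificates package"
    names = common_names(certs)
    missing = missing_roots(certs)
    if missing:
        note = " (only the expired DST Root CA X3 is present)" if EXPIRED_ROOT in names else ""
        return (f"{path} lacks {', '.join(missing)}{note}; "
                "run: sudo apt update && sudo apt install ca-certificates")
    return f"{path} contains {', '.join(REQUIRED_ROOTS)}; the trust store is not the problem"


if __name__ == "__main__":
    print(diagnose())
```

If the script reports the root as present but certbot still fails, the remaining suspects are a private bundle certbot was pointed at (the REQUESTS_CA_BUNDLE environment variable) or an outbound proxy rewriting the TLS connection; `openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org </dev/null` should end with `Verify return code: 0 (ok)` on a healthy host.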


Thanks Mike! That was the fix!

When I did my usual command (sudo certbot --apache -d workalicious.com) I got a message:

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.

I found this worked: certbot --installer apache -d workalicious.com
I'm back up and running with a Certificate. Thanks!

root@pcdg-6c5p:~# certbot --installer apache -d workalicious.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer apache

You might want to also add in the "www".
sudo certbot --apache -d workalicious.com -d www.workalicious.com
[if that is also being served (as alias) in your vhost config - I see DNS returns the same IP]


Thanks @rg305. I did end up having to add that so my redirect would work.

