Bad Handshake on Renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dorcan.com

I ran this command: certbot -vv renew

It produced this output:
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (dorcan.com) from /etc/letsencrypt/renewal/dorcan.com.conf produced an unexpected error: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",). Skipping.
Traceback was:
Traceback (most recent call last):
File "/opt/csw/lib/python2.7/site-packages/certbot-1.10.0.dev0-py2.7.egg/certbot/_internal/renewal.py", line 472, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/opt/csw/lib/python2.7/site-packages/certbot-1.10.0.dev0-py2.7.egg/certbot/_internal/main.py", line 1181, in renew_cert
le_client = _init_le_client(config, auth, installer)
File "/opt/csw/lib/python2.7/site-packages/certbot-1.10.0.dev0-py2.7.egg/certbot/_internal/main.py", line 610, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/opt/csw/lib/python2.7/site-packages/certbot-1.10.0.dev0-py2.7.egg/certbot/_internal/client.py", line 255, in __init__
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/opt/csw/lib/python2.7/site-packages/certbot-1.10.0.dev0-py2.7.egg/certbot/_internal/client.py", line 43, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/opt/csw/lib/python2.7/site-packages/acme/client.py", line 831, in __init__
directory = messages.Directory.from_json(net.get(server).json())
File "/opt/csw/lib/python2.7/site-packages/acme/client.py", line 1168, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/opt/csw/lib/python2.7/site-packages/acme/client.py", line 1118, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/opt/csw/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/opt/csw/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/opt/csw/lib/python2.7/site-packages/requests/adapters.py", line 433, in send
raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/dorcan.com/fullchain.pem (failure)

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Solaris 10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.10.0.dev0

I don't think Certbot officially supports running on Solaris, but my guess would be that you need to upgrade the certifi and/or requests Python packages which are installed in /opt/csw/lib/python2.7/.

The likely cause is that the CA trust store that is being used by your copy of requests (see here) does not contain the "ISRG Root X1" root. Upgrading the relevant package should resolve the issue for you.

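The check behind that answer, as an added diagnostic that is not part of this thread, of Certbot or of requests: find the CA bundle requests will verify against (the same lookup order requests uses: the REQUESTS_CA_BUNDLE / CURL_CA_BUNDLE overrides, then certifi, then OpenSSL's default file), let OpenSSL parse it through the standard-library `ssl` module, and report whether a root with the given commonName ("ISRG Root X1" by default) is in it. Written for Python 3 with the standard library only; the function names and the cert-free sample bundle used by the self-check are mine.

```python
"""Does the CA bundle used by requests contain a given root certificate?

Added diagnostic for the "certificate verify failed" case above; not the
thread's or Certbot's code. Standard library only (Python 3).
"""
import os
import ssl
import tempfile


def requests_bundle_path():
    """Return the CA bundle requests would verify against, or None.

    Mirrors requests' own precedence: an explicit environment override,
    then the bundle shipped with certifi (the package the answer suggests
    upgrading), then whatever OpenSSL calls its default CA file.
    """
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if os.environ.get(var):
            return os.environ[var]
    try:
        import certifi
        return certifi.where()
    except ImportError:
        pass
    cafile = ssl.get_default_verify_paths().cafile
    return cafile if cafile and os.path.exists(cafile) else None


def ca_common_names(bundle_path):
    """commonName of every CA certificate OpenSSL can parse out of the bundle.

    get_ca_certs() only lists certificates OpenSSL classifies as CAs, which is
    exactly the set that matters for chain verification. A bundle that is
    missing, unreadable or holds no certificate at all yields [] rather than
    raising, so the caller can treat it as "trusts nothing".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=bundle_path)
    except OSError:  # ssl.SSLError is a subclass of OSError
        return []
    names = set()
    for cert in ctx.get_ca_certs():
        # subject is a tuple of RDNs, each a tuple of (attribute, value) pairs
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.add(value)
    return sorted(names)


def bundle_trusts(bundle_path, root_cn="ISRG Root X1"):
    """True if a CA certificate with that commonName is in the bundle."""
    return root_cn in ca_common_names(bundle_path)


def diagnose(bundle_path=None, root_cn="ISRG Root X1"):
    """One-line verdict; bundle_path defaults to the one requests would use."""
    path = bundle_path or requests_bundle_path()
    if path is None:
        return "no CA bundle found: install or upgrade certifi"
    if bundle_trusts(path, root_cn):
        return "%s trusts %s" % (path, root_cn)
    return "%s lacks %s: upgrade certifi/requests" % (path, root_cn)


def write_temp_bundle(text):
    """Write constructed bundle text to a temp file and return its path.

    Only used for a self-check with a deliberately certificate-free bundle;
    a real run points diagnose() at the bundle requests actually loads.
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    # Run with the same interpreter Certbot uses so the same certifi is found.
    print(diagnose())
```

On the box in question this would be run with the /opt/csw interpreter, since that is the Python whose certifi and requests copies Certbot imports; a "lacks ISRG Root X1" verdict for that bundle is the condition the answer describes, and a fresh certifi replaces the bundle file that the verdict names.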
