Let's Encrypt root CA expired, certificate did not renew, CentOS 7

Please fill in all the fields below so that we can help you. Note: you must give your domain name to receive help. The domain names of issued certificates are published in the Certificate Transparency logs (for example, https://crt.sh/?q=example.com), so withholding your domain name does not keep it secret; it only makes helping you harder.

I can read answers in English: yes

My domain name is: www.fiscodata.com.br

I ran this command: /usr/bin/certbot renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/www.fiscodata.com.br.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Failed to renew certificate www.fiscodata.com.br with error: str returned non-string (type Error)

All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/www.fiscodata.com.br/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (with version): Apache/2.4.6 (CentOS)

The operating system on my web server is (with version): CentOS 7

My hosting provider (if applicable) is: Algar

I can access a root shell on my machine (yes or no, or I don't know): yes

I use a control panel to manage my site (no, or give the name and version of the control panel): no


Good morning @SergioFisco,

Which version of Certbot are you using?

Could you share the file /var/log/letsencrypt/letsencrypt.log, or at least the part showing the context of this renewal attempt?


Yesterday's log, 17/10/2020

2021-10-17 23:50:01,504:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-10-17 23:50:01,504:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-10-17 23:50:01,504:DEBUG:certbot._internal.main:Arguments: []
2021-10-17 23:50:01,504:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-10-17 23:50:01,521:DEBUG:certbot._internal.log:Root logging level set at 20
2021-10-17 23:50:01,521:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-10-17 23:50:01,523:DEBUG:certbot.display.util:Notifying user: Processing /etc/letsencrypt/renewal/www.fiscodata.com.br.conf
2021-10-17 23:50:01,533:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x198ba90> and installer <certbot._internal.cli.cli_utils._Default object at 0x198ba90>
2021-10-17 23:50:01,554:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-09-30 13:45:40 UTC.
2021-10-17 23:50:01,554:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
2021-10-17 23:50:01,554:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 211.577772908 seconds
2021-10-17 23:53:33,209:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2021-10-17 23:53:33,211:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot._internal.plugins.standalone:Authenticator
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x198cf90>
Prep: True
2021-10-17 23:53:33,212:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x198cf90> and installer None
2021-10-17 23:53:33,212:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2021-10-17 23:53:33,244:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'', new_authzr_uri=None, terms_of_service=None), 851c2ef9593b01f2269fc8f0cff928d4, Meta(creation_host=u'fiscodatalapp01', register_to_eff=None, creation_dt=datetime.datetime(2021, 7, 2, 14, 42, 58, tzinfo=<UTC>)))>
2021-10-17 23:53:33,250:DEBUG:acme.client:Sending GET request to .
2021-10-17 23:53:33,258:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-10-17 23:53:33,644:ERROR:certbot._internal.renewal:Failed to renew certificate with error: __str__ returned non-string (type Error)
2021-10-17 23:53:33,648:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 471, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1233, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 659, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 255, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 43, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 831, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1168, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1118, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err): # Python 2.6
TypeError: __str__ returned non-string (type Error)
2021-10-17 23:53:33,648:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-10-17 23:53:33,649:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2021-10-17 23:53:33,649:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/www.fiscodata.com.br/fullchain.pem (failure)
2021-10-17 23:53:33,649:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-10-17 23:53:33,649:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1318, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/renewal.py", line 497, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)
2021-10-17 23:53:33,650:ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)

@_az what do you think of this type error way down inside the Certbot client implementation? It does seem to have been triggered when first trying to connect to the API, and, being CentOS, may suggest difficulty validating the API's certificate—but it didn't produce a very useful error message.

@SergioFisco thanks for the information. Given the context, I think it is likely one of the problems described in the topic

and that one of the solutions there may fix it. The most commonly useful solution there was updating the ca-certificates package on your CentOS server. However, the error message you received is different from the message Certbot users usually get in that case, and I don't know why; I also don't know whether that points to another kind of problem.

Another thing you can try, for comparison, is curl -v https://acme-v02.api.letsencrypt.org/directory on the same machine, just to see whether it gives a verification error when connecting to the API.


Yeah it's unfortunate that the underlying error was swallowed in this way.

Edit: oh whoops, of course the error will still be swallowed with the command I suggested. Hmm. I'll try to think of something. I think the curl command should probably reveal the true error. CentOS 7's curl does use nss instead of libssl, but hopefully it won't be relevant.


[root@fiscodatalapp01 ~]# curl -v https://acme-v02.api.letsencrypt.org/directory
* About to connect() to acme-v02.api.letsencrypt.org port 443 (#0)
*   Trying 172.65.32.248...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=acme-v01.api.letsencrypt.org
*       start date: Oct 17 20:22:16 2021 GMT
*       expire date: Jan 15 20:22:15 2022 GMT
*       common name: acme-v01.api.letsencrypt.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Thank you!

Could you check these two commands as well:

rpm -q ca-certificates

and

trust list --filter="pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert"

[root@fiscodatalapp01 ~]# rpm -q ca-certificates
ca-certificates-2015.2.6-70.1.el7_2.noarch
[root@fiscodatalapp01 ~]#
[root@fiscodatalapp01 ~]# trust list --filter="pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert"
p11-kit: uri contained unrecognized components, nothing will be extracted

This is very out of date and probably explains the issue. Update the package and try again:

yum -y install ca-certificates
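As an added check that is not code from this thread, the Python 3 script below does what the rpm and trust list commands above do by hand: it reads the CA bundle the OS hands to Python's ssl module, reports whether ISRG Root X1 (the root whose subject key id the trust list filter above matches) is trusted, and lists any trusted root that is already past its notAfter date, such as DST Root CA X3. The sample stores, their dates and the fixed clock are constructed inputs for demonstration; the live audit_system_store() function is what you would run on the server.

```python
"""Audit the OS trust store for the roots Let's Encrypt chains depend on (Python 3)."""
import ssl
import time

ISRG_ROOT = "ISRG Root X1"

# Constructed sample in the shape SSLContext.get_ca_certs() returns: a stale store that
# still trusts the expired DST Root CA X3 but does not contain ISRG Root X1 at all.
STALE_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]
FRESH_STORE = STALE_STORE + [
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", ISRG_ROOT),)),
     "notAfter": "Jun 4 11:04:38 2035 GMT"},
]
# Fixed clock for the sample: 2021-10-17 23:53:33 UTC, the time of the failed renewal above.
SAMPLE_NOW = 1634514813


def subject_cn(cert):
    """Extract commonName from a get_ca_certs()-style dict; None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def audit_roots(ca_certs, now=None):
    """Report whether ISRG Root X1 is trusted and which trusted roots are past notAfter."""
    now = time.time() if now is None else now
    report = {"has_isrg_root_x1": False, "expired": []}
    for cert in ca_certs:
        cn = subject_cn(cert)
        if cn == ISRG_ROOT:
            report["has_isrg_root_x1"] = True
        not_after = cert.get("notAfter")
        # notAfter uses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form, which ssl can parse.
        if not_after and ssl.cert_time_to_seconds(not_after) < now:
            report["expired"].append(cn)
    return report


def audit_system_store():
    """Audit the CA bundle Python's default context loads from the OS (live check)."""
    return audit_roots(ssl.create_default_context().get_ca_certs())
```

On a box in the state shown above, audit_system_store() comes back with has_isrg_root_x1 False; after the ca-certificates update it should flip to True, which is the condition the chain needs to verify.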

I updated the package as "_az" indicated and the renewal went through OK;

Thanks for the important tips.
