(Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

Ilovesmallbeez · July 29, 2022, 10:02pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hybridwork.click

I ran this command: certbot --nginx

It produced this output:
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in init
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): nginx

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):
I don´t know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 0.31.0

Bruce5051 · July 29, 2022, 10:09pm

Hello @Ilovesmallbeez, and welcome to the LE community forum

I would suggest updating your version of Certbot, that is very old.
Certbot 1.29.0 is the present latest release - Releases · certbot/certbot · GitHub
And instruction are here on Certbot usage - Certbot Instructions | Certbot

Here is a Mozilla's recommendation for a starting point of a Web Server configuration Mozilla SSL Configuration Generator

MikeMcQ · July 29, 2022, 11:45pm

If this curl also fails with the verify error then your CA Certificate store is out of date

curl -I https://acme-v02.api.letsencrypt.org

To update your CA store:

Do:
sudo apt-get update
sudo apt update

Then, this and show output:
sudo apt install ca-certificates

rg305 · July 30, 2022, 2:02am

OR

Maybe there is an SSL inspection device inline?

Ilovesmallbeez · July 30, 2022, 10:44am

Thanks for all your messages.
The digital ocean tech support told me the problem is the port 443 was closed

PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
443/tcp closed https

Does anyone know how to open this port via command?

Thanks

MikeMcQ · July 30, 2022, 11:49am

I don't think that is what is causing this problem. Your problem was with an outbound connection. Those ports are for inbound connections.

Is the below curl successful or does it also show verify error?

curl -I https://acme-v02.api.letsencrypt.org

Ilovesmallbeez · July 30, 2022, 12:23pm

root@erxes0176onubuntu1804-s-2vcpu-4gb-fra1-01:~# curl -I https://acme-v02.api.letsencrypt.org
HTTP/2 200 
server: nginx
date: Sat, 30 Jul 2022 12:22:08 GMT
content-type: text/html
content-length: 1540
last-modified: Thu, 23 Jun 2022 21:18:47 GMT
etag: "62b4d8b7-604"
x-frame-options: DENY
strict-transport-security: max-age=604800

MikeMcQ · July 30, 2022, 12:29pm

Thanks. That proves you can make https connections outbound and also that your CA Cert store is ok.

As Bruce noted earlier, your certbot is very old. You should upgrade to the snap install using the below instructions. Some certain old certbot / python configs don't use the same CA Cert store so upgrading will ensure that is not a problem and gets you current anyway.

Ilovesmallbeez · July 30, 2022, 12:47pm

Thanks for your great help. problem was solved

system · August 29, 2022, 12:47pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.