Cert Renewal Fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: domain.com

I ran this command: certbot renew

It produced this output:

Processing /etc/letsencrypt/renewal/domain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Attempting to renew cert (uncrate.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",). Skipping.

My web server is (include version): nginx/1.4.6 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 14.04.3 LTS

My hosting provider, if applicable, is: IBM (dedicated server .... yes it's quite old)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.26.1

Auto-renewals have been working fine for this and other domains on this server for at least the past year .... until now.

Hi @markcarey and welcome to the LE community forum :slight_smile:

Ubuntu 14 is extremely outdated and seems to be suffering from a lack of trust store updates.
This is a known problem and I believe some solutions have been found for it.
You can find help on how to add the new (since 2015) LE root "ISRG Root X1" and also the workaround solution for OpenSSL throughout this site, and also somewhat summarized here: Production Chain Changes - #4 by jillian

If it hasn't been mentioned, nor occurred to you yet, you really should NOT be using such an outdated system connected to the Internet. Please upgrade it ASAP.


This thread says if you have ESM (extended security maintenance) there are updates to the trust store for Ubuntu 14 LTS.

As an aside, I ran across this just now. We generally complain about vendors not supporting their products long enough so I have to applaud their efforts.


Thank you, I appreciate the quick replies.

We decided on a workaround: moving the DNS to Cloudflare ... where the SSL resides on their network.

But yes, moving off the ancient server is definitely a priority. With: Uptime 2270 days(!) (seriously) .... am afraid to even reboot it!

1 Like

Moving just the DNS to Cloudflare does not change where SSL is terminated. Did you mean to say setup a CDN in Cloudflare? That would handle SSL to client and offers options between the CDN edge and your Ubuntu origin server.


:slight_smile: nice uptime.........
more than 6 years of running 24/7........
what about kernel updates ( AFAIK there is reboot required after each kernel update )?

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.