I'm trying to renew certs for the domain below. The usual way of certbot renew is failing with a bad handshake error. Please see details below. Please advise how I should resolve this.
My domain is: https://staging.scanning.questionmark.eu
I ran this command:
certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/staging.scanning.questionmark.eu.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (staging.scanning.questionmark.eu) from /etc/letsencrypt/renewal/staging.scanning.questionmark.eu.conf produced an unexpected error: [Errno bad handshake] [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/staging.scanning.questionmark.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/staging.scanning.questionmark.eu/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
I checked whether it's possible to curl from my server to letsencrypt.
I ran this command:
It produced this output:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
My web server is (include version):
nginx version: nginx/1.12.2
The operating system my web server runs on is (include version):
NAME="CentOS Linux"
VERSION="7 (Core)"
My hosting provider, if applicable, is: digitalocean.com
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0