Certbot centos 7 fails with python errors

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mserv.top

I ran this command: /bin/certbot certonly --agree-tos --email magnusll@mserv.top --rsa-key-size=4096 -n --webroot -w /opt/rh/httpd24/root/var/www/html/www -d mserv.top

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [X509] PEM lib (_ssl.c:2825)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): N/A

The operating system my web server runs on is (include version): CentOS 7.7.1908

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.38.0

I removed /etc/letsencrypt altogether but the command still fails… The log file /var/log/letsencrypt/letsencrypt.log shows the following:
2019-10-12 17:56:31,414:DEBUG:certbot.main:certbot version: 0.38.0
2019-10-12 17:56:31,414:DEBUG:certbot.main:Arguments: ['--agree-tos', '--email', 'x@mserv.top', '--rsa-key-size=4096', '-n', '--webroot', '-w', '/opt/rh/httpd24/root/var/www/html/www', '-d', 'mserv.top']
2019-10-12 17:56:31,415:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-10-12 17:56:31,445:DEBUG:certbot.log:Root logging level set at 20
2019-10-12 17:56:31,445:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-10-12 17:56:31,446:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2019-10-12 17:56:31,448:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f8bc1410390>
Prep: True
2019-10-12 17:56:31,449:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f8bc1410390> and installer None
2019-10-12 17:56:31,449:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2019-10-12 17:56:32,020:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2019-10-12 17:56:32,023:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2019-10-12 17:56:32,868:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.38.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1249, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 607, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 523, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 176, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 46, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 828, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1161, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1110, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 477, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 589, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
SSLError: [X509] PEM lib (_ssl.c:2825)
2019-10-12 17:56:32,869:ERROR:certbot.log:An unexpected error occurred:


If you installed Certbot from EPEL (as per the instructions for CentOS 7), Certbot should be installed as /usr/bin/certbot .

Is it possible you tried to install it via pip or git at some point?

Ah, /bin/certbot is a symlink to /usr/bin/certbot-2 - same as /usr/bin/certbot
/usr/bin/certbot -> /usr/bin/certbot-2
/bin/certbot -> /usr/bin/certbot-2

So it’s the same binary for both and part of python2-certbot-0.38.0-1.el7.noarch
$ rpm -qf /usr/bin/certbot-2

$ yum list | grep certbot
certbot.noarch 0.38.0-1.el7 @epel
python2-certbot.noarch 0.38.0-1.el7 @epel

You’re right, EPEL does install that /bin/certbot symlink. I should have used which -a.

There’s some suggestion that the “PEM lib” error is actually a certificate verification error.

I wonder if re-installing those specific packages would help?

yum reinstall ca-certificates python-urllib3 python-requests pyOpenSSL

Additionally, does a curl and wget to https://acme-v02.api.letsencrypt.org/directory from that machine succeed?

Reinstalling worked! Thanks a lot
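
As an added illustration that is not part of the thread: an OpenSSL "[X509] PEM lib" error can be raised while the client loads its CA bundle, before any handshake, so one check alongside the suggested reinstall is whether the bundle files still parse. The bundle paths below are assumptions (the usual CentOS 7 location plus this Python's default), and the sketch targets Python 3 rather than the Python 2.7 that certbot ran under in the thread.

```python
"""Added diagnostic sketch (not from the thread): check that CA bundle files parse."""
import os
import re
import ssl
from collections import namedtuple

# Assumed locations: the usual CentOS 7 system bundle plus whatever this
# Python's OpenSSL build reports as its default. Adjust for your host.
CANDIDATES = [
    "/etc/pki/tls/certs/ca-bundle.crt",
    ssl.get_default_verify_paths().cafile,
]

Result = namedtuple("Result", "path ok pem_blocks detail")
BEGIN = re.compile(rb"-----BEGIN (?:TRUSTED )?CERTIFICATE-----")


def check_bundle(path):
    """Load `path` the way an HTTPS client would and report whether it parses."""
    if not path or not os.path.isfile(path):
        return Result(path, False, 0, "missing")
    with open(path, "rb") as fh:
        # Count PEM headers so a truncated or emptied file is easy to spot.
        blocks = len(BEGIN.findall(fh.read()))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return Result(path, False, blocks, "unparseable: %s" % exc)
    loaded = ctx.cert_store_stats()["x509"]
    return Result(path, loaded > 0, blocks, "%d certificates loaded" % loaded)


def main():
    # De-duplicate while keeping order; skip a default that is not set.
    for path in dict.fromkeys(p for p in CANDIDATES if p):
        r = check_bundle(path)
        status = "OK" if r.ok else "FAIL"
        print("%-4s %s (%d PEM blocks): %s" % (status, r.path, r.pem_blocks, r.detail))


if __name__ == "__main__":
    main()
```

A FAIL on the system bundle points at the ca-certificates package; an OK result leaves the Python TLS stack (python-requests, python-urllib3, pyOpenSSL) as the remaining suspects.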