My problem is that I am not able to run Certbot correctly. When I start it with "certbot" or "certbot --nginx" it asks for my email address. After that the bot crashes with the following error message:
An unexpected error occured:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get locale issuer certificate (_ssl.c:1131)')))
I have to mention that my server is behind a proxy. But the proxy is correctly defined via the environment variables http_proxy, https_proxy, HTTP_PROXY, HTTPS_PROXY.
Thanks, that sounds promising. Is there any way to tell Certbot to trust my CA? The proxy certificate is already set up in the OS. Other programs (like curl or apt) use it and it works. But for some reason Certbot does not.
Huh, well, Certbot is using requests, which is using urllib3.
It looks like using the OS trusted certificate database has been the default behavior in Python for a while.
@_az, do you have any ideas why different Certbot installation methods would now be showing different behavior with regard to the certificate stores they use when connecting as a client to an ACME API endpoint?
This might be a wrong explanation but here goes ...
What it looks like to me is that Debian patches some Python packages to read CA certificates from /etc/ssl/certs/ca-certificates.crt (emphasis mine):
Description-en: root certificates for validating SSL certs and verifying TLS hosts (python3)
Certifi is a carefully curated collection of Root Certificates for
validating the trustworthiness of SSL certificates while verifying
the identity of TLS hosts. It has been extracted from the Requests

The version of certifi in this Debian package is patched to return
the location of Debian-provided CA certificates, instead of those
packaged by upstream.
If you install certifi from pip directly, you do not benefit from this patch, and the trust store bundled with certifi ends up being the one used. (I don't really know how this squares with what PEP 476 appears to suggest.)
With the snap, Certbot was built by sourcing packages directly from pip rather than from the Debian-provided package. As such, it uses certifi's trust store:
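Added example, not code from the thread or from Certbot: a small Python check for which CA bundle a requests-based client such as Certbot will verify against, whether that bundle is the Debian system store named above, and whether a given CA (say, the proxy's) is actually inside a bundle. It assumes requests' lookup order of REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi.where(); the certificate bytes and paths in the sample are constructed.

```python
import base64
import hashlib
import os
import re
from typing import Dict, Optional, Set

# Path the Debian-patched certifi returns (from the thread); unpatched certifi
# returns its own bundled cacert.pem instead.
DEBIAN_SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def effective_ca_bundle(env: Dict[str, str], certifi_where: Optional[str] = None) -> str:
    """CA bundle a requests client (Certbot included) verifies against.
    requests honours REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi.where().
    Pass certifi_where to reason about another install (e.g. a snap); None asks
    the local certifi."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return env[var]
    if certifi_where is None:
        import certifi  # the fallback requests itself uses
        certifi_where = certifi.where()
    return certifi_where

def uses_os_trust_store(bundle_path: str) -> bool:
    """True when the bundle is the Debian system store that apt and curl use."""
    return os.path.normpath(bundle_path) == DEBIAN_SYSTEM_BUNDLE

def bundle_fingerprints(pem_text: str) -> Set[str]:
    """SHA-256 fingerprints of every certificate in a PEM bundle."""
    fps = set()
    for b64 in _PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(b64.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def ca_present(ca_pem: str, bundle_pem: str) -> bool:
    """Is every certificate in ca_pem (e.g. the proxy's CA) in bundle_pem?"""
    wanted = bundle_fingerprints(ca_pem)
    return bool(wanted) and wanted <= bundle_fingerprints(bundle_pem)

def _fake_cert(label: bytes) -> str:
    # Constructed stand-in: only the bytes' fingerprint matters for this check.
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(label).decode()
            + "\n-----END CERTIFICATE-----\n")

PROXY_CA_PEM = _fake_cert(b"constructed proxy CA")
PUBLIC_ROOT_PEM = _fake_cert(b"constructed public root")
```

On a real host, call effective_ca_bundle(dict(os.environ)) and feed the file it names to ca_present together with the proxy CA's PEM; if the bundle is certifi's own cacert.pem, the proxy CA will be missing, which is exactly the verify failure in the first post.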