It wasn’t just the format: chunks of output were missing! Let’s try again.
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/renewal.py", line 429, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 1154, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/local/lib/python2.7/site-packages/certbot/main.py", line 649, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 239, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/local/lib/python2.7/site-packages/certbot/client.py", line 50, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 721, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1054, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1003, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 445, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python2.7/site-packages/urllib3/connection.py", line 367, in connect
    cert = self.sock.getpeercert()
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 351, in getpeercert
    'subjectAltName': get_subj_alt_name(x509)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 202, in get_subj_alt_name
    ext = cert.extensions.get_extension_for_class(
  File "/usr/local/lib/python2.7/site-packages/cryptography/utils.py", line 159, in inner
    result = func(instance)
  File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/x509.py", line 134, in extensions
    self._backend, self._x509
  File "/usr/local/lib/python2.7/site-packages/cryptography/hazmat/backends/openssl/decode_asn1.py", line 235, in parse
    "parsed".format(oid)
ValueError: The <ObjectIdentifier(oid=1.3.6.1.4.1.11129.2.4.2, name=Unknown OID)> extension is invalid and can't be parsed
# pkg info py27-cryptography
py27-cryptography-2.1.4
Name : py27-cryptography
Version : 2.1.4
Installed on : Sun May 13 21:22:51 2018 BST
# pkg info py27-openssl
py27-openssl-17.5.0_1
Name : py27-openssl
Version : 17.5.0_1
Installed on : Mon Jan 29 11:56:24 2018 GMT
# openssl version
OpenSSL 1.0.2k-freebsd 26 Jan 2017
Now that looks rather old, so the guess might be right!
In fact, I wonder whether there are two types of OpenSSL on the system and it’s upgrading one but using the other?
# openssl x509 -noout -text -in /usr/local/etc/letsencrypt/archive/www.diversediversity.org.uk/fullchain5.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:6d:b2:3a:42:04:8a:77:f2:70:a8:f2:e7:07:f1:45:29:f7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Mar 31 23:33:20 2018 GMT
Not After : Jun 29 23:33:20 2018 GMT
Subject: CN=www.diversediversity.org.uk
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
B4:02:5C:0A:77:53:12:32:FE:6B:DF:25:C6:9F:64:22:7D:9D:A1:23
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:diversediversity.org.uk, DNS:diversity.kjpetrie.co.uk, DNS:www.diversediversity.org.uk, DNS:www.kjpetrie.co.uk
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : DB:74:AF:EE:CB:29:EC:B1:FE:CA:3E:71:6D:2C:E5:B9:
AA:BB:36:F7:84:71:83:C7:5D:9D:4F:37:B6:1F:BF:64
Timestamp : Apr 1 00:33:20.335 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:DF:39:7A:1E:B6:5A:22:A4:5C:DA:55:
08:72:84:8A:5F:45:8D:26:3D:3F:C9:61:C6:8A:75:2F:
4D:89:EA:0D:8A:02:21:00:CB:C5:49:AE:7E:9B:8D:04:
7B:9E:BF:02:DC:80:2F:2C:E2:E2:04:5F:9E:B5:E2:1F:
5B:8B:3B:F5:38:11:39:69
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Apr 1 00:33:20.355 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:A1:D5:48:68:EB:6E:2A:65:E4:E9:23:
29:52:88:AD:82:A8:CC:25:67:7A:7C:5D:CA:C5:27:7C:
DD:9B:E7:87:50:02:20:18:73:E5:FF:E6:EE:32:B8:34:
3C:75:8D:29:FB:01:23:57:10:83:E7:86:E7:06:39:17:
85:E9:64:95:36:2B:6E
Signature Algorithm: sha256WithRSAEncryption
Certbot was installed from a locally-built (using poudriere) package compiled from a FreeBSD port.
The command was:
# !certbot
certbot renew --dry-run
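The traceback dies inside cryptography's extension parser on OID 1.3.6.1.4.1.11129.2.4.2, which the certificate dump shows as the CT Precertificate SCTs extension. As an added example (not part of the original post), here is a stdlib-only OID codec and DER extension walker that lists a certificate's extension OIDs without going through the failing stack; the Extensions blob it parses is a constructed sample, not the real certificate.

```python
# Added example, not from the original post: a stdlib-only DER walk that lists extension
# OIDs, so the SCT OID from the traceback can be spotted without the failing cryptography stack.
SCT_OID = "1.3.6.1.4.1.11129.2.4.2"  # the OID certbot reported as "Unknown OID"

def encode_oid(dotted):
    """DER content bytes of a dotted OID: first two arcs merged, then base-128 groups."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        group = [v & 0x7F]
        while v >> 7:
            v >>= 7
            group.append(0x80 | (v & 0x7F))
        out.extend(reversed(group))
    return bytes(out)

def decode_oid(content):
    """Dotted form of DER OID content bytes (inverse of encode_oid)."""
    arcs, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 group
            arcs.append(v)
            v = 0
    first, second = (2, arcs[0] - 80) if arcs[0] >= 80 else divmod(arcs[0], 40)
    return ".".join(str(a) for a in [first, second] + arcs[1:])

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extension_oids(extensions_der):
    """OIDs of each Extension in a DER 'Extensions ::= SEQUENCE OF Extension'."""
    tag, seq, _ = _tlv(extensions_der, 0)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _tlv(seq, pos)  # Extension ::= SEQUENCE { extnID OID, ... }
        oids.append(decode_oid(_tlv(ext, 0)[1]))  # extnID is the first element
    return oids

def _der(tag, content):  # short-form length only; the constructed sample is under 128 bytes
    return bytes([tag, len(content)]) + content
SAMPLE_EXTENSIONS = _der(0x30, b"".join(  # constructed: keyUsage, subjectAltName, SCT list
    _der(0x30, _der(0x06, encode_oid(o)) + _der(0x04, b"\x04\x00"))
    for o in ("2.5.29.15", "2.5.29.17", SCT_OID)))
```

Feeding `extension_oids` the extensions SEQUENCE of a real certificate and testing for `SCT_OID` in the result tells you, before touching certbot, whether the certificate carries the extension that the cryptography 2.1.4 / OpenSSL 1.0.2 combination above refuses to parse.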