Certbot Fails? SSL routines fail?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

papaya.moe

I ran this command:

certbot --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): g@gmail.com
From cffi callback <function _verify_callback at 0x757cc540>:
Traceback (most recent call last):
File “/usr/local/lib/python3.5/dist-packages/OpenSSL/SSL.py”, line 309, in wrapper
_lib.X509_up_ref(x509)
AttributeError: module ‘lib’ has no attribute ‘X509_up_ref’
An unexpected error occurred:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 417, in wrap_socket
cnx.do_handshake()
File “/usr/local/lib/python3.5/dist-packages/OpenSSL/SSL.py”, line 1915, in do_handshake
self._raise_ssl_error(self._ssl, result)
File “/usr/local/lib/python3.5/dist-packages/OpenSSL/SSL.py”, line 1647, in _raise_ssl_error
_raise_current_error()
File “/usr/local/lib/python3.5/dist-packages/OpenSSL/_util.py”, line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 594, in urlopen
chunked=chunked)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 350, in _make_request
self._validate_conn(conn)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 837, in _validate_conn
conn.connect()
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 323, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 424, in wrap_socket
raise ssl.SSLError(‘bad handshake: %r’ % e)
ssl.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 423, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 624, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘tls_process_server_certificate’, ‘certificate verify failed’)],)”,)
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):

nginx

The operating system my web server runs on is (include version):
Raspbian

My hosting provider, if applicable, is:

Self hosted

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes I can login with the root account.

I’m using a control panel to manage my site (no, or provide the name and version of
the control panel):

No I am logged directly into the machine

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

1 Like

According to a GitHub issue, that error happens when you have an old version of the Python cryptography library and a new version of pyOpenSSL.

It looks like you have a custom installation of pyOpenSSL. Do you know why? Would it be okay to remove it and rely on the OS package instead? That's probably older but also probably compatible with everything else installed.

2 Likes
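
An added example, not part of the thread or of Certbot: a small Python check that reads the `File` lines of a traceback like the one in the first post and lists packages loaded from `/usr/local` while other frames come from the distribution's `/usr/lib` tree, which is how the custom pyOpenSSL shows up here. The function names are made up for this sketch, and it assumes the Debian/Raspbian layout where system-wide pip installs land under `/usr/local/lib/pythonX.Y/dist-packages`.

```python
import re
from collections import defaultdict

# Excerpt of the traceback from the first post (typographic quotes as pasted there).
SAMPLE = """\
File “/usr/local/lib/python3.5/dist-packages/OpenSSL/SSL.py”, line 309, in wrapper
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 417, in wrap_socket
File “/usr/local/lib/python3.5/dist-packages/OpenSSL/SSL.py”, line 1915, in do_handshake
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 423, in send
"""

# File "<root>/(dist|site)-packages/<package>/...", with straight or curly quotes.
FRAME = re.compile(
    r'File\s+["“](?P<root>/.+?/(?:dist|site)-packages)/(?P<pkg>[^/"”]+)'
)


def packages_by_root(traceback_text):
    """Map each install root in the traceback to the top-level packages loaded from it."""
    roots = defaultdict(set)
    for m in FRAME.finditer(traceback_text):
        pkg = m.group("pkg")
        if pkg.endswith(".py"):  # single-file module, e.g. six.py
            pkg = pkg[:-3]
        roots[m.group("root")].add(pkg)
    return dict(roots)


def local_overrides(traceback_text):
    """Packages loaded from /usr/local while other frames come from /usr/lib.

    Assumption: Debian-style layout (pip as root -> /usr/local, apt -> /usr/lib).
    Returns an empty list when nothing from the distribution tree is involved.
    """
    local, distro = set(), set()
    for root, pkgs in packages_by_root(traceback_text).items():
        if root.startswith("/usr/local/"):
            local |= pkgs
        elif root.startswith("/usr/lib/"):
            distro |= pkgs
    return sorted(local) if distro else []


if __name__ == "__main__":
    for name in local_overrides(SAMPLE):
        print("loaded from /usr/local, shadows any OS package:", name)
```
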

I will try to uninstall it and use a default version. I didn’t realise I was using a custom version. I will post back with results.

1 Like
