Certbot Fails To Retrieve EC Certificate With Error Code 1

Hello. I recently tried to enable ECDSA ciphers for my server and I proceeded to start the process of getting an EC key for my server. I went to install the certificate following a guide (https://jetmirshatri.com/dual-rsa-and-ecdsa-certificates-for-nginx-on-ubuntu-16-04/) and I adapted it for use in Apache. I followed all the instructions and managed to generate a private key and certificate signing request successfully, but when I go to submit the csr via certbot-auto, it fails with error code 1. It then tells me to upgrade Python PIP. I have already upgraded Python PIP to the latest version (8.1.2) and it still throws that error. Please help.

My domain is: spotlightsrule.gleeze.com

I ran these commands and they completed successfully (I have masked sensitive details):
openssl ecparam -genkey -name secp384r1 > "/etc/letsencrypt/live-ecdsa/spotlightsrule.gleeze.com/privkey-ecdsa.pem"
cd /etc/letsencrypt/live-ecdsa/spotlightsrule.gleeze.com/
sudo openssl req -new -sha256 -key privkey-ecdsa.pem -nodes -out request.csr -outform pem
-US
-*******
-*** ******
-*********
-*********
-spotlightsrule.gleeze.com
-*********@.com
cd ~

I ran this command to get the certificate (sensitive info masked):
./certbot-auto certonly -w /var/www/html/ -d spotlightsrule.gleeze.com --email "*********@.com" --csr "/etc/letsencrypt/live-ecdsa/spotlightsrule/request.csr" --agree-tos
I then got this output (it's quite big so I had to host it elsewhere):
https://spotlightsrule.gleeze.com/diagnostics/output/output.txt

My operating system is: Ubuntu 16.10

My web server is: Apache 2.4.23 with OpenSSL 1.1.0b

I use an SSH and SFTP client to login to my server and I have access to root.

How did you wind up with OpenSSL 1.1.0b in /usr/include/openssl? Ubuntu 16.10 ships with 1.0.2g, I believe.

From past posts, the Python cryptography module (or at least the version used by certbot) may not be compatible with OpenSSL 1.1. You may be better off with 1.0.2:

I compiled OpenSSL 1.1.0b from the sources by following this guide:

The only reason I wanted OpenSSL 1.1.0 was for ChaCha20 Poly1305, but I guess I’ll try the Cloudflare patch on 1.0.2g then. Thanks for the help

Upgrading an essential library like OpenSSL to a new major version system-wide is very dangerous, IMO. It’s one thing to install it in /opt and compile a couple tools like Nginx or curl against it. The whole system? Risky.

Putting things in /usr is also a little tricky to undo and will probably get weird next time Ubuntu releases a new minor update to their OpenSSL package.

Ok. I downgraded successfully to OpenSSL 1.0.2g by purging the libraries with apt-get, but I still get the same error about Python PIP. I did upgrade Python and I am using the latest version of Python PIP.
The error log is here: https://spotlightsrule.gleeze.com/diagnostics/output/l0g.txt

It appears that OpenSSL 1.1’s header files still exist in /usr/include/openssl.

Edit: Doing things with the openssl package would likely have ignored them, since they’re a part of openssl-dev.

I finally got my EC key successfully. I just had to reinstall. Thanks for the help :grinning:
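The key and CSR steps from the first post, and the header/library mismatch diagnosed in the replies, as one added shell script (not code from the thread or from certbot). It assumes the `openssl` CLI is on PATH; the domain and output directory are placeholders passed by the caller.

```sh
#!/bin/sh
# Added example: generate the P-384 key and CSR non-interactively for
# certbot --csr, verify the CSR belongs to the key, and report which OpenSSL
# the CLI, the headers and the Python 'cryptography' module actually see.
set -eu

# Generate a secp384r1 private key and a CSR for DOMAIN in OUTDIR.
# -subj replaces the interactive prompts the original poster answered by hand.
gen_ec_csr() {
    domain=$1; outdir=$2
    mkdir -p "$outdir"
    openssl ecparam -genkey -name secp384r1 -noout -out "$outdir/privkey-ecdsa.pem"
    openssl req -new -sha256 -key "$outdir/privkey-ecdsa.pem" \
        -subj "/CN=$domain" -out "$outdir/request.csr" -outform PEM
}

# Succeeds only if the public key inside the CSR equals the private key's public key.
csr_matches_key() {
    key_pub=$(openssl ec -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -pubkey -noout)
    [ "$key_pub" = "$csr_pub" ]
}

# Print the CSR's subject CN so you can confirm the domain went in correctly.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Show the OpenSSL each component uses: headers in /usr/include/openssl newer
# than the installed library is the mismatch that broke certbot-auto's pip build.
# (Run the python line with certbot's own virtualenv python to check that copy.)
report_openssl_versions() {
    echo "openssl CLI : $(openssl version)"
    if [ -r /usr/include/openssl/opensslv.h ]; then
        echo "headers     : $(grep -m1 OPENSSL_VERSION_TEXT /usr/include/openssl/opensslv.h)"
    else
        echo "headers     : /usr/include/openssl/opensslv.h not present"
    fi
    python3 -c 'from cryptography.hazmat.backends.openssl.backend import backend; print("cryptography:", backend.openssl_version_text())' 2>/dev/null \
        || echo "cryptography: Python module not importable"
}

# Usage: sh this_script.sh DOMAIN OUTDIR
if [ $# -eq 2 ]; then
    gen_ec_csr "$1" "$2"
    csr_matches_key "$2/privkey-ecdsa.pem" "$2/request.csr" && echo "CSR matches key"
    echo "CN=$(csr_cn "$2/request.csr")"
    report_openssl_versions
fi
```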
