Certbot fails with SSLError

Hello everyone.

I was setting up certificates for several domains and all went fine when Certbot suddenly started to throw this weird error:

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

acme-v02.api.letsencrypt.org redirects to proteus.info.at which is... a Parallels login portal?

ping acme-v02.api.letsencrypt.org
PING acme-v02.api.letsencrypt.org.eu ( 56(84) bytes of data.
64 bytes from proteus.info.at ( icmp_seq=1 ttl=52 time=16.9 ms

Then I ran curl:

curl -v https://acme-v02.api.letsencrypt.org/directory
* Expire in 200 ms for 4 (transfer 0x55cdc9c2ab70)
* Connected to acme-v02.api.letsencrypt.org ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And here I am :sweat_smile:

Everything is working fine on another server I own (I successfully issued certificates) and of course the ping result is different:


I wonder if the problem could be on my side and, if not, if there's any way to tell certbot to use a given ACME server?

I'm running certbot 1.13.0 on Debian 10.


That's a very weird IP address! If I connect to that IP address with the hostname for the API, I'm getting a certificate for proteus.info.at too?

It's not a redirect I think, I think it's an issue with your DNS. Perhaps you've got the hostname hardcoded in /etc/hosts?

Aaah, wait a minute... Where does that .eu come from in your ping command? That's not the TLD for Let's Encrypt? Should be .org.

Well, I don't know where it comes from, I assume it's automatically redirected at some level?

The curl command connects to the .org, same IP...

Hmm. I'm lost. No hardcoded stuff in my hosts and I tried using other DNS...

What does dig +trace acme-v02.api.letsencrypt.org say?

And nslookup acme-v02.api.letsencrypt.org and/or host acme-v02.api.letsencrypt.org?

1 Like

Maybe in a search directive in your /etc/resolv.conf or /etc/resolvconf? Like search eu for some reason?

A DHCP server can automatically add such directives to your DNS resolver configuration when giving you your IP address...

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.