Certbot fails with SSLError

Hello everyone.

I was setting up certificates for several domains and all went fine when Certbot suddenly started to throw this weird error:

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

acme-v02.api.letsencrypt.org redirects to proteus.info.at which is... a Parallels login portal?

ping acme-v02.api.letsencrypt.org
PING acme-v02.api.letsencrypt.org.eu (78.46.90.98) 56(84) bytes of data.
64 bytes from proteus.info.at (78.46.90.98): icmp_seq=1 ttl=52 time=16.9 ms

Then I ran curl:

curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 78.46.90.98...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55cdc9c2ab70)
* Connected to acme-v02.api.letsencrypt.org (78.46.90.98) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
*   CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

And here I am :sweat_smile:

Everything is working fine on another server I own (I successfully issued certificates) and of course the ping result is different:

ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com

I wonder if the problem could be on my side and, if not, if there's any way to tell certbot to use a given ACME server?

I'm running certbot 1.13.0 on Debian 10.

Thanks!

That's a very weird IP address! If I connect to that IP address with the hostname for the API, I'm getting a certificate for proteus.info.at too?

It's not a redirect I think, I think it's an issue with your DNS. Perhaps you've got the hostname hardcoded in /etc/hosts?

Edit:
Aaah, wait a minute... Where does that .eu come from in your ping command? That's not the TLD for Let's Encrypt? Should be .org.

Well, I don't know where it comes from, I assume it's automatically redirected at some level?

The curl command connects to the .org, same IP...

Hmm. I'm lost. No hardcoded stuff in my hosts and I tried using other DNS...

What does dig +trace acme-v02.api.letsencrypt.org say?

And nslookup acme-v02.api.letsencrypt.org and/or host acme-v02.api.letsencrypt.org?


Maybe in a search directive in your /etc/resolv.conf or /etc/resolvconf? Like search eu for some reason?

A DHCP server can automatically add such directives to your DNS resolver configuration when giving you your IP address...
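The search-directive explanation above can be checked without touching the network. The script below is an added example and not code from any poster in this thread; it models glibc's search-list behaviour (absolute name first when the name has at least `ndots` dots, then each `search` domain appended, and the reverse order for short names) over a constructed resolv.conf, and it parses the PING line quoted earlier in the thread to show that the canonical name the resolver returned is the requested name with a search domain appended. The function names and the sample resolv.conf are assumptions for this example only.

```python
"""Model how a resolver search list can turn acme-v02.api.letsencrypt.org
into acme-v02.api.letsencrypt.org.eu (added example, not from the thread)."""

import re

# Constructed /etc/resolv.conf, as a DHCP client might write it (assumption).
RESOLV_CONF = """\
# Generated by a DHCP client (constructed sample)
nameserver 192.0.2.53
search eu
options ndots:1
"""

# The PING line quoted in the original post.
PING_LINE = "PING acme-v02.api.letsencrypt.org.eu (78.46.90.98) 56(84) bytes of data."


def parse_resolv_conf(text):
    """Return (search_domains, ndots) from resolv.conf text.

    A later 'search' line replaces an earlier one; 'domain' is the older
    single-suffix form; 'options ndots:N' defaults to 1 when absent.
    """
    search, ndots = [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "search":
            search = args
        elif key == "domain":
            search = args[:1]
        elif key == "options":
            for opt in args:
                m = re.fullmatch(r"ndots:(\d+)", opt)
                if m:
                    ndots = int(m.group(1))
    return search, ndots


def candidate_names(name, search, ndots=1):
    """Order in which the stub resolver tries names for a lookup of `name`.

    A trailing dot makes the name absolute and disables the search list.
    With enough dots the absolute name is tried first and the suffixed
    variants are only tried if that lookup fails; a short name is suffixed first.
    """
    if name.endswith("."):
        return [name]
    suffixed = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        return [name] + suffixed
    return suffixed + [name]


def canonical_from_ping(line):
    """Extract (canonical name, address) from a 'PING host (addr) ...' line."""
    m = re.match(r"PING (\S+) \(([^)]+)\)", line)
    return (m.group(1), m.group(2)) if m else None


def detect_search_suffix(requested, canonical, search):
    """Return the search domain appended to `requested` to get `canonical`, else None."""
    requested = requested.rstrip(".").lower()
    canonical = canonical.rstrip(".").lower()
    for domain in search:
        if canonical == f"{requested}.{domain.lower()}":
            return domain
    return None


def diagnose(requested, resolv_text, ping_line):
    """Tie the pieces together: which suffix explains the name ping reported?"""
    search, ndots = parse_resolv_conf(resolv_text)
    canonical, addr = canonical_from_ping(ping_line)
    return {
        "tried_in_order": candidate_names(requested, search, ndots),
        "resolved_as": canonical,
        "address": addr,
        "appended_search_domain": detect_search_suffix(requested, canonical, search),
    }


if __name__ == "__main__":
    for key, value in diagnose("acme-v02.api.letsencrypt.org", RESOLV_CONF, PING_LINE).items():
        print(f"{key}: {value}")
```

With `ndots:1` the `.org` name is tried first, so the `.eu` variant is only reached when that first lookup fails; seeing the suffixed name in ping output therefore points at both the search directive and at something going wrong with the first lookup on the resolver path in use. The TLS failure in the curl output is the expected outcome: the host behind the suffixed name presents a certificate that does not chain to a trusted CA for this name, and certificate verification refuses it, which is exactly the protection you want rather than something to bypass.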
