The certificate has expired, and the command certbot renew fails.
The following message appears.
Asking for help, very grateful.
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/mail.shinymark.com.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Attempting to renew cert (mail.shinymark.com) from /etc/letsencrypt/renewal/mail.shinymark.com.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1045)'))). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.shinymark.com/fullchain.pem (failure)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.shinymark.com/fullchain.pem (failure)
==================================================================
curl -v https://acme-v02.api.letsencrypt.org/directory
Trying 172.65.32.248...
TCP_NODELAY set
Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (OUT), TLS alert, unknown CA (560):
SSL certificate problem: unable to get local issuer certificate
Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
rg305
December 15, 2021, 6:40am
Hi @clicedean and welcome to the LE community forum
It seems that your server's ca-certificates may be in need of an update.
OR
certbot itself may also need to be updated.
My operating system is Fedora 29; these two packages are already up to date:
ca-certificates-2018.2.26-2.fc29.noarch
certbot-0.39.0-1.fc29.noarch
Can you elaborate more?
Thank you very much.
# curl -vk https://acme-v02.api.letsencrypt.org/directory
Trying 172.65.32.248...
TCP_NODELAY set
Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Certificate (11):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, CERT verify (15):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Finished (20):
TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
TLSv1.3 (OUT), TLS handshake, [no content] (0):
TLSv1.3 (OUT), TLS handshake, Finished (20):
SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
ALPN, server accepted to use h2
Server certificate:
subject: CN=acme-v02.api.letsencrypt.org
start date: Nov 29 06:20:11 2021 GMT
expire date: Feb 27 06:20:10 2022 GMT
issuer: C=US; O=Let's Encrypt; CN=R3
SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
Using HTTP2, server supports multi-use
Connection state changed (HTTP/2 confirmed)
Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
TLSv1.3 (OUT), TLS app data, [no content] (0):
TLSv1.3 (OUT), TLS app data, [no content] (0):
TLSv1.3 (OUT), TLS app data, [no content] (0):
Using Stream ID: 1 (easy handle 0x55f5ea6a3720)
TLSv1.3 (OUT), TLS app data, [no content] (0):
GET /directory HTTP/2
Host: acme-v02.api.letsencrypt.org
User-Agent: curl/7.61.1
Accept: */*
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
TLSv1.3 (IN), TLS handshake, [no content] (0):
TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
TLSv1.3 (IN), TLS app data, [no content] (0):
Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
TLSv1.3 (OUT), TLS app data, [no content] (0):
TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 200
< server: nginx
< date: Wed, 15 Dec 2021 07:56:11 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"oD2e6DdItBk": "Adding random entries to the directory",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
Connection #0 to host acme-v02.api.letsencrypt.org left intact
}[root@mail31 certs]#
rg305
December 15, 2021, 9:21am
Please show:
grep -E 'ISRG|DST|jh5Xos1AnX5iItreGCc|AKX1H7GNNLOEADksd86wuoXvg|SYKEBpsr6GtPAQw4dy753ec5' \
/etc/pki/tls/certs/ca-bundle.crt
At most, it should return only:
/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNaAl6k
# ISRG Root X1
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
I executed the following command and got the following result. Is this correct?
# grep -E 'ISRG|DST|jh5Xos1AnX5iItreGCc|AKX1H7GNNLOEADksd86wuoXvg|SYKEBpsr6GtPAQw4dy753ec5' \
> /etc/pki/tls/certs/ca-bundle.crt
Issuer: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
Subject: C=US, O=Digital Signature Trust, OU=DST ACES, CN=DST ACES CA X6
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E1
DirName: C = US, O = Digital Signature Trust Co., OU = DSTCA E1, CN = CRL1
Issuer: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
Subject: C=US, O=Digital Signature Trust Co., OU=DSTCA E2
DirName: C = US, O = Digital Signature Trust Co., OU = DSTCA E2, CN = CRL1
/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNaAl6k
rg305
December 15, 2021, 9:37am
Where is the "ISRG Root X1" cert?
That seems to be the problem.
This entry is missing:
# ISRG Root X1
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----
So what should I do now?
Please teach me a bit, thank you.
rg305
December 15, 2021, 9:59am
It seems this is "defective" OR has been altered (to omit the "ISRG Root X1" cert):
I'd get the cert directly from LE (trust no one - not even me - LOL).
You can get it on this page:
Chain of Trust - Let's Encrypt (letsencrypt.org)
at this link (therein):
https://letsencrypt.org/certs/letsencryptauthorityx1.pem
Then I would add it to the file:
/etc/pki/tls/certs/ca-bundle.crt
OR
Search for other "simpler solutions" to this problem on the web or on a Fedora forum.
MikeMcQ
December 15, 2021, 3:02pm
That output does not look normal. The ca-bundle.crt file is usually just .pem encoded certs with a one line comment with its name before each one.
Have you done sudo update-ca-trust? Can you, and what does it show?
Also, try this:
trust list | grep -Ei 'ISRG Root|DST Root|AAA'
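A way to audit the bundle for the roots this chain needs, as an added example that is not part of the thread and is not certbot's or Fedora's code. It assumes the layout MikeMcQ describes (a one-line "# Name" comment before each PEM block), parses the bundle, flags any text that sits outside a PEM block (the kind of "Issuer:" line grep surfaced above), and looks for ISRG Root X1 by SHA-256 fingerprint of the DER bytes rather than by its label, so a relabelled or altered entry is reported as a mismatch instead of passing. The fingerprint constant is the published value for the self-signed ISRG Root X1; confirm it against https://letsencrypt.org/certs/isrgrootx1.pem with openssl x509 -noout -fingerprint -sha256 before relying on it. The sample bundle at the bottom is constructed filler, not real certificates, so the script runs without touching the system.

```python
"""Audit a ca-bundle.crt-style trust bundle for the roots a Let's Encrypt
chain needs.  Added example for this thread; not code from the forum,
certbot or Fedora.  Assumes the layout '# Name' comment + PEM block."""
import base64
import hashlib
import sys
from dataclasses import dataclass

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Published SHA-256 fingerprint of the self-signed ISRG Root X1 certificate.
# Verify against https://letsencrypt.org/certs/isrgrootx1.pem before use.
ISRG_ROOT_X1_SHA256 = "96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6"


@dataclass
class BundleEntry:
    name: str      # text of the '# ...' comment preceding the block ('' if none)
    body_b64: str  # base64 payload between BEGIN and END, newlines removed

    def sha256_fingerprint(self) -> str:
        """Hex SHA-256 over the DER bytes: what `openssl x509 -fingerprint
        -sha256` prints, without the colons."""
        return hashlib.sha256(base64.b64decode(self.body_b64)).hexdigest()


def parse_bundle(text: str):
    """Split bundle text into certificate entries.

    Returns (entries, stray).  `stray` holds non-empty lines that are neither
    '#' comments nor inside a PEM block; a healthy bundle yields none, so
    anything listed there deserves a look."""
    entries, stray = [], []
    name, body, inside = "", [], False
    for raw in text.splitlines():
        line = raw.strip()
        if inside:
            if line == PEM_END:
                entries.append(BundleEntry(name, "".join(body)))
                name, body, inside = "", [], False
            elif line:
                body.append(line)
            continue
        if line == PEM_BEGIN:
            inside = True
        elif line.startswith("#"):
            name = line.lstrip("#").strip()
        elif line:
            stray.append(line)
    return entries, stray


def check_roots(entries, required: dict):
    """required maps a root's label to its expected SHA-256 hex fingerprint,
    or None to check presence by label only.  Returns (missing, mismatched):
    a label whose bytes do not match the expected fingerprint is 'mismatched'
    (altered or wrong cert under that name), an absent root is 'missing'."""
    by_fp = {e.sha256_fingerprint() for e in entries}
    by_name = {e.name for e in entries}
    missing, mismatched = [], []
    for name, expected in required.items():
        expected = expected.lower() if expected else None
        if expected and expected in by_fp:
            continue  # present under any label
        if name in by_name:
            if expected:
                mismatched.append(name)  # label present, wrong bytes
            continue
        missing.append(name)
    return missing, mismatched


def audit(text: str, isrg_fp: str = ISRG_ROOT_X1_SHA256) -> dict:
    """Full report for one bundle: entry count, labels, stray text, and
    which of the roots relevant to this thread are missing or mismatched."""
    entries, stray = parse_bundle(text)
    missing, mismatched = check_roots(
        entries, {"ISRG Root X1": isrg_fp, "DST Root CA X3": None})
    return {"count": len(entries), "names": [e.name for e in entries],
            "stray": stray, "missing": missing, "mismatched": mismatched}


def fake_entry(name: str, payload: bytes) -> str:
    """One '# name' + PEM block made from filler bytes (constructed; not a
    real certificate, just valid base64 so parsing and hashing run)."""
    return f"# {name}\n{PEM_BEGIN}\n{base64.b64encode(payload).decode()}\n{PEM_END}\n"


# Constructed sample: ISRG Root X1 absent, one stray openssl-style text line.
SAMPLE_BUNDLE = (
    fake_entry("DST Root CA X3", b"constructed DST Root CA X3 filler")
    + "Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3\n"
    + fake_entry("Some Other Root", b"constructed filler for another root")
)

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for key, value in audit(source).items():
        print(f"{key}: {value}")
```

Run it against the real file with the path as the first argument (the script name is whatever you save it as). On Fedora the bundle at /etc/pki/tls/certs/ca-bundle.crt is generated by update-ca-trust, so an extra anchor belongs in /etc/pki/ca-trust/source/anchors/ followed by a run of update-ca-trust rather than a hand edit of ca-bundle.crt, which the next regeneration would overwrite.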
system
Closed
January 14, 2022, 3:03pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.