Certbot Renewal Failure

My domain is: https://mail.klouded.org & https://www.klouded.org

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mail.klouded.org.conf


Failed to renew certificate mail.klouded.org with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))


Processing /etc/letsencrypt/renewal/www.klouded.org.conf


Failed to renew certificate www.klouded.org with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/mail.klouded.org/fullchain.pem (failure)
/etc/letsencrypt/live/www.klouded.org/fullchain.pem (failure)


2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx-mainline/1.21.6

The operating system my web server runs on is (include version):

Artix using OpenRC

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.29.0


logfile after certbot renew:

2022-09-06 10:55:26,688:DEBUG:certbot._internal.main:certbot version: 1.29.0
2022-09-06 10:55:26,689:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-09-06 10:55:26,689:DEBUG:certbot._internal.main:Arguments: []
2022-09-06 10:55:26,689:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-06 10:55:26,707:DEBUG:certbot._internal.log:Root logging level set at 30
2022-09-06 10:55:26,708:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/mail.klouded.org.conf
2022-09-06 10:55:26,729:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f2948c43b80> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f2948c43b80>
2022-09-06 10:55:26,749:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-09-06 10:55:26,831:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-09-06 10:55:26,832:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/mail.klouded.org/cert1.pem is signed by the certificate's issuer.
2022-09-06 10:55:26,832:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/mail.klouded.org/cert1.pem is: OCSPCertStatus.GOOD
2022-09-06 10:55:26,835:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-18 05:38:34 UTC.
2022-09-06 10:55:26,836:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-09-06 10:55:26,836:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer None
2022-09-06 10:55:27,887:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f2948d4fa30>
Prep: True
2022-09-06 10:55:27,887:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f2948d4fa30> and installer None
2022-09-06 10:55:27,887:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer None
2022-09-06 10:55:27,897:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/497040490', new_authzr_uri=None, terms_of_service=None), 625a2b3a50411dbb97cbda50d8b11c92, Meta(creation_dt=datetime.datetime(2022, 4, 14, 14, 32, 16, tzinfo=<UTC>), creation_host='kerry-ms7721', register_to_eff=None))>
2022-09-06 10:55:27,898:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-09-06 10:55:27,899:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-09-06 10:55:28,048:ERROR:certbot._internal.renewal:Failed to renew certificate mail.klouded.org with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))
2022-09-06 10:55:28,051:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1539, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 832, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 311, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 76, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 880, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1242, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1180, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

2022-09-06 10:55:28,052:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/www.klouded.org.conf
2022-09-06 10:55:28,070:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-09-06 10:55:28,186:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-09-06 10:55:28,187:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/www.klouded.org/cert2.pem is signed by the certificate's issuer.
2022-09-06 10:55:28,188:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/www.klouded.org/cert2.pem is: OCSPCertStatus.GOOD
2022-09-06 10:55:28,189:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-17 03:02:33 UTC.
2022-09-06 10:55:28,189:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-09-06 10:55:28,189:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2022-09-06 10:55:29,209:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f2948adc940>
Prep: True
2022-09-06 10:55:29,209:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f2948adc940>
Prep: True
2022-09-06 10:55:29,210:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f2948adc940> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f2948adc940>
2022-09-06 10:55:29,210:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2022-09-06 10:55:29,219:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/497040490', new_authzr_uri=None, terms_of_service=None), 625a2b3a50411dbb97cbda50d8b11c92, Meta(creation_dt=datetime.datetime(2022, 4, 14, 14, 32, 16, tzinfo=<UTC>), creation_host='kerry-ms7721', register_to_eff=None))>
2022-09-06 10:55:29,220:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-09-06 10:55:29,221:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-09-06 10:55:29,377:ERROR:certbot._internal.renewal:Failed to renew certificate www.klouded.org with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))
2022-09-06 10:55:29,378:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1539, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 832, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 311, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 76, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 880, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1242, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1180, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

2022-09-06 10:55:29,380:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-09-06 10:55:29,381:ERROR:certbot._internal.renewal:All renewals failed. The following certificates could not be renewed:
2022-09-06 10:55:29,381:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/mail.klouded.org/fullchain.pem (failure)
  /etc/letsencrypt/live/www.klouded.org/fullchain.pem (failure)
2022-09-06 10:55:29,381:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-09-06 10:55:29,381:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.10/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1630, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)
2022-09-06 10:55:29,382:ERROR:certbot._internal.log:2 renew failure(s), 0 parse failure(s)

nginx.conf:

#user http;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    types_hash_max_size    4096;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;


    server {
        listen 127.0.0.1;
        server_name localhost;
        access_log /var/log/nginx/localhost.access_log;
        error_log /var/log/nginx/localhost.error_log info;
        root /usr/share/nginx/html;
    }

    server {
        server_name   www.klouded.org;
        #access_log  logs/host.access.log  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }


        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/www.klouded.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.klouded.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

        ssl_trusted_certificate /etc/letsencrypt/live/www.klouded.org/chain.pem; # managed by Certbot
        ssl_stapling on; # managed by Certbot
        ssl_stapling_verify on; # managed by Certbot
    }


    server {
        if ($host = www.klouded.org) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen       80;
        server_name   www.klouded.org;
        return 404; # managed by Certbot
    }

include /etc/nginx/conf.d/*.conf;

}

/conf.d/mail.klouded.org.conf:

server {
      listen 80;
      listen [::]:80;
      server_name mail.klouded.org;

      root /usr/share/nginx/html/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

and I've tried for mail.klouded.org.conf:

server {
      listen 443;
      listen [::]:443;
      server_name mail.klouded.org;

      root /usr/share/nginx/html/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

How did you install Certbot? Using Artix's own package manager?

4 Likes

Yes: pacman -S certbot

Please show:
curl -Ii https://acme-v02.api.letsencrypt.org/directory

3 Likes

I think we're getting somewhere!

curl -Ii https://acme-v02.api.letsencrypt.org/directory returns:

HTTP/2 200
server: nginx
date: Tue, 06 Sep 2022 19:21:11 GMT
content-type: application/json
content-length: 672
cache-control: public, max-age=0, no-cache
replay-nonce: 0101hqcmGWlNxrtAiT9DJ0u6YAaqklMLsPbP0IRjyfKW6bI
x-frame-options: DENY
strict-transport-security: max-age=604800

Certbot uses the Python library requests which uses the Python library certifi as root certificate store. Could you perhaps check your installed version of the certifi library on your OS for us?

4 Likes
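
Added example (not part of the thread, and not Certbot's own code): a triage script for the situation above, where curl reaches the ACME directory but Certbot's Python stack fails verification. It pulls the failing host and OpenSSL reason out of letsencrypt.log, then reports which CA bundle requests would verify against and whether that bundle and Python's OpenSSL default contain "ISRG Root X1". The function names and the sample log line are constructed for illustration; it assumes requests' usual lookup order (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi).

```python
"""Trust-store triage for certbot CERTIFICATE_VERIFY_FAILED (added example)."""
import os
import re
import ssl

# Constructed sample: one ERROR line in the shape of the log posted in the thread.
SAMPLE_LOG = (
    "2022-09-06 10:55:28,048:ERROR:certbot._internal.renewal:Failed to renew "
    "certificate mail.klouded.org with error: HTTPSConnectionPool("
    "host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with "
    "url: /directory (Caused by SSLError(SSLCertVerificationError(1, "
    "'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get "
    "issuer certificate (_ssl.c:997)')))\n"
)

_FAIL = re.compile(
    r"HTTPSConnectionPool\(host='(?P<host>[^']+)', port=(?P<port>\d+)\).*?"
    r"certificate verify failed: (?P<reason>[^(]+?) \(_ssl\.c:\d+\)"
)


def verify_failures(log_text):
    """Return sorted unique (host, port, reason) tuples for TLS verify failures."""
    found = set()
    for line in log_text.splitlines():
        m = _FAIL.search(line)
        if m:
            found.add((m["host"], int(m["port"]), m["reason"]))
    return sorted(found)


def installed_certifi_path():
    """Path of certifi's cacert.pem, or None when certifi is not importable."""
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def requests_bundle(env, certifi_path):
    """(source, path) requests verifies against: env override first, else certifi."""
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return var, env[var]
    return "certifi", certifi_path


def bundle_summary(path, wanted_cn="ISRG Root X1"):
    """Load a PEM bundle; report its CA count and whether wanted_cn is a subject CN."""
    summary = {"path": path, "exists": False, "ca_count": 0, "has_wanted": False}
    if not path or not os.path.isfile(path):
        return summary
    summary["exists"] = True
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # ssl.SSLError is a subclass: unreadable or no PEM certs inside
        return summary
    ca_certs = ctx.get_ca_certs()
    names = {
        value
        for cert in ca_certs
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    }
    summary["ca_count"] = len(ca_certs)
    summary["has_wanted"] = wanted_cn in names
    return summary


def report(log_text, env=os.environ):
    """Combine the log findings with the state of both Python-side trust stores."""
    source, path = requests_bundle(env, installed_certifi_path())
    return {
        "failures": verify_failures(log_text),
        "requests_source": source,
        "requests_bundle": bundle_summary(path),
        "openssl_default": bundle_summary(ssl.get_default_verify_paths().cafile),
    }


if __name__ == "__main__":
    log_path = "/var/log/letsencrypt/letsencrypt.log"
    try:
        with open(log_path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_LOG  # fall back to the constructed line when the log is unreadable
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

Run it with the same interpreter and user that Certbot runs as, since the environment variables and the importable certifi can differ between root and an unprivileged shell.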

It was not installed! So I installed python-certifi-2022.06.15-1, rebooted and tried again:

sudo certbot renew --dry-run
[sudo] password for kerry:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.klouded.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate mail.klouded.org with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.klouded.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate www.klouded.org with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All simulated renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mail.klouded.org/fullchain.pem (failure)
  /etc/letsencrypt/live/www.klouded.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
klouded:[kerry]:~$ sudo cat /var/log/letsencrypt/letsencrypt.log
2022-09-06 15:57:47,017:DEBUG:certbot._internal.main:certbot version: 1.29.0
2022-09-06 15:57:47,018:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-09-06 15:57:47,018:DEBUG:certbot._internal.main:Arguments: ['--dry-run']
2022-09-06 15:57:47,018:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-06 15:57:47,044:DEBUG:certbot._internal.log:Root logging level set at 30
2022-09-06 15:57:47,045:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/mail.klouded.org.conf
2022-09-06 15:57:47,067:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7fb9ea5ffc10> and installer <certbot._internal.cli.cli_utils._Default object at 0x7fb9ea5ffc10>
2022-09-06 15:57:47,067:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2022-09-06 15:57:47,067:DEBUG:certbot._internal.cli:Var server={'dry_run', 'staging'} (set by user).
2022-09-06 15:57:47,067:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2022-09-06 15:57:47,067:DEBUG:certbot._internal.cli:Var server={'dry_run', 'staging'} (set by user).
2022-09-06 15:57:47,067:DEBUG:certbot._internal.cli:Var account={'server'} (set by user).
2022-09-06 15:57:47,090:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-09-06 15:57:47,180:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-09-06 15:57:47,182:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/mail.klouded.org/cert1.pem is signed by the certificate's issuer.
2022-09-06 15:57:47,183:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/mail.klouded.org/cert1.pem is: OCSPCertStatus.GOOD
2022-09-06 15:57:47,190:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-18 05:38:34 UTC.
2022-09-06 15:57:47,190:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-09-06 15:57:47,190:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer None
2022-09-06 15:57:48,228:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fb9ea73b7c0>
Prep: True
2022-09-06 15:57:48,228:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fb9ea73b7c0> and installer None
2022-09-06 15:57:48,228:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer None
2022-09-06 15:57:48,398:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2022-09-06 15:57:48,402:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2022-09-06 15:57:48,563:ERROR:certbot._internal.renewal:Failed to renew certificate mail.klouded.org with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))
2022-09-06 15:57:48,567:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1539, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 827, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 735, in _determine_account
    acc, acme = client.register(
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 216, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 76, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 880, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1242, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1180, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

2022-09-06 15:57:48,569:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/www.klouded.org.conf
2022-09-06 15:57:48,571:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2022-09-06 15:57:48,571:DEBUG:certbot._internal.cli:Var server={'dry_run', 'staging'} (set by user).
2022-09-06 15:57:48,571:DEBUG:certbot._internal.cli:Var dry_run=True (set by user).
2022-09-06 15:57:48,571:DEBUG:certbot._internal.cli:Var server={'dry_run', 'staging'} (set by user).
2022-09-06 15:57:48,571:DEBUG:certbot._internal.cli:Var account={'server'} (set by user).
2022-09-06 15:57:48,593:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-09-06 15:57:48,727:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-09-06 15:57:48,728:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/www.klouded.org/cert2.pem is signed by the certificate's issuer.
2022-09-06 15:57:48,729:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/www.klouded.org/cert2.pem is: OCSPCertStatus.GOOD
2022-09-06 15:57:48,730:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2022-09-17 03:02:33 UTC.
2022-09-06 15:57:48,730:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2022-09-06 15:57:48,730:DEBUG:certbot._internal.plugins.selection:Requested authenticator nginx and installer nginx
2022-09-06 15:57:49,738:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fb9ea55d090>
Prep: True
2022-09-06 15:57:49,738:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fb9ea55d090>
Prep: True
2022-09-06 15:57:49,738:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fb9ea55d090> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7fb9ea55d090>
2022-09-06 15:57:49,738:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2022-09-06 15:57:49,815:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2022-09-06 15:57:49,816:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
2022-09-06 15:57:49,973:ERROR:certbot._internal.renewal:Failed to renew certificate www.klouded.org with error: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))
2022-09-06 15:57:49,974:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 484, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1539, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 827, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 735, in _determine_account
    acc, acme = client.register(
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 216, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/client.py", line 76, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 880, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1242, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.10/site-packages/acme/client.py", line 1180, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.10/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:997)')))

2022-09-06 15:57:49,975:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-09-06 15:57:49,976:ERROR:certbot._internal.renewal:All simulated renewals failed. The following certificates could not be renewed:
2022-09-06 15:57:49,976:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/mail.klouded.org/fullchain.pem (failure)
  /etc/letsencrypt/live/www.klouded.org/fullchain.pem (failure)
2022-09-06 15:57:49,976:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-09-06 15:57:49,976:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.10/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1744, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/main.py", line 1630, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.10/site-packages/certbot/_internal/renewal.py", line 510, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 2 renew failure(s), 0 parse failure(s)
2022-09-06 15:57:49,977:ERROR:certbot._internal.log:2 renew failure(s), 0 parse failure(s)

Huh, weird, requests should have depended on that library. Which version of requests is installed?

3 Likes

sudo pacman -S python-requests
warning: python-requests-2.28.1-1 is up to date -- reinstalling
resolving dependencies...
looking for conflicting packages...

Packages (1) python-requests-2.28.1-1

Total Installed Size: 0.45 MiB
Net Upgrade Size: 0.00 MiB

:: Proceed with installation? [Y/n] n
klouded:[kerry]:~$

Hm, that's up to date.

I assumed requests would use certifi, but apparently it didn't, but it should. Maybe your requests uses the distribution root store? I dunno, very weird.

3 Likes

Solved!!!

Thank you to Osiris and rg305 for your help! I've been trying to fix this for over a month. While we didn't solve the problem directly, your help was invaluable. You let me know that certbot was probably installed correctly. What I did was force uninstall (pacman -Sdd) ca-certificates, ca-certificates-mozilla, ca-certificates and probably some unnecessary programs. Then I deleted the entire /etc/ca-certificates directory, rebooted (couldn't hurt), reinstalled everything and voila, it all worked.

I think some heavy-duty docker installs (that have long since been uninstalled and/or deleted) messed things up, but I'm not sure. Bare metal all the way, baby!

Thank you again - I am so freakin' happy right now!

3 Likes
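A check for the situation discussed above, as an added example that is not part of the original thread: it lists the CA bundle files Python's TLS stack may pick up and tries to load each one the way a client would. The function names are hypothetical; only the standard library is used, and certifi is read only if it happens to be installed.

```python
import os
import ssl


def candidate_bundles():
    """Return (source, path) pairs for CA files Python TLS clients may use."""
    paths = ssl.get_default_verify_paths()
    found = [
        ("env REQUESTS_CA_BUNDLE", os.environ.get("REQUESTS_CA_BUNDLE")),
        ("env " + paths.openssl_cafile_env, os.environ.get(paths.openssl_cafile_env)),
        ("OpenSSL default cafile", paths.openssl_cafile),
    ]
    try:
        import certifi  # optional; requests normally reads its bundle from here
        found.append(("certifi.where()", certifi.where()))
    except ImportError:
        pass
    return [(src, p) for src, p in found if p]


def audit_bundle(path):
    """Try to load one CA file the way a TLS client would and report on it."""
    report = {"path": path, "pem_blocks": 0, "loaded": 0, "ok": False, "error": None}
    try:
        with open(path, "rb") as fh:
            report["pem_blocks"] = fh.read().count(b"-----BEGIN CERTIFICATE-----")
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=path)
        report["loaded"] = ctx.cert_store_stats()["x509"]
        report["ok"] = report["loaded"] > 0
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        report["error"] = f"{type(exc).__name__}: {exc}"
    return report


if __name__ == "__main__":
    for source, path in candidate_bundles():
        r = audit_bundle(path)
        state = "OK" if r["ok"] else "BROKEN"
        print(f"{state:6} {source}: {path} "
              f"(pem_blocks={r['pem_blocks']}, loaded={r['loaded']}, error={r['error']})")
```

A bundle that loads can still lack the issuer the server's chain needs, so "OK" here only rules out a missing, empty or corrupt file.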

Hm, glad you've got it fixed, although I don't really understand how 😛

4 Likes

It's step #2 in the 99% fixer guide:
Step #1 reboot [fixes 90% of problems]
Step #2 reformat [fixes 90% of (remaining) problems]
LOL

2 Likes

That's just in the case of Windows 😉

3 Likes