Certbot renewal [SSL: CERTIFICATE_VERIFY_FAILED]


#1

Hi all, I forgot about renewing the certificate since automating it in crontab

15 3 * * * /usr/bin/certbot renew --quiet

and the date expired. How can I update the certificate or install a new one? I deleted the next.example.com certificate, updated openssl, updated certbot and tried:

certbot --nginx -d next.exapmle.com
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
Please see the logfiles in /var/log/letsencrypt for more details.

 $ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/youtrack.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (youtrack.example.com) from /etc/letsencrypt/renewal/youtrack.example.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Processing /etc/letsencrypt/renewal/gitlab.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (gitlab.example.com) from /etc/letsencrypt/renewal/gitlab.example.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Processing /etc/letsencrypt/renewal/office.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (office.example.com) from /etc/letsencrypt/renewal/office.example.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/youtrack.example.com/fullchain.pem (failure)
  /etc/letsencrypt/live/gitlab.example.com/fullchain.pem (failure)
  /etc/letsencrypt/live/office.example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/youtrack.example.com/fullchain.pem (failure)
  /etc/letsencrypt/live/gitlab.example.com/fullchain.pem (failure)
  /etc/letsencrypt/live/office.example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
3 renew failure(s), 0 parse failure(s)
 $ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: youtrack.example.com
    Domains: youtrack.example.com
    Expiry Date: 2018-07-27 12:36:32+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/youtrack.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/youtrack.example.com/privkey.pem
  Certificate Name: gitlab.example.com
    Domains: gitlab.example.com
    Expiry Date: 2018-07-25 08:20:31+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/gitlab.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gitlab.example.com/privkey.pem
  Certificate Name: office.example.com
    Domains: office.example.com
    Expiry Date: 2018-08-01 11:50:33+00:00 (VALID: 1 day)
    Certificate Path: /etc/letsencrypt/live/office.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/office.example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 $ openssl version
OpenSSL 1.1.0h  27 Mar 2018

 $ certbot --version
certbot 0.26.1

#2
curl -X GET -I -m 10 https://acme-v02.api.letsencrypt.org/directory

#3
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 31 Jul 2018 11:20:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 31 Jul 2018 11:20:32 GMT
Connection: keep-alive

#4

Huh, must be Python then. Could you post your full /var/log/letsencrypt/letsencrypt.log file? It will show the actual stack trace of the error with context.

Maybe try this too

python -c "import requests; print(requests.get('https://acme-v02.api.letsencrypt.org/directory').text)"

#5
 $ python -c "import requests; print(requests.get('https://acme-v02.api.letsencrypt.org/directory').text)"
{
  "YQ69guuCXqg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

The full log is very big (added in a gist)

full log

2018-07-31 14:05:47,300:DEBUG:certbot.main:certbot version: 0.26.1
2018-07-31 14:05:47,301:DEBUG:certbot.main:Arguments: []
2018-07-31 14:05:47,301:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-07-31 14:05:47,308:DEBUG:certbot.log:Root logging level set at 20
2018-07-31 14:05:47,308:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-07-31 14:05:47,309:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2018-07-31 14:05:47,375:DEBUG:certbot_apache.configurator:Apache version is 2.4.18
2018-07-31 14:05:47,615:DEBUG:certbot.plugins.disco:Other error:(PluginEntryPoint#apache): There has been an error in parsing the file /etc/apache2/sites-enabled/dev1.conf on line 59: Syntax error
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/plugins/disco.py", line 132, in prepare
    self._initialized.prepare()
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 232, in prepare
    self.check_parsing_errors("httpd.aug")
  File "/usr/lib/python3/dist-packages/certbot_apache/augeas_configurator.py", line 77, in check_parsing_errors
    raise errors.PluginError(msg)
certbot.errors.PluginError: There has been an error in parsing the file /etc/apache2/sites-enabled/dev1.conf on line 59: Syntax error
2018-07-31 14:05:47,956:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f0ca31b8e10>
Prep: True
2018-07-31 14:05:47,957:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f0ca31b8e10> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f0ca31b8e10>
2018-07-31 14:05:47,957:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2018-07-31 14:05:47,973:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', terms_of_service_agreed=None, status='valid', only_return_existing=None, contact=('mailto:systemn17088@gmail.com',), key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f0ca23efd30>)>)), terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', uri='https://acme-v01.api.letsencrypt.org/acme/reg/33367830'), 6f419180203c40a6b29413971cd95b75, Meta(creation_host='dev-test1', creation_dt=datetime.datetime(2018, 4, 16, 10, 24, 30, tzinfo=<UTC>)))>
2018-07-31 14:05:47,974:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-07-31 14:05:47,976:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-07-31 14:05:48,217:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1116, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 648, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 247, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 50, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 744, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1078, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1027, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
2018-07-31 14:05:48,219:ERROR:certbot.log:An unexpected error occurred:
2018-07-31 14:06:11,944:DEBUG:certbot.main:certbot version: 0.26.1
2018-07-31 14:06:11,945:DEBUG:certbot.main:Arguments: ['--nginx', '-d', 'next.example.cf']
2018-07-31 14:06:11,945:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-07-31 14:06:11,951:DEBUG:certbot.log:Root logging level set at 20
2018-07-31 14:06:11,952:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-07-31 14:06:11,952:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-07-31 14:06:12,298:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f3699f92e48>
Prep: True
2018-07-31 14:06:12,299:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f3699f92e48> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f3699f92e48>
2018-07-31 14:06:12,299:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2018-07-31 14:06:12,315:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', uri='https://acme-v01.api.letsencrypt.org/acme/reg/33367830', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', body=Registration(status='valid', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f3699d902e8>)>), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', contact=('mailto:systemn17088@gmail.com',), only_return_existing=None, terms_of_service_agreed=None)), 6f419180203c40a6b29413971cd95b75, Meta(creation_dt=datetime.datetime(2018, 4, 16, 10, 24, 30, tzinfo=<UTC>), creation_host='dev-test1'))>
2018-07-31 14:06:12,317:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-07-31 14:06:12,319:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-07-31 14:06:12,514:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1116, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 648, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 247, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 50, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 744, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1078, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1027, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
2018-07-31 14:06:12,515:ERROR:certbot.log:An unexpected error occurred:
2018-07-31 14:06:35,139:DEBUG:certbot.main:certbot version: 0.26.1
2018-07-31 14:06:35,140:DEBUG:certbot.main:Arguments: ['--nginx', '-d', 'next.example.cf']
2018-07-31 14:06:35,140:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-07-31 14:06:35,146:DEBUG:certbot.log:Root logging level set at 20
2018-07-31 14:06:35,147:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-07-31 14:06:35,147:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-07-31 14:06:35,491:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f29cc439fd0>
Prep: True
2018-07-31 14:06:35,492:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f29cc439fd0> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f29cc439fd0>
2018-07-31 14:06:35,492:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2018-07-31 14:06:35,508:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', uri='https://acme-v01.api.letsencrypt.org/acme/reg/33367830', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf', body=Registration(only_return_existing=None, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f29cc3d5eb8>)>), terms_of_service_agreed=None, status='valid', contact=('mailto:systemn17088@gmail.com',), agreement='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf')), 6f419180203c40a6b29413971cd95b75, Meta(creation_dt=datetime.datetime(2018, 4, 16, 10, 24, 30, tzinfo=<UTC>), creation_host='dev-test1'))>
2018-07-31 14:06:35,510:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2018-07-31 14:06:35,512:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2018-07-31 14:06:35,669:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.26.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1116, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 648, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 247, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 50, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 744, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1078, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1027, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
2018-07-31 14:06:35,671:ERROR:certbot.log:An unexpected error occurred:

#6

Is the Python that you’re testing this with the same Python 3.5 that’s being used to run Certbot?


#7

No, it was Python 2.7.
python3.5

 # python -c "import requests; print(requests.get('https://acme-v02.api.letsencrypt.org/directory').text)"
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/usr/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3/dist-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

#8

Interesting. What distro are you on and where did you get Python 3.5 from?

Did you build it from source? You have a fairly cutting-edge version of OpenSSL which makes me suspect that some other things could be from source.

If that was the case, depending on how you built Python, it may not have had the right SSL support compiled in.


#9

Sorry for the long absence.
I use this distro:

Ubuntu 16.04.3 LTS

No, I installed it with

apt install python3

Maybe that is what's doing it?

python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.2g  1 Mar 2016

Does it mean python3.5 is wrong?


#10

I did not understand anything, but this is the solution for my problem:

    1. Delete all of certbot (do not delete the source list)
apt purge certbot-nginx

script

#!/bin/bash

# Leftover certbot files to remove after the purge (one path per line).
list="/var/lib/systemd/timers/stamp-certbot.timer
/var/lib/dpkg/info/python3-certbot.postinst
/var/lib/dpkg/info/python3-certbot.md5sums
/var/lib/dpkg/info/python3-certbot.prerm
/var/lib/dpkg/info/python3-certbot.list
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_main_binary-i386_Packages
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_InRelease
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_main_i18n_Translation-en
/var/lib/apt/lists/ppa.launchpad.net_certbot_certbot_ubuntu_dists_xenial_main_binary-amd64_Packages
/usr/share/doc/python3-certbot
/usr/lib/python3/dist-packages/certbot-0.26.1.egg-info
/usr/lib/python3/dist-packages/certbot"

#/etc/apt/sources.list.d/certbot-ubuntu-certbot-xenial.list.save  #
#/etc/apt/sources.list.d/certbot-ubuntu-certbot-xenial.list	  # do not delete
#/etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg
#/etc/apt/trusted.gpg.d/certbot_ubuntu_certbot.gpg~

# $list stays unquoted so it splits into one path per word; each path is quoted.
for i in $list ; do
	rm -rf -- "$i"
done

echo "certbot was deleted"
exit 0
    2. Update or delete certificates
apt-get install --reinstall ca-certificates
dpkg-reconfigure ca-certificates

or

apt remove --purge ca-certificates
apt autoremove
apt install ca-certificates
apt install software-properties-common
apt install libwww-perl #if you use  GET
    3. Add certificate
certbot --nginx -d next.exapmle.com
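
An added diagnostic, not part of any post in this thread: curl and Python 2.7 verified the ACME endpoint while Python 3.5 did not, so this script reports which OpenSSL build and CA locations the running interpreter uses and then attempts a verified handshake. The function names and the Debian/Ubuntu bundle path `/etc/ssl/certs/ca-certificates.crt` are assumptions of the example.

```python
import os
import socket
import ssl
import sys

ACME_HOST = "acme-v02.api.letsencrypt.org"  # endpoint queried in the thread
# Assumption: Debian/Ubuntu location of the bundle built by ca-certificates.
DISTRO_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def trust_store_report():
    """Describe the OpenSSL build and CA locations this interpreter trusts."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    capath_ok = bool(paths.capath and os.path.isdir(paths.capath))
    watched = (paths.openssl_cafile_env, paths.openssl_capath_env,
               "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")
    report = {
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        # Compiled-in default path; "cafile" is None when that file is missing.
        "openssl_cafile": paths.openssl_cafile,
        "cafile": paths.cafile,
        "capath": paths.capath,
        "capath_entries": len(os.listdir(paths.capath)) if capath_ok else 0,
        # Counts only certificates loaded eagerly from cafile; capath entries
        # are looked up lazily during a handshake and are not included here.
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
        # Environment variables that silently redirect the trust store.
        "env_overrides": {k: os.environ[k] for k in watched if k in os.environ},
    }
    try:
        from requests import certs  # requests may ship its own CA bundle
        report["requests_bundle"] = certs.where()
    except ImportError:
        report["requests_bundle"] = None
    return report


def probe(host, port=443, cafile=None, timeout=10):
    """Try a verified TLS handshake; return (status, detail).

    With cafile=None the interpreter's default store is used; with a path,
    only that bundle is trusted, which isolates a broken default store.
    """
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return ("ok", issuer.get("commonName", ""))
    except ssl.SSLError as exc:  # must precede OSError, its base class
        failed = "CERTIFICATE_VERIFY_FAILED" in str(exc)
        return ("verify_failed" if failed else "tls_error", str(exc))
    except OSError as exc:  # DNS failure, refused connection, timeout
        return ("unreachable", str(exc))


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print("%-16s %s" % (key, value))
    print("default store -> %s: %s" % probe(ACME_HOST))
    if os.path.isfile(DISTRO_BUNDLE):
        print("distro bundle -> %s: %s" % probe(ACME_HOST, cafile=DISTRO_BUNDLE))
```

Run it with the same interpreter that runs Certbot. A `verify_failed` result for the default store next to `ok` for the distro bundle points at the trust store that interpreter loads rather than at the network or the server.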
