Certificate renewal failing with ('PEM routines', 'get_header_and_data', 'short header')

Certificate renewal is failing for all of my domains:

Running certbot renew or certbot certonly -d aarontopocne.org produces the following stacktrace:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1234, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 612, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 266, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 833, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1171, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1120, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 841, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 344, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 321, in ssl_wrap_socket
    context.load_verify_locations(ca_certs, ca_cert_dir)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 428, in load_verify_locations
    self._ctx.load_verify_locations(cafile, capath)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 776, in load_verify_locations
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('PEM routines', 'get_header_and_data', 'short header'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'PEM lib')]

This is on a personally administered and fully updated Debian 10 stable server running Apache 2.4.38 with certbot 0.31.0. Everything is being managed via the CLI.

It looks like it's complaining about the CA certificates on your system.

Perhaps try:

apt install --reinstall ca-certificates
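To see which part of the CA store is damaged before reinstalling it, the bundle can be checked block by block. The script below is an added example, not part of the original thread or of certbot. It assumes the Debian bundle path `/etc/ssl/certs/ca-certificates.crt` and only checks PEM framing, base64 and the outer DER length of `CERTIFICATE` blocks, not certificate validity.

```python
import base64, binascii, pathlib, sys

BUNDLE = "/etc/ssl/certs/ca-certificates.crt"  # assumed Debian default path
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def der_length_ok(der: bytes) -> bool:
    """True if der is a single ASN.1 SEQUENCE whose declared length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def lint_pem_bundle(text: str) -> list:
    """Return (line_number, problem) pairs for structurally damaged PEM blocks."""
    problems, start, body = [], None, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == BEGIN:
            if start is not None:
                problems.append((start, "BEGIN without END"))
            start, body = no, []
        elif line == END and start is None:
            problems.append((no, "END without BEGIN"))
        elif line == END:
            try:
                der = base64.b64decode("".join(body), validate=True)
                if not der_length_ok(der):
                    problems.append((start, "DER length mismatch (truncated?)"))
            except binascii.Error:
                problems.append((start, "body is not valid base64"))
            start = None
        elif start is not None:
            body.append(line)
        elif line.startswith("-----"):
            problems.append((no, "malformed boundary line"))
    if start is not None:
        problems.append((start, "file ends inside a block"))
    return problems

# Constructed sample (fake DER, not a real certificate): intact block, then a cut-off one.
GOOD = base64.b64encode(b"\x30\x03abc").decode()
SAMPLE = f"{BEGIN}\n{GOOD}\n{END}\n{BEGIN}\n{GOOD[:4]}\n{END}\n"

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else BUNDLE
    for no, problem in lint_pem_bundle(pathlib.Path(path).read_text(errors="replace")):
        print(f"{path}:{no}: {problem}")
```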

Doing an strace, I stumbled on the same thing right about the same time you sent this reply. Reinstalling the OS CA certificate store fixed the issue.

Thanks!

