Certificate verify failed (existing self-signed certificate)

Richard87 · November 4, 2015, 1:16pm

Hi!

I’m trying to use let’s encrypt client on a CentOS 6.5 host with VestaCP (VestaCP sets up virtual hosts etc and SSL via a NginX proxy infront of Apache).

I have a self-signed certificate on https://www.richardhagen.no wich I think is causing some problems (without enabling SSL I get a connection refused from letsencrypt-auto though)…

Anyway, if anyone can help, this is my letsencrypt log-file:

2015-11-04 13:01:59,561:DEBUG:letsencrypt.cli:Root logging level set at 20
2015-11-04 13:01:59,564:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-04 13:01:59,583:DEBUG:letsencrypt.cli:letsencrypt version: 0.0.0.dev20151104
2015-11-04 13:01:59,584:DEBUG:letsencrypt.cli:Arguments: ['--agree-dev-preview', '--server', 'https://www.richardhagen.no', '--verbose']
2015-11-04 13:01:59,586:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-11-04 13:01:59,618:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2015-11-04 13:01:59,755:DEBUG:letsencrypt.plugins.disco:No installation (PluginEntryPoint#apache): 
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 103, in prepare
	self._initialized.prepare()
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt_apache/configurator.py", line 145, in prepare
	raise errors.NoInstallationError
NoInstallationError
2015-11-04 13:01:59,756:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): --webroot-path must be set
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/plugins/disco.py", line 103, in prepare
	self._initialized.prepare()
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/plugins/webroot.py", line 89, in prepare
	self.option_name("path")))
PluginError: --webroot-path must be set
2015-11-04 13:01:59,756:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x7f461e7eafd0>
Prep: True
2015-11-04 13:01:59,757:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x7f461e7eafd0> and installer None
2015-11-04 13:02:05,228:DEBUG:root:Sending GET request to https://www.richardhagen.no. args: (), kwargs: {}
2015-11-04 13:02:05,234:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): www.richardhagen.no
2015-11-04 13:02:05,323:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
	sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1138, in main
	return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 479, in obtaincert
	le_client = _init_le_client(args, config, authenticator, installer)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 174, in _init_le_client
	acc, acme = _determine_account(args, config)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 161, in _determine_account
	config, account_storage, tos_cb=_tos_cb)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 87, in register
	acme = _acme_from_config_key(config, key)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 35, in _acme_from_config_key
	verify_ssl=(not config.no_verify_ssl))
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 60, in __init__
	self.net.get(directory).json())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 599, in get
	self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 581, in _send_request
	response = requests.request(method, url, *args, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/api.py", line 50, in request
	response = session.request(method=method, url=url, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
	resp = self.send(prep, **send_kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
	r = adapter.send(request, **kwargs)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/requests/adapters.py", line 433, in send
	raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)",)

My1 · November 4, 2015, 1:18pm

wait a sec do I read SSL3 in here?

Richard87 · November 4, 2015, 1:30pm

Apparantly How do I get rid of that?

My1 · November 4, 2015, 1:31pm

the question is rather WHY it is in there?
if we knew that it would be easier…
can you post your server con? (take private parts out and if too large use pastebin.

Richard87 · November 4, 2015, 2:02pm

Hope there isn’t wery much actuall private stuff in here
NginX SSL vhost file
Apache SSL vhost file

Also, relevant parts of nginx.conf:

# SSL PCI Compliance
ssl_session_cache   shared:SSL:10m;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

And the relevant parts of Apache SSL config:

LoadModule ssl_module modules/mod_ssl.so

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog     builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex                default
SSLRandomSeed           startup file:/dev/urandom  256
SSLRandomSeed           connect builtin
SSLCryptoDevice         builtin

Richard87 · November 4, 2015, 3:43pm

I think I have disabled SSLv3, but still get the same error from letsencrypt (here is the result from a OpenSSL test (notice the handshake failure):

 openssl s_client -connect www.richardhagen.no:443 -ssl3
CONNECTED(00000003)
140664679135048:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1259:SSL alert number 40
140664679135048:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
	Protocol  : SSLv3
	Cipher    : 0000
	Session-ID:
	Session-ID-ctx:
	Master-Key:
	Key-Arg   : None
	Krb5 Principal: None
	PSK identity: None
	PSK identity hint: None
	Start Time: 1446651748
	Timeout   : 7200 (sec)
	Verify return code: 0 (ok)
---

ngld · November 4, 2015, 4:02pm

2015-11-04 13:01:59,584:DEBUG:letsencrypt.cli:Arguments: ['--agree-dev-preview', '--server', 'https://www.richardhagen.no', '--verbose']

Did you run this?

./letsencrypt-auto --agree-dev-preview --server https://www.richardhagen.no --verbose

I think it should be:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -d www.richardhagen.no -d richardhagen.no --verbose

The --server parameter tells the client where the CA’s ACME server is. You need the “-d” parameter for the domains you want to verify.

Richard87 · November 4, 2015, 4:12pm

Well that worked perfectly! Thank you for your help

levisan · November 4, 2015, 11:56pm

@Richard87, I’m in a similar boat as you. I’ve got a VestaCP server (running on Ubuntu). I did the self-signing in Vesta, like it looks like you did. Could you summarize what you did to get everything working? I’m new to all this SSL stuff, so I’ve been stumbling in the dark so far!
Thanks!

Richard87 · November 5, 2015, 9:24am

@levisan Hi!,

I went with this command:

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory -d www.richardhagen.no -d richardhagen.no --verbose certonly

Notice the certonly on the end, this way I can read the content of the certificates and paste them in their correct spot in VestaCP (worked like a charm )

Also, my biggest problem was getting a version of Python that worked, the one shipped with CentOS 6.5 (and probably VestaCP) Python 2.6.6 dosn’t work (test your vversion with python -V.

If you don’t have the correct python version, I think your best bet is to hope for centos-release-SCL

yum update
yum install centos-release-SCL
yum install python33

Remember to clear out old letsencrypt files (this command should do it: rm -Rf /root/.local/share/letsencrypt (or similar).

Then I would make the system believe python33 is the regular python with this: alias python=python33.
And double check that python -V returns python v. 3.3 or something similar

Then rerun the letsencrypt command

Good luck!

levisan · November 5, 2015, 6:05pm

Thanks! You’re awesome!

evoluboy · December 2, 2015, 11:07pm

I’m having the same issue with Ubuntu, Here is the request I’m sending :

./letsencrypt-auto run --apache -d technadel.com -d www.technadel.com --server https://www.technadel.com --agree-dev-preview --verbose

Here is what I’m getting :
An unexpected error occurred:
SSLError: bad handshake: Error([(‘SSL routines’, ‘SSL3_GET_SERVER_CERTIFICATE’, ‘certificate verify failed’)],)
Please see the logfiles in /var/log/letsencrypt for more details.

I don’t get it, It try to validate my website https but it does not have https valide certificate yet. So what it is trying to do exacly ?

Here is what I have in /var/log/letsencrypt/letsencrypt.log :

…
2015-12-02 22:42:55,538:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/home/adel/.local/share/letsencrypt/bin/letsencrypt”, line 11, in
sys.exit(main())
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 1266, in main
return args.func(args, config, plugins)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 461, in run
le_client = _init_le_client(args, config, authenticator, installer)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 175, in _init_le_client
acc, acme = _determine_account(args, config)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 162, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 116, in register
acme = acme_from_config_key(config, key)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 41, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 60, in init
self.net.get(directory).json())
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 609, in get
self._send_request(‘GET’, url, **kwargs), content_type=content_type)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 591, in _send_request
response = requests.request(method, url, *args, **kwargs)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/api.py”, line 50, in request
response = session.request(method=method, url=url, **kwargs)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py”, line 468, in request
resp = self.send(prep, **send_kwargs)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/sessions.py”, line 576, in send
r = adapter.send(request, **kwargs)
File “/home/adel/.local/share/letsencrypt/local/lib/python2.7/site-packages/requests/adapters.py”, line 433, in send
raise SSLError(e, request=request)
SSLError: bad handshake: Error([(‘SSL routines’, ‘SSL3_GET_SERVER_CERTIFICATE’, ‘certificate verify failed’)],)

jsha · December 2, 2015, 11:10pm

You have the same problem as above. In your command you wrote:

--server https://www.technadel.com

But this should be:

--server https://acme-v01.api.letsencrypt.org/directory

That is, the --server flag expects the Let’s Encrypt server URL, not the URL to your server.

evoluboy · December 3, 2015, 11:43pm

Ok, It working!! Thanks!!!