Certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:los.plsee.net

I ran this command:./certbot-auto --no-bootstrap

It produced this output:# ./certbot-auto --no-bootstrap
WARNING: unable to check for updates.
Creating virtual environment…
Installing Python packages…
Traceback (most recent call last):
File “/usr/local/python381/lib/python3.8/urllib/request.py”, line 1319, in do_open
h.request(req.get_method(), req.selector, req.data, headers,
File “/usr/local/python381/lib/python3.8/http/client.py”, line 1230, in request
self._send_request(method, url, body, headers, encode_chunked)
File “/usr/local/python381/lib/python3.8/http/client.py”, line 1276, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File “/usr/local/python381/lib/python3.8/http/client.py”, line 1225, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File “/usr/local/python381/lib/python3.8/http/client.py”, line 1004, in _send_output
self.send(msg)
File “/usr/local/python381/lib/python3.8/http/client.py”, line 944, in send
self.connect()
File “/usr/local/python381/lib/python3.8/http/client.py”, line 1399, in connect
self.sock = self._context.wrap_socket(self.sock,
File “/usr/local/python381/lib/python3.8/ssl.py”, line 500, in wrap_socket
return self.sslsocket_class._create(
File “/usr/local/python381/lib/python3.8/ssl.py”, line 1040, in _create
self.do_handshake()
File “/usr/local/python381/lib/python3.8/ssl.py”, line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/tmp/tmp.GdqZI0fYe1/pipstrap.py”, line 177, in
sys.exit(main())
File “/tmp/tmp.GdqZI0fYe1/pipstrap.py”, line 155, in main
downloads = [hashed_download(index_base + ‘/packages/’ + path,
File “/tmp/tmp.GdqZI0fYe1/pipstrap.py”, line 155, in
downloads = [hashed_download(index_base + ‘/packages/’ + path,
File “/tmp/tmp.GdqZI0fYe1/pipstrap.py”, line 117, in hashed_download
response = opener(using_https=parsed_url.scheme == ‘https’).open(url)
File “/usr/local/python381/lib/python3.8/urllib/request.py”, line 525, in open
response = self._open(req, data)
File “/usr/local/python381/lib/python3.8/urllib/request.py”, line 542, in _open
result = self._call_chain(self.handle_open, protocol, protocol +
File “/usr/local/python381/lib/python3.8/urllib/request.py”, line 502, in _call_chain
result = func(*args)
File “/usr/local/python381/lib/python3.8/urllib/request.py”, line 1362, in https_open
return self.do_open(http.client.HTTPSConnection, req,
File “/usr/local/python381/lib/python3.8/urllib/request.py”, line 1322, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)>

My web server is (include version):My server is not a web server,I use certbot --standalone for issue cert.

The operating system my web server runs on is (include version):CentOS release 6.10 (Final) 4.13.10-1.el6.elrepo.i686

My hosting provider, if applicable, is:I don’t know

I can login to a root shell on my machine (yes or no, or I don’t know):yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):# pip list |grep cert
certbot 1.1.0

---------------------I am just a line---------------------------------
Hello,I have renewed my certificate in Jan 2020 successful.But when I run certbot-auto command,the system show me must have python 3.5+,and certbot-auto can not run nomal.Then I upgrade my server python version to 3.8.1,I try to run cerbot-auto command again,certbot-auto can not run either,and show me all above.I don’t know why and how to do.

1 Like

Hi,

Could you please check if you have the latest CA certificates installed?

Thank you

1 Like

could you please tell me how to check the ca certificate installed? which directory should I checked? thanks!

Hi,

I personally don’t use CentOS 6, so i’m not sure if this will work correctly. (But this is what the error message means).

Please first try to run the below command with your Python 3.6 binary and share us the output. (This is basically where you should place the CA Bundle files)
python -c "import ssl; print(ssl.get_default_verify_paths())"

This is a tutorial i found online about update CA Bundle in CentOS systems.

You might want to see if your ca-bundles package in yum is up to date. If it’s up to date and you still have the same error message, try to make a backup of your CAfile location, and download http://curl.haxx.se/ca/cacert.pem to override your CAfile.

Thank you

Hello,first thank you for your reply.
When I run command ‘python -c “import ssl; print(ssl.get_default_verify_paths())”’,the system output ‘DefaultVerifyPaths(cafile=None, capath=’/usr/local/openssl/ssl/certs’, openssl_cafile_env=‘SSL_CERT_FILE’, openssl_cafile=’/usr/local/openssl/ssl/cert.pem’, openssl_capath_env=‘SSL_CERT_DIR’, openssl_capath=’/usr/local/openssl/ssl/certs’)

I think it seem there is no cafile in my system.Then I run some commands and system output below:
#curl https://curl.haxx.se/ca/cacert.pem -o /etc/pki/tls/certs/ca-bundle.crt
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 218k 100 218k 0 0 489k 0 --:–:-- --:–:-- --:–:-- 2600k

#update-ca-trust enable
#update-ca-trust check
#update-ca-trust extract
#python -c “import ssl; print(ssl.get_default_verify_paths())”
DefaultVerifyPaths(cafile=None, capath=’/usr/local/openssl/ssl/certs’, openssl_cafile_env=‘SSL_CERT_FILE’, openssl_cafile=’/usr/local/openssl/ssl/cert.pem’, openssl_capath_env=‘SSL_CERT_DIR’, openssl_capath=’/usr/local/openssl/ssl/certs’)

The “cafile=None” is also show,and certbot still have same error.

What should I do next ? Thanks.

Hi,

Apologize since I might used the wrong variable.
Try to make a backup of openssl_cafile and place the newly downloaded file into that location.

Thank you

Hi.I have tried do it.Maybe a new error appear.The system output below:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/bin/letsencrypt”, line 11, in
load_entry_point(‘letsencrypt==0.7.0’, ‘console_scripts’, ‘letsencrypt’)()
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/pkg_resources/init.py”, line 487, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/pkg_resources/init.py”, line 2728, in load_entry_point
return ep.load()
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/pkg_resources/init.py”, line 2346, in load
return self.resolve()
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/pkg_resources/init.py”, line 2352, in resolve
module = import(self.module_name, fromlist=[‘name’], level=0)
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/certbot/main.py”, line 2, in
from certbot._internal import main as internal_main
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/certbot/_internal/main.py”, line 10, in
import josepy as jose
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/josepy/init.py”, line 41, in
from josepy.interfaces import JSONDeSerializable
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/josepy/interfaces.py”, line 7, in
from josepy import errors, util
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/josepy/util.py”, line 7, in
import OpenSSL
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/OpenSSL/init.py”, line 8, in
from OpenSSL import crypto, SSL
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/OpenSSL/crypto.py”, line 16, in
from OpenSSL._util import (
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/OpenSSL/_util.py”, line 6, in
from cryptography.hazmat.bindings.openssl.binding import Binding
File “/opt/eff.org/certbot/venv/lib/python3.8/site-packages/cryptography/hazmat/bindings/openssl/binding.py”, line 15, in
from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /opt/eff.org/certbot/venv/lib/python3.8/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: undefined symbol: d2i_DHxparams

Thanks.

Hi,

I’m not familiar with the inner part of softwares…
I think @schoen might be able to help?

Thank you

I would ask @bmw about this.

Overall, I think the problem is due to inconsistent installations of Certbot and its dependencies; installing Certbot yourself via pip is not recommended.

The problem here is as of our 1.1.0 release in January, Certbot no longer supports RHEL 6 based systems running architectures other than x86_64. There are many reasons for this, but it basically comes down to the Python and OpenSSL packages offered on non-86_64 RHEL 6 have reached their end of life upstream and are no longer receiving updates. Because of this, many of Certbot’s Python dependencies have also dropped support for this software which means that scripts like certbot-auto cannot continue to update them so you get things like security fixes (unless we tried to safely provide our own versions of Python and OpenSSL outside of those provided by your OS which is just not feasible for the small Certbot team to do).

When you run certbot-auto on the system without a custom version of Python in your PATH, certbot-auto’s full output should look something like:

Skipping bootstrap because certbot-auto is deprecated on this system.
WARNING: couldn't find Python 3.5+ to check for updates.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

And at https://certbot.eff.org/lets-encrypt/centos6-other, we say that non-x86_64 RHEL 6 is no longer supported by the Certbot team.

CentOS 6 reaches its end of life in November meaning that all of the packages on your system will no longer receive security updates. If updating your OS isn’t feasible right now, your most reliable option is to use an old version of certbot-auto and include --no-self-upgrade on the command line. The last working version of certbot-auto on i686 CentOS 6 can be found at https://raw.githubusercontent.com/certbot/certbot/v1.0.0/certbot-auto. Including this flag means that you will not get any updates fixing bugs including security problems or compatibility issues with Let’s Encrypt’s servers.

Alternatively, you can continue to try to use a custom version of Python, but unfortunately the Certbot team does not have the resources to help you do this custom setup.

I’m sure all of this isn’t what you want to hear, but I hope it helps!

2 Likes

Thank you very much.

1 Like

A post was merged into an existing topic: Error al intentar renovar mis certificados

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.