Certificate verify failed: unable to get local issuer certificate

[root@SRV-SUP-02 admcentreon]# certbot certonly --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Apache Web Server plugin (apache)
2: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
3: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)


Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 2
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

/var/log/letsencrypt/letsencrypt.log

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1579, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 830, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 738, in _determine_account
    acc, acme = client.register(
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 207, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 331, in get_directory
    return messages.Directory.from_json(net.get(url).json())
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 706, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 648, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 544, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 657, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
2023-08-09 06:23:07,487:ERROR:certbot._internal.log:An unexpected error occurred:
2023-08-09 06:23:07,488:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
[root@SRV-SUP-02 admcentreon]# cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.2 (Turquoise Kodkod)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.2"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.2 (Turquoise Kodkod)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.2"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.2"

Are you using openssl 1.0.2?

3 Likes

[root@SRV-SUP-02 admcentreon]# openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

What method did you use to install Certbot?

And, what do these show?

sudo certbot --version

curl -I https://acme-v02.api.letsencrypt.org/directory

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
3 Likes

I use this command: sudo snap install --classic certbot

[root@SRV-SUP-02 centreon-engine]# sudo certbot --version
certbot 2.6.0
[root@SRV-SUP-02 centreon-engine]# curl -I https://acme-v02.api.letsencrypt.org/directory

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[root@SRV-SUP-02 centreon-engine]# echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

depth=0 CN = acme-v02.api.letsencrypt.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = FR, ST = OCCITANIE, L = TOULOUSE, O = PREVALY
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 29 21:50:46 2023 GMT; NotAfter: Sep 27 21:50:45 2023 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----

[root@SRV-SUP-02 centreon-engine]# curl -I https://acme-v02.api.letsencrypt.org/directory

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

There is a device intercepting your connection. That is, when your service tries to connect to Let's Encrypt's servers, this device is responding instead. But since the device doesn't have a trusted certificate (since it isn't actually run by Let's Encrypt), certbot (and curl) are correctly stopping the connection because they know they aren't talking to the real Let's Encrypt server.

These kinds of devices are often well-meaning (but not always well-configured) firewalls run by your local IT. Do you recognize the name "PREVALY", which is how the device is identifying itself?

7 Likes

Alternatively, it could be a man-in-the-middle attack, although it would be a rather bad one :stuck_out_tongue:

1 Like

HTTPS is allowed on the firewall and I have disabled SSL inspection; I manage Prevaly IT. Are there any other ports to authorize?

If you allow https (without "inspection") outbound, and allow http inbound, then you should be all set.

As a tip: Use --dry-run on your command while you're testing things, to use the staging environment, and then remove it once it's working to use production.

4 Likes

Please show this output now [after your change]:

3 Likes

Are you mitm-ing every tls connection from your network?

That's... going to break a lot of websites. Google mainly.

It's a level of security that I would never use: I would airgap the whole network before I mitm tls.

3 Likes

[root@SRV-SUP-02 admcentreon]# echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head
depth=0 CN = acme-v02.api.letsencrypt.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = FR, ST = OCCITANIE, L = TOULOUSE, O = PREVALY
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 30 20:38:40 2023 GMT; NotAfter: Sep 28 20:38:39 2023 GMT
---
DONE
Server certificate
-----BEGIN CERTIFICATE-----

No mitm in the company

That cert you are seeing doesn't look right: the issuer country is US for LE certificates (because LE is US based).
There is a MITM proxy in the route.

4 Likes
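The two diagnoses above rest on the same evidence: the leaf for acme-v02.api.letsencrypt.org is issued by O = PREVALY rather than Let's Encrypt, and the local trust store rejects the chain (verify errors 20 and 21). This added example, not code from the thread, parses `openssl s_client` output of the kind posted and flags that combination as an interception proxy; the two sample outputs are constructed from the posted ones, and the expected issuer organisation "Let's Encrypt" is an assumption for the production ACME endpoint.

```python
"""Spot a TLS-intercepting proxy in `openssl s_client` output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the intercepted chain posted in the thread.
INTERCEPTED = """depth=0 CN = acme-v02.api.letsencrypt.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = FR, ST = OCCITANIE, L = TOULOUSE, O = PREVALY
"""
# Constructed sample of a direct connection: chain verifies, issuer is Let's Encrypt.
GENUINE = """depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
"""

@dataclass
class ChainReport:
    leaf_subject: str
    leaf_issuer: dict      # parsed issuer DN, e.g. {"C": "FR", "O": "PREVALY"}
    verify_errors: list    # X509 verify error numbers seen (20, 21, ...)
    intercepted: bool

def parse_dn(dn):
    """Turn 'C = FR, O = PREVALY' into {'C': 'FR', 'O': 'PREVALY'}."""
    return dict(re.findall(r"(\w+) = ([^,]+)", dn))

def analyze_s_client(output, expected_issuer_org="Let's Encrypt"):
    errors = [int(n) for n in re.findall(r"verify error:num=(\d+):", output)]
    leaf = re.search(r"^ 0 s:(.+)\n\s+i:(.+)$", output, re.MULTILINE)
    if leaf is None:
        raise ValueError("no certificate chain found in s_client output")
    issuer = parse_dn(leaf.group(2))
    # Interception signature: leaf not issued by the CA the site really uses AND the
    # local trust store rejects it (20 = untrusted issuer, 21 = no chain supplied).
    untrusted = bool({20, 21} & set(errors))
    intercepted = issuer.get("O") != expected_issuer_org and untrusted
    return ChainReport(leaf.group(1).strip(), issuer, errors, intercepted)
```

Pipe real output into `analyze_s_client` (`echo | openssl s_client -connect host:443 2>&1 | head -n 30`) to get the same verdict for any host whose legitimate issuer you know.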

No, just inspection. I know of banks, medical facilities, and maybe espionage-susceptible companies that might do that, but, as I said, I'd disconnect the network before resorting to that.

I really, really don't like it when people break the infrastructure of the internet (see DNS poisoning, DPI, TLS inspection...).

Even more because I can circumvent all of that. You can exfiltrate over DNS, for example, and OBFS4 looks just like http. :smiley:

3 Likes

Your output shows otherwise:

4 Likes

As an alternative to @9peppe's suggestion:
It would be much simpler to block outbound connections and force everyone to use a proxy.
Within the proxy you can better control who can access what and clean whatever is being downloaded before it reaches the requester.

3 Likes
