Certificate Verify Failed

Hi everyone!

I installed certbot and obtained certificate a couple of months ago, but it suddenly stopped getting updated certificates.

What should I do in this case?

I’m getting this output after running
sudo certbot --nginx -d my.domain.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 438, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1716, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1456, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 846, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 325, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 445, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 630, in urlopen
    raise SSLError(e)
urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Please see the logfiles in /var/log/letsencrypt for more details.

Hi @tabl

what's your domain? Is your Certbot updated?

What is there:

Please see the logfiles in /var/log/letsencrypt for more details.

The domain is wifi.enslave.ru
Certbot version is 0.22.2-1 on Ubuntu 16.04

Log:
2018-06-20 14:13:27,687:DEBUG:certbot.main:certbot version: 0.22.2
2018-06-20 14:13:27,687:DEBUG:certbot.main:Arguments: [’–nginx’, ‘–dry-run’]
2018-06-20 14:13:27,688:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-06-20 14:13:27,696:DEBUG:certbot.log:Root logging level set at 20
2018-06-20 14:13:27,697:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-20 14:13:27,705:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var dry_run=True (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var server={‘dry_run’, ‘staging’} (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var account={‘server’} (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var authenticator=nginx (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var installer=nginx (set by user).
2018-06-20 14:13:27,732:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-07-04 07:18:45 UTC.
2018-06-20 14:13:27,732:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2018-06-20 14:13:27,733:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-06-20 14:13:27,888:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8>
Prep: True
2018-06-20 14:13:27,890:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8>
Prep: True
2018-06-20 14:13:27,890:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8>
2018-06-20 14:13:27,890:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2018-06-20 14:13:27,905:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri=‘https://acme-staging-v02.api.letsencrypt.org/acme/acct/5868658’, new_authzr_uri=None, terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fdbff909828>)>), agreement=None, status=‘valid’, contact=(), terms_of_service_agreed=None)), a1feb7a10613229dc44c412145d537bb, Meta(creation_host=‘ovz2.enslave.z2eez.vps.myjino.ru’, creation_dt=datetime.datetime(2018, 4, 5, 8, 20, 3, tzinfo=)))>
2018-06-20 14:13:27,906:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-06-20 14:13:27,910:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-06-20 14:13:28,070:WARNING:certbot.renewal:Attempting to renew cert (wifi.enslave.ru) from /etc/letsencrypt/renewal/wifi.enslave.ru.conf produced an unexpected error: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,). Skipping.
2018-06-20 14:13:28,073:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 438, in wrap_socket
cnx.do_handshake()
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1716, in do_handshake
self._raise_ssl_error(self._ssl, result)
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1456, in _raise_ssl_error
_raise_current_error()
File “/usr/lib/python3/dist-packages/OpenSSL/_util.py”, line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 600, in urlopen
chunked=chunked)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 345, in _make_request
self._validate_conn(conn)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 846, in validate_conn
conn.connect()
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 326, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl.py", line 325, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 445, in wrap_socket
raise ssl.SSLError(‘bad handshake: %r’ % e)
ssl.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 440, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 630, in urlopen
raise SSLError(e)
urllib3.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 422, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1100, in renew_cert
le_client = _init_le_client(config, auth, installer)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 642, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 230, in init
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 46, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 718, in init
directory = messages.Directory.from_json(net.get(server).json())
File “/usr/lib/python3/dist-packages/acme/client.py”, line 1041, in get
self._send_request(‘GET’, url, **kwargs), content_type=content_type)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 990, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File “/usr/lib/python3/dist-packages/requests/sessions.py”, line 502, in request
resp = self.send(prep, **send_kwargs)
File “/usr/lib/python3/dist-packages/requests/sessions.py”, line 612, in send
r = adapter.send(request, **kwargs)
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

2018-06-20 14:13:28,074:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-06-20 14:13:28,074:ERROR:certbot.renewal: /etc/letsencrypt/live/wifi.enslave.ru/fullchain.pem (failure)
2018-06-20 14:13:28,074:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.22.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1179, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Why is there a 302 - Redirect to enslave.ru? I don't know if Certbot interprets that as an error.

On enslave.ru, there is a Letsencrypt-certificate (start 2018-06-10) with www.enslave.ru + enslave.ru. Perhaps Certbot creates this error.

2018-06-20 14:13:28,070:WARNING:certbot.renewal:Attempting to renew cert (wifi.enslave.ru) from /etc/letsencrypt/renewal/wifi.enslave.ru.conf produced an unexpected error: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,). Skipping.

@schoen wrote (some days earlier), that Certbot ignores chain errors and outdated certificates. [Edit] But I don't know if such a redirect from wifi.enslave.ru to enslave.ru (without a certificate of wifi.enslave.ru) is also ok.

Remove the 302-redirect and check it again. Perhaps use the test/staging - system first. If this works, then switch to the productive system.

I removed the redirect. Unfortunately, that did not fix the error.

Now I can see a Letsencrypt-certificate https://wifi.enslave.ru/ NotAfter 2018-07-04.

And http://wifi.enslave.ru/ is available.

But I don't see why this

requests.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

happens.

Hmm, I googled out that it could be a ca-certificates package problems so I reinstalled it (with the whole certbot) and now it works.

Thanks!

It's the Let's Encrypt CA that ignores them, rather than Certbot, and the redirect is also OK.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.