Certificate Verify Failed

Hi everyone!

I installed certbot and obtained a certificate a couple of months ago, but it suddenly stopped getting updated certificates.

What should I do in this case?

I’m getting this output after running
sudo certbot --nginx -d my.domain.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 438, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1716, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1456, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 846, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 325, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 445, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 630, in urlopen
    raise SSLError(e)
urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Please see the logfiles in /var/log/letsencrypt for more details.

Hi @tabl

What's your domain? Is your Certbot updated?

What is there:

Please see the logfiles in /var/log/letsencrypt for more details.

The domain is wifi.enslave.ru
Certbot version is 0.22.2-1 on Ubuntu 16.04

Log:
2018-06-20 14:13:27,687:DEBUG:certbot.main:certbot version: 0.22.2
2018-06-20 14:13:27,687:DEBUG:certbot.main:Arguments: ['--nginx', '--dry-run']
2018-06-20 14:13:27,688:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-06-20 14:13:27,696:DEBUG:certbot.log:Root logging level set at 20
2018-06-20 14:13:27,697:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-20 14:13:27,705:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var dry_run=True (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var server={‘dry_run’, ‘staging’} (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var account={‘server’} (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var authenticator=nginx (set by user).
2018-06-20 14:13:27,706:DEBUG:certbot.cli:Var installer=nginx (set by user).
2018-06-20 14:13:27,732:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2018-07-04 07:18:45 UTC.
2018-06-20 14:13:27,732:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2018-06-20 14:13:27,733:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2018-06-20 14:13:27,888:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8>
Prep: True
2018-06-20 14:13:27,890:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8>
Prep: True
2018-06-20 14:13:27,890:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7fdbff997ba8>
2018-06-20 14:13:27,890:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2018-06-20 14:13:27,905:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri=‘https://acme-staging-v02.api.letsencrypt.org/acme/acct/5868658’, new_authzr_uri=None, terms_of_service=‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’, body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fdbff909828>)>), agreement=None, status=‘valid’, contact=(), terms_of_service_agreed=None)), a1feb7a10613229dc44c412145d537bb, Meta(creation_host=‘ovz2.enslave.z2eez.vps.myjino.ru’, creation_dt=datetime.datetime(2018, 4, 5, 8, 20, 3, tzinfo=)))>
2018-06-20 14:13:27,906:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-06-20 14:13:27,910:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-06-20 14:13:28,070:WARNING:certbot.renewal:Attempting to renew cert (wifi.enslave.ru) from /etc/letsencrypt/renewal/wifi.enslave.ru.conf produced an unexpected error: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,). Skipping.
2018-06-20 14:13:28,073:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 438, in wrap_socket
cnx.do_handshake()
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1716, in do_handshake
self._raise_ssl_error(self._ssl, result)
File “/usr/lib/python3/dist-packages/OpenSSL/SSL.py”, line 1456, in _raise_ssl_error
_raise_current_error()
File “/usr/lib/python3/dist-packages/OpenSSL/_util.py”, line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 600, in urlopen
chunked=chunked)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 345, in _make_request
self._validate_conn(conn)
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 846, in _validate_conn
conn.connect()
File “/usr/lib/python3/dist-packages/urllib3/connection.py”, line 326, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 325, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File “/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py”, line 445, in wrap_socket
raise ssl.SSLError(‘bad handshake: %r’ % e)
ssl.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 440, in send
timeout=timeout
File “/usr/lib/python3/dist-packages/urllib3/connectionpool.py”, line 630, in urlopen
raise SSLError(e)
urllib3.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 422, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1100, in renew_cert
le_client = _init_le_client(config, auth, installer)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 642, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 230, in __init__
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File “/usr/lib/python3/dist-packages/certbot/client.py”, line 46, in acme_from_config_key
return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 718, in __init__
directory = messages.Directory.from_json(net.get(server).json())
File “/usr/lib/python3/dist-packages/acme/client.py”, line 1041, in get
self._send_request(‘GET’, url, **kwargs), content_type=content_type)
File “/usr/lib/python3/dist-packages/acme/client.py”, line 990, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File “/usr/lib/python3/dist-packages/requests/sessions.py”, line 502, in request
resp = self.send(prep, **send_kwargs)
File “/usr/lib/python3/dist-packages/requests/sessions.py”, line 612, in send
r = adapter.send(request, **kwargs)
File “/usr/lib/python3/dist-packages/requests/adapters.py”, line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

2018-06-20 14:13:28,074:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2018-06-20 14:13:28,074:ERROR:certbot.renewal: /etc/letsencrypt/live/wifi.enslave.ru/fullchain.pem (failure)
2018-06-20 14:13:28,074:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in <module>
load_entry_point(‘certbot==0.22.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1266, in main
return config.func(config, plugins)
File “/usr/lib/python3/dist-packages/certbot/main.py”, line 1179, in renew
renewal.handle_renewal_request(config)
File “/usr/lib/python3/dist-packages/certbot/renewal.py”, line 443, in handle_renewal_request
len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Why is there a 302 redirect to enslave.ru? I don't know if Certbot interprets that as an error.

On enslave.ru, there is a Let's Encrypt certificate (start 2018-06-10) with www.enslave.ru + enslave.ru. Perhaps Certbot creates this error.

2018-06-20 14:13:28,070:WARNING:certbot.renewal:Attempting to renew cert (wifi.enslave.ru) from /etc/letsencrypt/renewal/wifi.enslave.ru.conf produced an unexpected error: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,). Skipping.

@schoen wrote (some days earlier) that Certbot ignores chain errors and outdated certificates. [Edit] But I don't know if such a redirect from wifi.enslave.ru to enslave.ru (without a certificate of wifi.enslave.ru) is also OK.

Remove the 302 redirect and check it again. Perhaps use the test/staging system first. If this works, then switch to the production system.

I removed the redirect. Unfortunately, that did not fix the error.

Now I can see a Let's Encrypt certificate at https://wifi.enslave.ru/ with NotAfter 2018-07-04.

And http://wifi.enslave.ru/ is available.

But I don't see why this

requests.exceptions.SSLError: (“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,)

happens.

Hmm, I found by googling that it could be a ca-certificates package problem, so I reinstalled it (with the whole certbot) and now it works.

Thanks!


It's the Let's Encrypt CA that ignores them, rather than Certbot, and the redirect is also OK.
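In the log quoted in this thread the handshake fails right after Certbot opens an HTTPS connection to the ACME directory, so the certificate being rejected is the one the ACME server presents to this machine, which points at the local trust store (consistent with the ca-certificates reinstall) rather than at the site's own certificate or redirect. The following is an added example, not code from the thread or from Certbot, that makes that triage from a log; `triage` and `probe` are hypothetical helper names and the sample log is constructed from the lines quoted above.

```python
import re
import socket
import ssl

# Constructed sample, abridged from the log lines quoted in this thread.
SAMPLE_LOG = """\
2018-06-20 14:13:27,906:DEBUG:acme.client:Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
2018-06-20 14:13:27,910:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
2018-06-20 14:13:28,070:WARNING:certbot.renewal:Attempting to renew cert (wifi.enslave.ru) from /etc/letsencrypt/renewal/wifi.enslave.ru.conf produced an unexpected error: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",). Skipping.
"""

CONNECT = re.compile(r"urllib3\.connectionpool:Starting new HTTPS connection \(\d+\): (\S+)")
RENEW = re.compile(r"Attempting to renew cert \(([^)]+)\)")


def triage(log_text):
    """Return (peer, lineage, verdict) for the first verify failure, or None.

    peer    = last host this client opened a TLS connection to before the error
    lineage = the certificate name Certbot was trying to renew
    verdict = "outbound" when the rejected certificate belongs to a remote
              service (check the local CA bundle), "own-site" otherwise
    """
    peer = None
    for line in log_text.splitlines():
        match = CONNECT.search(line)
        if match:
            peer = match.group(1)
        if "certificate verify failed" in line and peer:
            renew = RENEW.search(line)
            lineage = renew.group(1) if renew else None
            verdict = "own-site" if peer == lineage else "outbound"
            return peer, lineage, verdict
    return None


def probe(host, port=443, timeout=10):
    """Handshake with host using the system trust store (needs network access)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return "verify failed: " + exc.verify_message


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When the verdict is "outbound", running `probe` against the reported peer from the affected machine shows whether the system CA bundle can still validate it.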
