Connection error on "acme-v02.api.letsencrypt.org"

My domain is: hansungsmb.co.kr

I ran this command: certbot certonly --non-interactive --agree-tos -m orumee@hansungsmb.co.kr --webroot -w /usr/local/lsws/Example/html -d hansungsmb.co.kr -d www.hansungsmb.co.kr

It produced this output:

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
TypeError: __str__ returned non-string (type Error)

My web server is (include version): OpenLiteSpeed 1.7.14

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f5c2bf53190>
Prep: True
2021-10-07 02:30:58,154:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f5c2bf53190> and installer None
2021-10-07 02:30:58,154:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-10-07 02:30:58,176:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/122742034', new_authzr_uri=None, terms_of_service=None), 5ea1e03b1bf8b8183437ba01abdf8c44, Meta(creation_host=u'ip-172-26-3-86.ap-northeast-2.compute.internal', register_to_eff=None, creation_dt=datetime.datetime(2021, 5, 8, 1, 53, 52, tzinfo=<UTC>)))>
2021-10-07 02:30:58,183:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-10-07 02:30:58,191:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-10-07 02:30:58,539:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==1.11.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1421, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 1277, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/main.py", line 659, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 255, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 43, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 831, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1168, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1118, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 344, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=conn.timeout)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 314, in _raise_timeout
    if 'timed out' in str(err) or 'did not complete (read)' in str(err):  # Python 2.6
TypeError: __str__ returned non-string (type Error)

This is the log in /var/log/letsencrypt/letsencrypt.log
curl works on https://acme-v02.api.letsencrypt.org
I've tried installing a different version of urllib3 with pip (reverted back to system urllib3, six, requests), but to no avail.

It looks like it tried to run Python 2.7 libs while the Python runtime itself is 2.6? What does your Python version say?

python --version results in 2.7.5

I'd say the Python install is toasted then. Picking another client may be faster than debugging this.

1 Like

BTW, as your web server redirects to HTTPS but doesn't reply at all, the first issuance will need to be done by stopping the web server and using standalone, as the redirected page doesn't answer anything. (LE will ignore an expired or invalid cert there, though.)

I think this is a problem with an old version of OpenSSL and/or ca-certificates or equivalent package, which has been reported in other threads. These will probably need to be updated to more recent versions on the server.

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

Edit: sorry, for this specific interoperability problem with the API endpoint, the problem would almost surely be with the trusted CAs rather than with the version of OpenSSL. The trusted CAs package on server would need to be updated to a version including trust for the ISRG X1 root certificate.

Well, I've restored the soon-to-be-expired certificate files into the right directories and it's working.
But I need to find a way to renew the certificate before it expires...

Thanks for the reply.
Not sure if that's the problem though?
I have very limited knowledge of SSL so I could be wrong, but the same error occurs when I type
certbot certonly and type either 1 (standalone) or 2 (webroot).

I've tried copying .pem files in
/etc/letsencrypt/archive/hansungsmb.co.kr/ to
/etc/pki/ca-trust/source/anchors/
and ran update-ca-trust but no difference yet :frowning:

In CentOS 7, some Python libraries are not quite up-to-date yet

Bump requests requirement to >=2.10

After some testing, I ran

pip install urllib3==1.26.7
pip install requests==2.11.1

and certbot started working again...

Using pip to install certain packages is not recommended without virtualenv, but this seems like a fine solution to me. I'm starting to hate Python.

2 Likes

For me it didn't work, but the answer from SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed - #9 by rg305 did:

yum install ca-certificates openssl

(in fact I ran a different command, certbot renew, but the error was the same).

5 Likes
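An added example, not code from any poster in this thread: a Python 3 check for the trust-store condition described in the replies above (a CA bundle that lacks ISRG Root X1 and still carries the expired DST Root CA X3). The function names and the two sample stores are constructed for illustration; the input shape is what `ssl.SSLContext.get_ca_certs()` returns.

```python
import ssl
import time

ISRG_X1 = "ISRG Root X1"
DST_X3 = "DST Root CA X3"  # older cross-sign root, expired 2021-09-30

# Timestamp of the failing run in the thread's log, used for the samples.
THREAD_TIME = ssl.cert_time_to_seconds("Oct  7 02:30:58 2021 GMT")


def common_name(cert):
    """Subject CN of a cert dict shaped like get_ca_certs() output."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_trust_store(ca_certs, now=None):
    """Report whether ISRG Root X1 is trusted and whether an expired
    DST Root CA X3 is still present in the given list of CA certs."""
    now = time.time() if now is None else now
    status = {"isrg_x1_trusted": False, "expired_dst_x3_present": False}
    for cert in ca_certs:
        cn = common_name(cert)
        expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now
        if cn == ISRG_X1 and not expired:
            status["isrg_x1_trusted"] = True
        elif cn == DST_X3 and expired:
            status["expired_dst_x3_present"] = True
    return status


def audit_system_store():
    """Audit the default CA file this Python/OpenSSL build loads.
    Certificates found only through a capath directory are not listed."""
    return audit_trust_store(ssl.create_default_context().get_ca_certs())


# Constructed sample stores (subject and notAfter fields only).
STALE_STORE = [{"subject": ((("commonName", DST_X3),),),
                "notAfter": "Sep 30 14:01:15 2021 GMT"}]
UPDATED_STORE = STALE_STORE + [{"subject": ((("commonName", ISRG_X1),),),
                                "notAfter": "Jun  4 11:04:38 2035 GMT"}]

if __name__ == "__main__":
    print("stale sample:  ", audit_trust_store(STALE_STORE, THREAD_TIME))
    print("updated sample:", audit_trust_store(UPDATED_STORE, THREAD_TIME))
    print("this host:     ", audit_system_store())
```

A result of `isrg_x1_trusted: False` on the host is the case where updating the `ca-certificates` package, as in the reply above, is the relevant fix.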

This helped me! Thanks!

1 Like

Thanks a lot, this worked for me :+1:

1 Like
