Debian 8.3.0-6 - Problems renewing certificates

My domain is: mail.familie-born.net

I ran this command: certbot renew --force-renewal

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/die-todbringer.de.conf

Plugins selected: Authenticator webroot, Installer apache
Attempting to renew cert (die-todbringer.de) from /etc/letsencrypt/renewal/die-todbringer.de.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"))). Skipping.

Processing /etc/letsencrypt/renewal/mail.familie-born.net.conf

Plugins selected: Authenticator webroot, Installer apache
Attempting to renew cert (mail.familie-born.net) from /etc/letsencrypt/renewal/mail.familie-born.net.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"))). Skipping.

Processing /etc/letsencrypt/renewal/www.die-todbringer.de.conf

Plugins selected: Authenticator apache, Installer apache
Attempting to renew cert (www.die-todbringer.de) from /etc/letsencrypt/renewal/www.die-todbringer.de.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"))). Skipping.

Processing /etc/letsencrypt/renewal/www.skc-lohhof.de.conf

Plugins selected: Authenticator webroot, Installer apache
Attempting to renew cert (www.skc-lohhof.de) from /etc/letsencrypt/renewal/www.skc-lohhof.de.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"))). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/die-todbringer.de/fullchain.pem (failure)
/etc/letsencrypt/live/mail.familie-born.net/fullchain.pem (failure)
/etc/letsencrypt/live/www.die-todbringer.de/fullchain.pem (failure)
/etc/letsencrypt/live/www.skc-lohhof.de/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/die-todbringer.de/fullchain.pem (failure)
/etc/letsencrypt/live/mail.familie-born.net/fullchain.pem (failure)
/etc/letsencrypt/live/www.die-todbringer.de/fullchain.pem (failure)
/etc/letsencrypt/live/www.skc-lohhof.de/fullchain.pem (failure)

4 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.38 (Debian)

The operating system my web server runs on is (include version): Linux version 4.19.0-16-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.181-1 (2021-03-19)

My hosting provider, if applicable, is: server4you

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

I also tried to run host acme-v02.api.letsencrypt.org and got the following output:
host acme-v02.api.letsencrypt.org
acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c

Pinging this address works, too.

Does anyone have an idea? I've been running this for months... or years... and this is the first time I've got this error.

Thank you!

Hi @selfarian,

Welcome to the community forum.
On Debian 8 you'll need a copy of ISRG Root X1, https://letsencrypt.org/certs/isrgrootx1.pem.txt, placed in /etc/ssl/certs.

Next, you have to manually distrust the following certificate in /etc/ca-certificates.conf

!mozilla/DST_Root_CA_X3.crt

Once you've done that, run the following command to update your trust store.

update-ca-certificates

Let me know how that works out for you.

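The /etc/ca-certificates.conf edit in Phil's reply, as an added example that is not from the thread: a small Python audit of that file's format (lines starting with # are comments, a ! prefix keeps an entry listed but distrusted, anything else is trusted) that checks whether ISRG Root X1 is trusted and DST Root CA X3 is distrusted, and produces the corrected file. It assumes the entry names mozilla/ISRG_Root_X1.crt and mozilla/DST_Root_CA_X3.crt as shipped by Debian's ca-certificates package, and works on a constructed sample rather than the real file.

```python
"""Audit and fix a ca-certificates.conf for the Let's Encrypt root change.

Added example, not from the forum thread. Entry names below assume the
Debian ca-certificates package layout; SAMPLE is a constructed file.
"""
from typing import Dict, List, Tuple

ISRG = "mozilla/ISRG_Root_X1.crt"      # root that must be trusted
DST = "mozilla/DST_Root_CA_X3.crt"     # expired root to distrust

# Constructed sample: default state, nothing distrusted yet.
SAMPLE = """\
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/DST_Root_CA_X3.crt
mozilla/DigiCert_Global_Root_CA.crt
mozilla/ISRG_Root_X1.crt
"""


def parse(text: str) -> Dict[str, str]:
    """Map each .crt entry to 'trusted', 'distrusted' or 'commented'."""
    state: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            name = line.lstrip("#").strip().lstrip("!").strip()
            if name.endswith(".crt"):      # a commented-out entry, not a remark
                state[name] = "commented"
        elif line.startswith("!"):
            state[line[1:].strip()] = "distrusted"
        else:
            state[line] = "trusted"
    return state


def audit(text: str) -> Tuple[bool, bool]:
    """Return (ISRG Root X1 trusted?, DST Root CA X3 distrusted?)."""
    state = parse(text)
    return state.get(ISRG) == "trusted", state.get(DST) == "distrusted"


def distrust(text: str, name: str = DST) -> str:
    """Rewrite the file so `name` carries the '!' prefix; append it if absent."""
    out: List[str] = []
    seen = False
    for raw in text.splitlines():
        bare = raw.strip().lstrip("#").strip().lstrip("!").strip()
        if bare == name:
            out.append("!" + name)
            seen = True
        else:
            out.append(raw)
    if not seen:
        out.append("!" + name)
    return "\n".join(out) + "\n"
```

Run update-ca-certificates after writing the corrected file; it reports the distrusted entry as removed.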

Hello @Phil,

thanks for your answer. But this doesn't work for me. I got the file mentioned above (with wget), tried to place it as txt or pem in the directory /etc/ssl/certs, and I commented out the line you mentioned with !. Then I ran update-ca-certificates and got 1 removed, 0 added. After that I tried to rerun certbot and got the same error:
[...]Attempting to renew cert (www.die-todbringer.de) from /etc/letsencrypt/renewal/www.die-todbringer.de.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])"))). Skipping.[...] (just one of them, as an example).
