DeprecationWarning: signer and verifier have been deprecated./UPD: Cert installed, https won't work

Command: ./certbot-auto run
/root/.local/share/letsencrypt/lib/python2.6/site-packages/cryptography/ DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

Obtaining a new certificate
/root/.local/share/letsencrypt/lib/python2.6/site-packages/acme/jose/ DeprecationWarning: signer and verifier have been deprecated. Please use sign and verify instead.
signer = key.signer(self.padding, self.hash)
Performing the following challenges:
tls-sni-01 challenge for
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Server only speaks HTTP, not TLS


  • The following errors were reported by the server:

    Type: malformed
    Detail: Server only speaks HTTP, not TLS

    To fix these errors, please make sure that you did not provide any
    invalid information to the client, and try running Certbot again.

OS: centos-release-6-9.el6.12.3.x86_64
Server version: Apache/2.2.15 (Unix)

Perhaps there is another service already using port 443

I’ve checked it with netstat, it’s httpd.

Then track down which vhost is using 443 and ensure all are set as expected.

OK. Dealt with that. Now I have cert installed properly in /etc/letsencrypt/live/…
In domain-le-ssl.conf everything looks OK

ServerName ServerAlias
DocumentRoot /var/www/html/plotterblog

DefaultType application/octet-stream
ScriptAlias /cgi-bin/ /var/www/html/plotterblog/cgi-bin/

<Directory /var/www/html/plotterblog/cgi-bin>
	Options ExecCGI FollowSymLinks
	AllowOverride  ALL

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/

But both https:// and http:// won’t work.
In FF it’s “Secure Connection Failed”

Hello @aqwed11,

Seems you have some kind of multiplexer like sshttp so you can access your https server and ssh server using the same port (443).

web server connection

$ curl -IkL
HTTP/1.1 301 Moved Permanently
Date: Mon, 14 Aug 2017 11:56:14 GMT
Server: Apache/2.2.15 (CentOS)
Connection: close
Content-Type: text/html; charset=iso-8859-1

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

ssh connection:

$ ssh -v 443  (Edit: the right command is ssh -v -p443
OpenSSH_7.1p2, OpenSSL 1.0.1g 7 Apr 2014
[...]'s password:

So, seems you have not configured it properly to work with your Apache server.

Edit: The above ssh command is wrong; it is not connecting to port 443, so it is not related to sshttp, sorry.
Good luck.

netstat -nlp shows that the only service that uses 443 is httpd. ssh uses another port.
And that part with

"Failed authorization procedure. (tls-sni-01): urn:acme:error:malformed :: The request message was malformed :: Server only speaks HTTP, not TLS"

is already solved. At least I do not receive any warnings and everything looks OK. The site just won't open.
If it's something that I must set up in the Apache config, please tell me what it is. I've tried a lot of variants already.

Hi @aqwed11,

Forget what I said, it is not related to sshttp; I mistyped the ssh command to connect to your server.


Did you install the mod_ssl module for your Apache?

To check if it is installed:

rpm -q mod_ssl

or checking if it is being used by Apache:

httpd -M |grep ssl_module

and you should see a line like this:

ssl_module (shared)

If it is not installed then you must install it:

yum install mod_ssl


About 80% of the time, this is a result of having a different Apache configuration file (not the one related to your Let's Encrypt certificate) that tells Apache to listen on port 443, but does not include the SSLEngine and other TLS-related directives.

I would suggest checking with

grep -r 443 /etc/apache2

to see if you can find an inappropriate non-HTTPS-related configuration listening to port 443.

1 Like
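The check suggested in the post above (find a configuration that serves port 443 without SSLEngine and the other TLS directives), as an added example that is not part of the original thread or of Certbot. The function names and sample file names are hypothetical; the script follows plain `Include` paths relative to the server root (for example /etc/httpd on the CentOS layout in this thread) but not glob patterns.

```python
import re
import tempfile
from pathlib import Path

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]*)>", re.I)
SSL_ON = re.compile(r"^\s*SSLEngine\s+on\b", re.I)
INCLUDE = re.compile(r"^\s*Include\s+(\S+)", re.I)

def enables_tls(lines, server_root, depth=0):  # follows Include files, not globs
    for line in lines:
        if SSL_ON.match(line):
            return True
        m = INCLUDE.match(line)
        inc = Path(server_root, m.group(1)) if m else None
        if inc and depth < 5 and inc.is_file():
            if enables_tls(inc.read_text().splitlines(), server_root, depth + 1):
                return True
    return False

def plain_http_443_vhosts(conf_files, server_root):
    """Yield (file name, address) for each :443 vhost that never enables TLS."""
    for conf in conf_files:
        block = None
        for line in Path(conf).read_text().splitlines():
            m = VHOST_OPEN.match(line)
            if m:
                addr, block = m.group(1).strip(), []
            elif block is not None and line.strip().lower().startswith("</virtualhost"):
                if re.search(r":443(\s|$)", addr) and not enables_tls(block, server_root):
                    yield (Path(conf).name, addr)
                block = None
            elif block is not None:
                block.append(line)

SAMPLES = {  # constructed sample configs, not taken from the thread
    "options-ssl.conf": "SSLEngine on\n",
    "ssl.conf": "Listen 443\n<VirtualHost _default_:443>\nSSLEngine on\n</VirtualHost>\n",
    "site-le-ssl.conf": "<VirtualHost *:443>\nInclude options-ssl.conf\n</VirtualHost>\n",
    "legacy.conf": "<VirtualHost *:443>\nDocumentRoot /var/www/html\n</VirtualHost>\n",
}

def demo():
    root = tempfile.mkdtemp()
    for name, body in SAMPLES.items():
        Path(root, name).write_text(body)
    return list(plain_http_443_vhosts(sorted(Path(root).glob("*.conf")), root))

if __name__ == "__main__":
    print(demo())
```

A vhost reported here answers in plain HTTP on port 443, which is what produces "Server only speaks HTTP, not TLS" on the ACME side and "unknown protocol" in curl.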


Server only speaks HTTP, not TLS

This issue was solved yesterday. At least I receive no warnings on that.
Yes, mod_ssl is installed and loaded by Apache. phpinfo() and httpd -M |grep ssl_module report it.

As for 443:
grep -r 443 /etc/httpd shows that Listen 443 is only added in ssl.conf.
Here's the full result:

/etc/httpd/conf.d/ssl.conf:Listen 443
/etc/httpd/certbot-auto: --hash=...

And I've tried to edit ssl.conf and domain-le-ssl.conf as it was said here. No result.

It seems that Apache is taking ssl.conf settings for this vhost instead of the vhost's.


LoadModule ssl_module modules/
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
VirtualHost default:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<Files ~ ".(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars

<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars

SetEnvIf User-Agent ".MSIE."
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"


IfModule mod_ssl.c

  DocumentRoot /var/www/html/plotterblog
  DefaultType application/octet-stream
  ScriptAlias /cgi-bin/ /var/www/html/plotterblog/cgi-bin/

  <Directory /var/www/html/plotterblog/cgi-bin>
  	Options ExecCGI FollowSymLinks
  	AllowOverride  ALL

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/

Please show this public cert file.
It may help explain what is bound to 443.

File: localhost.crt Line 1 Col 0 1440 bytes 100%

That cert was created two days ago and has these details:

Do you recognize it?

Yes. One of our subdomains.
But the cert was intended not for this domain but for and I can’t find any traces for this subdomain in apache confs.
How can I make a certificate for this domain with certbot? And thank you.

You do have a cert for that domain - please show public cert:

[quote="aqwed11, post:11, topic:40107"]
SSLCertificateFile /etc/letsencrypt/live/

I believe the problem is with port 443 access not the cert.

The port is open
netstat -tulpn
tcp 0 0* LISTEN 1023/httpd
tcp 0 0* LISTEN 1023/httpd
and iptables is set.
OK, stuck. Donno what else to do.

It looks like you’re still getting HTTP instead of HTTPS on port 443.

While I don’t see anything immediately wrong with your ssl.conf, I wonder if you could first look in your Apache error log to see if Apache encountered any errors in parsing it, and in any case temporarily disable its use by causing it not to be included, to see if that clears up the problem somehow.

Hi @aqwed11,

Just a test, could you please modify your domain-le-ssl.conf file?

Change this part:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/

To this:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
#Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/

Restart Apache and try again to connect to your https site.


The latest lines from error log, corresponding to the issue:

[Tue Aug 15 19:29:39 2017] [notice] caught SIGTERM, shutting down
[Tue Aug 15 19:29:39 2017] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Aug 15 19:29:39 2017] [notice] Digest: generating secret for digest authentication …
[Tue Aug 15 19:29:39 2017] [notice] Digest: done
[Tue Aug 15 19:29:39 2017] [notice] Apache/2.2.15 (Unix) PHP/5.6.30 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured – resuming normal operations