Error creating the certificate HELP!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: unipesa.dev

I ran this command: certbot --apache

It produced this output: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 348, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1837, in load_certificate
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'get_name', 'no start line')]
An unexpected error occurred:

My web server is (include version): apache2

The operating system my web server runs on is (include version): ubuntu 20.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

Hi, please upgrade Certbot to the latest version. Your version is using V1 of the Let's Encrypt API which is no longer available.

@webprofusion I'm pretty sure certbot 0.40.0 has V2 capabilities (checked: since 0.26.0 ACMEv2 is the default API) and that this error is not due to the fact it tries to connect to the V1 API: why would that result in such a specific OpenSSL PEM error?

@Friday13 Please provide the contents of the certbot log from /var/log/letsencrypt/letsencrypt.log


cat /var/log/letsencrypt/letsencrypt.log
2021-06-04 14:45:21,980:DEBUG:certbot.main:certbot version: 0.40.0
2021-06-04 14:45:21,981:DEBUG:certbot.main:Arguments: ['--apache']
2021-06-04 14:45:21,982:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-04 14:45:22,008:DEBUG:certbot.log:Root logging level set at 20
2021-06-04 14:45:22,008:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-06-04 14:45:22,009:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2021-06-04 14:45:22,121:DEBUG:certbot_apache.configurator:Apache version is 2.4.41
2021-06-04 14:45:22,533:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fcbf5ab1790>
Prep: True
2021-06-04 14:45:22,535:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x7fcbf5ab1790> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7fcbf5ab1790>
2021-06-04 14:45:22,535:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-06-04 14:45:22,539:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/118461153', new_authzr_uri=None, terms_of_service=None), 9e3e527b5c095a9d2ee335c736f985f0, Meta(creation_dt=datetime.datetime(2021, 4, 8, 10, 33, 2, tzinfo=), creation_host='smqqbvsb3693'))>
2021-06-04 14:45:22,540:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-06-04 14:45:22,542:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-06-04 14:45:23,060:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-06-04 14:45:23,060:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 04 Jun 2021 12:45:22 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"Uq1sYyCF1d0": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-06-04 14:45:25,207:ERROR:certbot.crypto_util:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 348, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1837, in load_certificate
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'get_name', 'no start line')]
2021-06-04 14:45:25,209:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1128, in run
should_get_cert, lineage = _find_cert(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 287, in _find_cert
action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 314, in _find_lineage_for_domains_and_certname
return _find_lineage_for_domains(config, domains)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 257, in _find_lineage_for_domains
ident_names_cert, subset_names_cert = cert_manager.find_duplicative_certs(config, domains)
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 167, in find_duplicative_certs
return _search_lineages(config, update_certs_for_domain_matches, (None, None))
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 387, in _search_lineages
rv = func(candidate_lineage, rv, *args)
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 155, in update_certs_for_domain_matches
candidate_names = set(candidate_lineage.names())
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 880, in names
return crypto_util.get_names_from_cert(f.read())
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 395, in get_names_from_cert
return _get_names_from_cert_or_req(
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 376, in _get_names_from_cert_or_req
loaded_cert_or_req = _load_cert_or_req(cert_or_req, load_func, typ)
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 348, in _load_cert_or_req
return load_func(typ, cert_or_req_str)
File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1837, in load_certificate
_raise_current_error()
File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'get_name', 'no start line')]
2021-06-04 14:45:25,211:ERROR:certbot.log:An unexpected error occurred:

Thanks yes you're right, this seems to be a problem reading the account key.


How to fix it? Previously, there was no problem, now there are about 12 active certificates. We need to request more, but we can't.

I think the function get_names_from_cert() gives away it isn't related to the account key, but related to a certificate (or CSR), perhaps an existing certificate or the CSR for a new cert.

@Friday13 Could you tell us when this error occurs? Could you please give us the exact output of the command certbot --apache you ran earlier? So including all the choices you've made during that time.

It's unfortunate the certbot log doesn't tell us which certificate or CSR is to blame..

It's possible that a certificate file has been deleted and certbot is trying to load the certificate details to see if it should be renewed, but failing. I really would suggest upgrading to the latest certbot you can, that way we can cross reference the error message to current lines of code.

Does sudo certbot del**** [command edited as not safe] list any certificates that you may have recently removed from the file system? If so you could delete them properly using that command.

You could also view the code at the v0.40.0 tag: GitHub - certbot/certbot at v0.40.0

Note that running that command before a certain certbot version could instantaneously delete ALL certificates without warning when enter is simply pressed at the question about which certificates are to be deleted!!! So don't press enter! (I added a confirmation request back in October 2020 to version v1.10.0 to make accidentally deleting certs a little bit harder..)

Also, I'm not sure how certbot delete would be more helpful than using certbot certificates?


Thanks, did not know that! Ok, so don't do that then :)

@Friday13 if you do want to try out different upgrades etc the safest method is to snapshot your virtual machine and create a new instance to test with, that way you can safely run and commands or upgrades and rollback if there is a problem.

Once you have the steps worked out you can then perform them on your real server.


After the command certbot --apache, a list of domains appears, I select a new domain for which the certificate was not taken. It also returns an error on the old ones.

certbot --apache and certbot delete return a list of domains

Does the following command work? Please paste its entire output here:

certbot certificates

I think one of the previously issued certificates is broken, hopefully this command tells us which.

root@unipesa-dev:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the cert located at /etc/letsencrypt/live/api.lev.unipesa.dev/cert.pem has failed. Details: Unable to load certificate. See Frequently asked questions — Cryptography 35.0.0.dev1 documentation for more details.
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 236, in verify_renewable_cert_sig
cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend())
File "/usr/lib/python3/dist-packages/cryptography/x509/base.py", line 52, in load_pem_x509_certificate
return backend.load_pem_x509_certificate(data)
File "/usr/lib/python3/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1213, in load_pem_x509_certificate
raise ValueError(
ValueError: Unable to load certificate. See Frequently asked questions — Cryptography 35.0.0.dev1 documentation for more details.
Renewal configuration file /etc/letsencrypt/renewal/api.lev.unipesa.dev.conf produced an unexpected error: verifying the signature of the cert located at /etc/letsencrypt/live/api.lev.unipesa.dev/cert.pem has failed. Details: Unable to load certificate. See Frequently asked questions — Cryptography 35.0.0.dev1 documentation for more details.. Skipping.


Found the following certs:
Certificate Name: api.andrey.unipesa.dev
Domains: api.andrey.unipesa.dev api.lev.unipesa.dev api.muz.unipesa.dev www.api.andrey.unipesa.dev www.api.lev.unipesa.dev www.api.muz.unipesa.dev
Expiry Date: 2021-08-17 13:59:59+00:00 (VALID: 70 days)
Certificate Path: /etc/letsencrypt/live/api.andrey.unipesa.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api.andrey.unipesa.dev/privkey.pem
Certificate Name: api.muz.unipesa.dev
Domains: api.muz.unipesa.dev
Expiry Date: 2021-08-17 14:17:58+00:00 (VALID: 70 days)
Certificate Path: /etc/letsencrypt/live/api.muz.unipesa.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api.muz.unipesa.dev/privkey.pem
Certificate Name: api.unipesa.dev
Domains: api.unipesa.dev
Expiry Date: 2021-07-25 14:19:17+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/api.unipesa.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/api.unipesa.dev/privkey.pem
Certificate Name: backoffice-api.unipesa.dev
Domains: backoffice-api.unipesa.dev
Expiry Date: 2021-07-25 14:20:04+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/backoffice-api.unipesa.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/backoffice-api.unipesa.dev/privkey.pem
Certificate Name: backoffice.unipesa.dev
Domains: backoffice.unipesa.dev
Expiry Date: 2021-08-09 06:59:14+00:00 (VALID: 62 days)
Certificate Path: /etc/letsencrypt/live/backoffice.unipesa.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/backoffice.unipesa.dev/privkey.pem
Certificate Name: site.unipesa.dev
Domains: site.unipesa.dev
Expiry Date: 2021-07-25 13:21:22+00:00 (VALID: 47 days)
Certificate Path: /etc/letsencrypt/live/site.unipesa.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/site.unipesa.dev/privkey.pem
Certificate Name: sms.unipesa.dev
Domains: sms.unipesa.dev
Expiry Date: 2021-08-04 06:29:38+00:00 (VALID: 57 days)
Certificate Path: /etc/letsencrypt/live/sms.unipesa.dev/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sms.unipesa.dev/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/api.lev.unipesa.dev.conf


Gotcha! So it seems /etc/letsencrypt/live/api.lev.unipesa.dev/cert.pem is broken. Could you share its contents? cert.pem is publicly published anyway, but privkey.pem should be kept private at all times!

Although I still find it weird certbot --apache crashes entirely.. But you're using a very old version of certbot, perhaps it has been fixed in later versions. But first, let us fix your current setup.

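The error the thread narrows down to, ('PEM routines', 'get_name', 'no start line'), is OpenSSL saying it never found a "-----BEGIN" line in the file it was handed: a zero-byte cert.pem (for instance after an interrupted write), a file saved as raw DER, or a file containing something that is not a certificate at all will all produce it. Before sharing or replacing a suspect cert.pem it helps to know which of those cases you are looking at. The script below is an added example, not code from the thread or from Certbot: it walks a live/<name>/cert.pem layout like /etc/letsencrypt/live and reports, per lineage, whether the file is structurally a PEM certificate. The lineage names and the tiny DER blob it uses are constructed for the demonstration (the blob is not a real certificate), and the check is structural only, not a signature or chain validation.

```python
"""Structural check of cert.pem files (added example, not Certbot code).

Everything under build_sample_tree() is constructed: the lineage names are
hypothetical and TOY_DER is not a real certificate.
"""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# OpenSSL's PEM reader scans for a "-----BEGIN ...-----" line; when it never
# finds one it reports ('PEM routines', 'get_name', 'no start line').
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

# Constructed stand-in for a certificate body: the DER encoding of
# SEQUENCE { INTEGER 1 }.  Not a real certificate; it only lets the
# structural check succeed.
TOY_DER = b"\x30\x03\x02\x01\x01"
TOY_PEM = (b"-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(TOY_DER)
           + b"-----END CERTIFICATE-----\n")


def classify_pem_cert(data: bytes) -> str:
    """Classify the raw bytes of a cert.pem file.

    Returns 'empty', 'der not pem', 'no start line', 'bad base64',
    'not a der sequence' or 'ok'.  The first three are the cases OpenSSL
    lumps together as "no start line".
    """
    if not data.strip():
        return "empty"
    match = PEM_CERT_RE.search(data)
    if match is None:
        # A raw DER certificate starts with an ASN.1 SEQUENCE tag (0x30):
        # a valid certificate saved in the wrong encoding.
        if data[:1] == b"\x30":
            return "der not pem"
        return "no start line"
    try:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except binascii.Error:
        return "bad base64"
    if not der or der[0] != 0x30:
        return "not a der sequence"
    return "ok"


def scan_live_dir(live_dir) -> dict:
    """Map each lineage under live_dir to the status of its cert.pem,
    mirroring the /etc/letsencrypt/live/<name>/cert.pem layout."""
    return {
        cert.parent.name: classify_pem_cert(cert.read_bytes())
        for cert in sorted(Path(live_dir).glob("*/cert.pem"))
    }


def build_sample_tree() -> Path:
    """Create a constructed live/ tree: one healthy and three broken lineages."""
    root = Path(tempfile.mkdtemp(prefix="live-"))
    samples = {
        "good.example": TOY_PEM,                    # well-formed PEM
        "empty.example": b"",                       # zero-byte file
        "der.example": TOY_DER,                     # DER where PEM was expected
        "garbage.example": b"<html>oops</html>\n",  # not a certificate at all
    }
    for name, content in samples.items():
        (root / name).mkdir()
        (root / name / "cert.pem").write_bytes(content)
    return root


def demo() -> dict:
    """Scan the constructed tree; returns {lineage: status}."""
    return scan_live_dir(build_sample_tree())


if __name__ == "__main__":
    for lineage, status in demo().items():
        print(f"{lineage:20} {status}")
```

Pointing scan_live_dir() at the real /etc/letsencrypt/live (as root) lists every lineage whose cert.pem would trip certbot's loader, which is the same information certbot certificates gives when it skips a renewal configuration, but without needing certbot to get that far. A file that comes back 'ok' here can still be a broken certificate; for that, openssl x509 -in cert.pem -noout -text is the next check.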
