Error in renewal configuration file for RSAPublicKey object

My domain is: stitch-maps.com, derbytriage.com

I ran this command: sudo certbot certificates

It produced this output:

=== to the console:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/derbytriage.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribute 'verifier'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/stitch-maps.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribute 'verifier'. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/derbytriage.com.conf
  /etc/letsencrypt/renewal/stitch-maps.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

=== excerpted from /var/log/letsencrypt/letsencrypt.log:

2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:certbot version: 1.21.0
2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:Arguments: []
2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#
webroot)
2022-09-29 13:47:49,107:DEBUG:certbot._internal.log:Root logging level set at 30
2022-09-29 13:47:49,110:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/derbytriage.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribut
e 'verifier'. Skipping.
2022-09-29 13:47:49,112:DEBUG:certbot._internal.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/cert_manager.py", line 78, in certificates
    crypto_util.verify_renewable_cert(renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 329, in verify_renewable_cert
    verify_renewable_cert_sig(renewable_cert)
  File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 349, in verify_renewable_cert_sig
    verify_signed_payload(pk, cert.signature, cert.tbs_certificate_bytes,
  File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 373, in verify_signed_payload
    verifier = public_key.verifier(
AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

[ditto for /etc/letsencrypt/renewal/stitch-maps.com.conf]

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Hi @jcbriar, and welcome to the LE community forum

Can I have a look at this file?

Hello @jcbriar, welcome to the Let's Encrypt community.

You have successfully been getting certificates issued for both sites for awhile now.

1. crt.sh | stitch-maps.com
2. crt.sh | derbytriage.com

Has something changed? Or upgrade or new server with new install?
It looks like you are running fairly up-to-date and recent versions of software.
The reason I ask is when I Googled '_RSAPublicKey' object has no attribute 'verifier' I saw hints that the changes in going to OpenSSL 3.x had some errors like in other places.

# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/derbytriage.com
cert = /etc/letsencrypt/live/derbytriage.com/cert.pem
privkey = /etc/letsencrypt/live/derbytriage.com/privkey.pem
chain = /etc/letsencrypt/live/derbytriage.com/chain.pem
fullchain = /etc/letsencrypt/live/derbytriage.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = [[redacted]]
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

So, it doesn't seem like it has anything to do with the contents of that file.
The OpenSSL 3 seems to be the lead suspect now.
Show us:
openssl version

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Ok, try updating to the latest certbot version [in case this has already been addressed].

Okay, I’ll give that a try tomorrow. Thanks!

I don't know if this relates, as it is from October 2017, but in the search for the needle in the haystack.

Your Certbot version is too old relative to your cryptography library, which probably is more recent than version 2.1.

In cryptography version >2.1 the verifier() function was removed and in Remove use of deprecated verifier with cryptography (#9105) · certbot/certbot@267fb94 · GitHub Certbot fixed this. However, that fix was not present in version 1.21.0 of Certbot, but since version 1.22.0.

So you either need to update your Certbot to 1.22.0 or newer or downgrade your cryptography library to version 2.1 or older.

Big thanks to rg305 and Osiris! apt install --only-upgrade certbot claimed that I had the latest certbot, but clearly apt’s repositories are out of date. Following these instructions got certbot 1.30.0 installed via snap. And now sudo certbot certificates works without complaint; yay!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.