Error in renewal configuration file for RSAPublicKey object

My domain is: stitch-maps.com, derbytriage.com

I ran this command: sudo certbot certificates

It produced this output:

=== to the console:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/derbytriage.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribute 'verifier'. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/stitch-maps.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribute 'verifier'. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/derbytriage.com.conf
  /etc/letsencrypt/renewal/stitch-maps.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

=== excerpted from /var/log/letsencrypt/letsencrypt.log:

2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:certbot version: 1.21.0
2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:Arguments: []
2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-09-29 13:47:49,107:DEBUG:certbot._internal.log:Root logging level set at 30
2022-09-29 13:47:49,110:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/derbytriage.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribute 'verifier'. Skipping.
2022-09-29 13:47:49,112:DEBUG:certbot._internal.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/cert_manager.py", line 78, in certificates
    crypto_util.verify_renewable_cert(renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 329, in verify_renewable_cert
    verify_renewable_cert_sig(renewable_cert)
  File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 349, in verify_renewable_cert_sig
    verify_signed_payload(pk, cert.signature, cert.tbs_certificate_bytes,
  File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 373, in verify_signed_payload
    verifier = public_key.verifier(
AttributeError: '_RSAPublicKey' object has no attribute 'verifier'

[ditto for /etc/letsencrypt/renewal/stitch-maps.com.conf]

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 22.04 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

8 Likes

Hi @jcbriar, and welcome to the LE community forum :slight_smile:

Can I have a look at this file?

8 Likes

Hello @jcbriar, welcome to the Let's Encrypt community. :slightly_smiling_face:

You have successfully been getting certificates issued for both sites for a while now.

  1. crt.sh | stitch-maps.com
  2. crt.sh | derbytriage.com

Has something changed? Or upgrade or new server with new install?
It looks like you are running fairly up-to-date and recent versions of software. :slight_smile:
The reason I ask is when I Googled '_RSAPublicKey' object has no attribute 'verifier' I saw hints that the changes in going to OpenSSL 3.x had some errors like in other places.

2 Likes

# renew_before_expiry = 30 days
version = 1.21.0
archive_dir = /etc/letsencrypt/archive/derbytriage.com
cert = /etc/letsencrypt/live/derbytriage.com/cert.pem
privkey = /etc/letsencrypt/live/derbytriage.com/privkey.pem
chain = /etc/letsencrypt/live/derbytriage.com/chain.pem
fullchain = /etc/letsencrypt/live/derbytriage.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = [[redacted]]
authenticator = apache
installer = apache
server = https://acme-v02.api.letsencrypt.org/directory

7 Likes

So, it doesn't seem like it has anything to do with the contents of that file.
The OpenSSL 3 seems to be the lead suspect now.
Show us:
openssl version

9 Likes

OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

9 Likes

Ok, try updating to the latest certbot version [in case this has already been addressed].

9 Likes

Okay, I’ll give that a try tomorrow. Thanks!

9 Likes

I don't know if this relates, as it is from October 2017, but in the search for the needle in the haystack.

Your Certbot version is too old relative to your cryptography library, which probably is more recent than version 2.1.

In cryptography version >2.1 the verifier() function was removed, and in "Remove use of deprecated verifier with cryptography (#9105) · certbot/certbot@267fb94 · GitHub" Certbot fixed this. However, that fix was not present in version 1.21.0 of Certbot, but since version 1.22.0.

So you either need to update your Certbot to 1.22.0 or newer or downgrade your cryptography library to version 2.1 or older.

11 Likes
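
A triage helper for this failure, added here as an example and not posted by anyone in the thread: it scans a letsencrypt.log excerpt for the Certbot version and the `verifier` AttributeError, then compares the version with the 1.22.0 fix release named in the reply above. The function names, verdict strings and sample log (modelled on the excerpt in the first post) are constructed for illustration, and it assumes one Certbot run per log.

```python
import re

FIXED_IN = (1, 22, 0)  # first Certbot release with the fix, per the reply above
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}:")
VERSION_RE = re.compile(r"certbot version: (\d+(?:\.\d+)*)")
ERROR_RE = re.compile(
    r"Renewal configuration file (\S+) produced an unexpected error: "
    r"'_RSAPublicKey' object has no attribute 'verifier'"
)

# Constructed sample modelled on the log excerpt in the first post; the second
# record is hard-wrapped mid-word, as happens when a log is pasted from a terminal.
SAMPLE_LOG = """\
2022-09-29 13:47:49,091:DEBUG:certbot._internal.main:certbot version: 1.21.0
2022-09-29 13:47:49,110:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/derbytriage.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribut
e 'verifier'. Skipping.
2022-09-29 13:47:49,115:WARNING:certbot._internal.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/stitch-maps.com.conf produced an unexpected error: '_RSAPublicKey' object has no attribute 'verifier'. Skipping.
"""

def unfold(log_text):
    """Re-join wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in log_text.splitlines():
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def parse_version(text):
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "1.22" to (1, 22, 0)

def triage(log_text):
    """Return (certbot_version, affected_renewal_configs, verdict)."""
    joined = "\n".join(unfold(log_text))
    match = VERSION_RE.search(joined)
    version = parse_version(match.group(1)) if match else None
    affected = sorted(set(ERROR_RE.findall(joined)))
    if not affected:
        verdict = "no-verifier-error"
    elif version is None:
        verdict = "verifier-error-unknown-certbot-version"
    elif version < FIXED_IN:
        verdict = "upgrade-certbot"
    else:
        verdict = "verifier-error-on-fixed-version"
    return version, affected, verdict

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```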

Big thanks to rg305 and Osiris! apt install --only-upgrade certbot claimed that I had the latest certbot, but clearly apt’s repositories are out of date. Following these instructions got certbot 1.30.0 installed via snap. And now sudo certbot certificates works without complaint; yay!

5 Likes
