Getting certbot to trust non_public CA Cert Chain on Windows

Hi All,

Wondering how to get certbot to trust my non public CA cert chain on Windows. I have installed the cert chain under Trusted Root Certificate Authorites on my Windows server but still get the following error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='', port=443): Max retries exceeded with url: /acme/ajceg621/ecsaj000102~sub37603/acme_profile/directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1125)')))e[0m

The only way I can get this to work is is I add the "--no-verify-ssl" to the command.

Anyone have ideas?

You could use the REQUESTS_CA_BUNDLE environment variable to provide your own list of trusted CA certificates.

1 Like

Hi @teamjanlil and welcome to the LE community forum :slight_smile:

I'm generally NOT easily confused...
But this topic has me confused; because certbot only needs to communicate securely with LE and that should never be done through anything that would require a locally added intermediate chain or root.
So I fail to understand how that error message is being thrown by certbot. But I do see that --no-verify-ssl is a valid certbot parameter.
If you are somehow proxying all outbound requests [MITM] and expecting certbot to trust your system for requests to LE, then I can see why that would be a problem.

Based on the context and URL, this looks to me like this user is running a custom ACME server and points certbot to that, so no LE involved.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.