Help me resolve this problem

Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

Hello @Sholpanov, welcome to the Let's Encrypt community. 🙂

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

2 Likes

domain atyrau.112.kz
server nginx
OS Ubuntu 22.04.1 LTS
certbot 2.5.0

1 Like

Please share

1 Like

2023-04-16 23:08:49,204:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2023-04-16 23:08:49,438:DEBUG:certbot._internal.main:certbot version: 2.5.0
2023-04-16 23:08:49,439:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/2913/bin/certbot
2023-04-16 23:08:49,439:DEBUG:certbot._internal.main:Arguments: ['--preconfigured-renewal']
2023-04-16 23:08:49,439:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2023-04-16 23:08:49,449:DEBUG:certbot._internal.log:Root logging level set at 30
2023-04-16 23:08:49,450:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2023-04-16 23:08:49,455:DEBUG:certbot.plugins.util:Failed to find executable apache2ctl in PATH: /snap/certbot/2913/bin:/snap/certbot/2913/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
2023-04-16 23:08:49,455:DEBUG:certbot._internal.plugins.disco:No installation (PluginEntryPoint#apache): Cannot find Apache executable apache2ctl
Traceback (most recent call last):
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 111, in prepare
self._initialized.prepare()
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 358, in prepare
self._verify_exe_availability(self.options.ctl)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot_apache/_internal/configurator.py", line 476, in _verify_exe_availability
raise errors.NoInstallationError(
certbot.errors.NoInstallationError: Cannot find Apache executable apache2ctl
2023-04-16 23:08:49,639:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: Authenticator, Installer, Plugin
Entry point: nginx = certbot_nginx._internal.configurator:NginxConfigurator
Initialized: <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f50753798e0>
Prep: True
2023-04-16 23:08:49,640:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f50753798e0> and installer <certbot_nginx._internal.configurator.NginxConfigurator object at 0x7f50753798e0>
2023-04-16 23:08:49,640:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2023-04-16 23:08:59,144:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2023-04-16 23:08:59,146:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2023-04-16 23:08:59,961:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/connectionpool.py", line 703, in urlopen
httplib_response = self._make_request(
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/connectionpool.py", line 386, in _make_request
self._validate_conn(conn)
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
conn.connect()
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/connection.py", line 414, in connect
self.sock = ssl_wrap_socket(
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/snap/certbot/2913/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/snap/certbot/2913/usr/lib/python3.8/ssl.py", line 1040, in _create
self.do_handshake()
File "/snap/certbot/2913/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/snap/certbot/2913/lib/python3.8/site-packages/requests/adapters.py", line 489, in send
resp = conn.urlopen(
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/connectionpool.py", line 787, in urlopen
retries = retries.increment(
File "/snap/certbot/2913/lib/python3.8/site-packages/urllib3/util/retry.py", line 592, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/snap/certbot/2913/bin/certbot", line 8, in <module>
sys.exit(main())
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1864, in main
return config.func(config, plugins)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 1440, in run
le_client = _init_le_client(config, authenticator, installer)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 830, in _init_le_client
acc, acme = _determine_account(config)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/main.py", line 738, in _determine_account
acc, acme = client.register(
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 207, in register
acme = acme_from_config_key(config, key)
File "/snap/certbot/2913/lib/python3.8/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
directory = acme_client.ClientV2.get_directory(config.server, net)
File "/snap/certbot/2913/lib/python3.8/site-packages/acme/client.py", line 331, in get_directory
return messages.Directory.from_json(net.get(url).json())
File "/snap/certbot/2913/lib/python3.8/site-packages/acme/client.py", line 706, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/snap/certbot/2913/lib/python3.8/site-packages/acme/client.py", line 648, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/snap/certbot/2913/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
resp = self.send(prep, **send_kwargs)
File "/snap/certbot/2913/lib/python3.8/site-packages/requests/sessions.py", line 701, in send
r = adapter.send(request, **kwargs)
File "/snap/certbot/2913/lib/python3.8/site-packages/requests/adapters.py", line 563, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))
2023-04-16 23:08:59,963:ERROR:certbot._internal.log:An unexpected error occurred:
2023-04-16 23:08:59,964:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get

Would you show what this does?

curl -I https://google.com

3 Likes

curl -I https://google.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

You get the same problem connecting to Google as you do when trying to connect to the Let's Encrypt ACME server. This is not a problem unique to Let's Encrypt, and you can stop trying to get certs until this is fixed.

One possible cause is that something is wrong with your O/S CA Certificate Store. I thought you might have an old O/S but Ubuntu 22 is fairly recent. So, I'm not sure what could damage it.

What does this show:

curl -v https://acme-v02.api.letsencrypt.org

3 Likes

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Thanks. Now what does this show?

ls -l /etc/ssl/certs | grep ISRG

And this:

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

3 Likes

root@atyrau-nginx-61:/home/kansible# ls -l /etc/ssl/certs | grep ISRG
lrwxrwxrwx 1 root root 16 Jul 12 2022 4042bcee.0 -> ISRG_Root_X1.pem
lrwxrwxrwx 1 root root 51 Jul 12 2022 ISRG_Root_X1.pem -> /usr/share/ca-certificates/mozilla/ISRG_Root_X1.crt

1 Like

depth=1 C = KZ, ST = Astana, L = Astana, O = State Technical Service, OU = HQ, CN = USIAG Intermediate March, emailAddress = support@sts.kz
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
CONNECTED(00000003)

Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = KZ, ST = Astana, L = Astana, O = State Technical Service, OU = HQ, CN = USIAG Intermediate March, emailAddress = support@sts.kz
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 7 18:47:54 2023 GMT; NotAfter: Jun 5 18:47:53 2023 GMT
1 s:C = KZ, ST = Astana, L = Astana, O = State Technical Service, OU = HQ, CN = USIAG Intermediate March, emailAddress = support@sts.kz
i:C = KZ, ST = Nur-Sultan, O = State Technical Service, OU = HQ, CN = Unified State Internet Access Gateway, emailAddress = support@sts.kz
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
DONE

1 Like

That's the problem. When you make connections from your server outbound to others, they are being blocked by what looks like a firewall being run by State Technical Service.

Does Astana or USIAG or sts.kz mean anything to you?

EDIT: Also, what does this show?

curl -Ik https://acme-v02.api.letsencrypt.org/directory

3 Likes
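
The triage step applied to the `openssl s_client` output above, as an added example (not code from this thread or from Certbot): it parses the "Certificate chain" section and lists every certificate whose issuer organisation is not one you expect for the host. The function names, the `EXPECTED_ORGS` allow-list and the clean sample chain are assumptions made for illustration.

```python
import re

# Constructed sample: subject/issuer lines of the chain posted in this thread
# (the intercepted path).
INTERCEPTED = """\
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = KZ, ST = Astana, L = Astana, O = State Technical Service, OU = HQ, CN = USIAG Intermediate March, emailAddress = support@sts.kz
 1 s:C = KZ, ST = Astana, L = Astana, O = State Technical Service, OU = HQ, CN = USIAG Intermediate March, emailAddress = support@sts.kz
   i:C = KZ, ST = Nur-Sultan, O = State Technical Service, OU = HQ, CN = Unified State Internet Access Gateway, emailAddress = support@sts.kz
"""

# Constructed sample of an untampered path; the issuer names are assumptions.
CLEAN = """\
Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Assumption: issuer organisations you expect to see for this host.
EXPECTED_ORGS = {"Let's Encrypt", "Internet Security Research Group"}

# "KEY = value" pairs as printed by openssl; a value ends at the next ", KEY = ".
_ATTR = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")
_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")


def parse_dn(dn):
    """Turn 'C = KZ, O = Example, CN = Name' into a dict of attributes."""
    return dict(_ATTR.findall(dn.strip()))


def parse_chain(text):
    """Return one {'depth', 'subject', 'issuer'} dict per certificate sent."""
    chain, current = [], None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            current = {"depth": int(m.group(1)),
                       "subject": parse_dn(m.group(2)), "issuer": {}}
            chain.append(current)
            continue
        m = _ISSUER.match(line)
        if m and current is not None:
            current["issuer"] = parse_dn(m.group(1))
    return chain


def unexpected_issuers(text, expected_orgs=EXPECTED_ORGS):
    """List (depth, issuer O, issuer CN) for issuers outside expected_orgs."""
    chain = parse_chain(text)
    if not chain:
        # No chain parsed (empty or truncated output) must not read as "clean".
        raise ValueError("no certificate chain found in s_client output")
    return [(c["depth"], c["issuer"].get("O"), c["issuer"].get("CN"))
            for c in chain if c["issuer"].get("O") not in expected_orgs]
```

Issuer names are plain text that any middlebox can set, so this only tells you who is in the path once verification has already failed; the trust-store verification that curl and Certbot perform remains the actual check.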

HTTP/2 200
server: nginx
date: Sun, 16 Apr 2023 18:42:56 GMT
content-type: application/json
content-length: 756
cache-control: public, max-age=0, no-cache
replay-nonce: 2712jtUw_n1Duap-JE5wHdSr4LWKq1QXIK8lsHXQg9nCGh8
x-frame-options: DENY
strict-transport-security: max-age=604800

OK. The firewall is not fully blocking access; it is just inspecting everything. The -k switch said to ignore security problems and try to connect anyway, and that worked.

There is a way to get a certificate insecurely, but it is highly discouraged, especially if you do not know what is inspecting your requests.

Do you know who that is?

3 Likes

I don't know, but how do I get a certificate insecurely?

I don't know about the inspection, but how do I get a certificate insecurely?

What's "KAZAKHSTAN'S CYBERSHIELD"? Saw it on Государственная Техническая Служба from the certificate used to man-in-the-middle your connections.

Maybe it's your own government? I dunno, I've never heard of the CyberShield before.

4 Likes

It is the government technical service.
I don't want to ask them or call them about everything.