I am at a loss, SSL: CERTIFICATE_VERIFY_FAILED

OS: Centos 6.8 (latest patches as of April 14)

Summary: I have had a server hardware failure and am swapping Apache to a new server. I had this server configured once before, a long time ago, for a different domain than the one I have today. I have tried to delete all letsencrypt folders in /var/lib, /etc and /opt/eff.org. I have tried to uninstall Apache and remove all folders (/etc/http, /var/www etc.). So right now I am at square one. All to no avail; I keep getting the error below, which seems to be a Python error:

[root@XXXX downloads]# ./certbot-auto --apache -d XXXX -v
Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
 * base: ftp.crc.dk
 * epel: mirror.i3d.net
 * extras: mirror2.hs-esslingen.de
 * updates: mirror.rackspeed.de
Package gcc-4.4.7-18.el6_9.2.i686 already installed and latest version
Package augeas-libs-1.0.0-10.el6.i686 already installed and latest version
Package openssl-1.0.1e-57.el6.i686 already installed and latest version
Package openssl-devel-1.0.1e-57.el6.i686 already installed and latest version
Package libffi-devel-3.0.5-3.2.el6.i686 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and latest version
Package ca-certificates-2017.2.14-65.0.1.el6_9.noarch already installed and latest version
Package python34-3.4.5-4.el6.i686 already installed and latest version
Package python34-devel-3.4.5-4.el6.i686 already installed and latest version
Package python34-tools-3.4.5-4.el6.i686 already installed and latest version
Nothing to do
WARNING: unable to check for updates.
Creating virtual environment...
Installing Python packages...
Traceback (most recent call last):
  File "/usr/lib/python3.4/urllib/request.py", line 1183, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/usr/lib/python3.4/http/client.py", line 1137, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python3.4/http/client.py", line 1182, in _send_request
    self.endheaders(body)
  File "/usr/lib/python3.4/http/client.py", line 1133, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python3.4/http/client.py", line 963, in _send_output
    self.send(msg)
  File "/usr/lib/python3.4/http/client.py", line 898, in send
    self.connect()
  File "/usr/lib/python3.4/http/client.py", line 1287, in connect
    server_hostname=server_hostname)
  File "/usr/lib/python3.4/ssl.py", line 362, in wrap_socket
    _context=self)
  File "/usr/lib/python3.4/ssl.py", line 580, in __init__
    self.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 807, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/tmp.Gucwqk6bou/pipstrap.py", line 184, in <module>
    exit(main())
  File "/tmp/tmp.Gucwqk6bou/pipstrap.py", line 165, in main
    for path, digest in PACKAGES]
  File "/tmp/tmp.Gucwqk6bou/pipstrap.py", line 165, in <listcomp>
    for path, digest in PACKAGES]
  File "/tmp/tmp.Gucwqk6bou/pipstrap.py", line 120, in hashed_download
    response = opener(using_https=parsed_url.scheme == 'https').open(url)
  File "/usr/lib/python3.4/urllib/request.py", line 464, in open
    response = self._open(req, data)
  File "/usr/lib/python3.4/urllib/request.py", line 482, in _open
    '_open', req)
  File "/usr/lib/python3.4/urllib/request.py", line 442, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.4/urllib/request.py", line 1226, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/lib/python3.4/urllib/request.py", line 1185, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)>

Can you run:

curl -X GET -I https://pypi.python.org
openssl s_client -connect pypi.python.org:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -modulus
ls -lah /etc/ssl/certs/ca-bundle.crt

I had to ctrl-c the openssl command as it would just hang and never finish.

[root@XXXX ~]# curl -X GET -I https://pypi.python.org
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[root@XXXX ~]# openssl s_client -connect pypi.python.org:443 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -modulus
subject= /businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
Modulus=…
^C
[root@XXXX ~]# ls -lah /etc/ssl/certs/ca-bundle.crt
-rw-r--r--. 1 root root 431K Jan 15  2008 /etc/ssl/certs/ca-bundle.crt

Dang it, I have fixed it now.

I was a bit perplexed about which certificate it was that wasn't trusted.
Your questions got me on the right track.
I noticed the curl SSL error, and the ls command you gave me showed where the trusted certificates were installed. When I looked in /etc/ssl/certs/ I noticed that the intermediate certificate for python.org was in ca-bundle.crt.rpmnew, and this file was almost twice as big as my existing ca-bundle.crt file. So I replaced my existing file with ca-bundle.crt.rpmnew. SUCCESS.

I have worked more than 20 years with Linux and somehow I missed this; how about that. I learned something new today, hurrah.

Thanks for taking your time to help me out.

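The three diagnostic commands in the reply above (curl and openssl s_client against pypi, then ls on the CA bundle) and the fix in the last post come down to one mechanism: the client only accepts the server's certificate if the chain the server presents leads to a root present in the local trust bundle, and a bundle last written in 2008 that was never replaced by the package's newer copy (left beside it as ca-bundle.crt.rpmnew) will not contain every root a current site chains to. The script below is an added example, not code from this thread, from certbot or from the ca-certificates package. It reproduces the failure and the fix offline with a throwaway PKI built by openssl in a temporary directory: a stale bundle holding only an unrelated old root, an updated bundle parked as .rpmnew, and a leaf plus intermediate standing in for the pypi chain. All names (Old Root CA, Example Root CA, pypi.example.test) and the simulated /etc/ssl/certs directory are made up for the example; nothing outside the temp dir is touched.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway PKI with
# openssl (root CA -> intermediate CA -> leaf) in a temp dir, then shows that
# verifying the leaf fails against a trust bundle that lacks the root (the
# CERTIFICATE_VERIFY_FAILED situation) and succeeds once the bundle is updated.
# It also reproduces the ca-bundle.crt.rpmnew check that ended the thread,
# against a simulated /etc/ssl/certs directory inside the temp dir.
# CA names, hostname and paths are all made up; nothing outside $WORK is touched.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate: an unrelated old root (what a 2008-era bundle might hold), a new
# root, an intermediate signed by the new root, and a leaf signed by the
# intermediate. "openssl req -x509" yields self-signed CA certificates.
gen_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Old Root CA" \
        -keyout "$WORK/oldroot.key" -out "$WORK/oldroot.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

    # Intermediate: must carry CA:TRUE and keyCertSign or verify rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/int.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

    # Leaf (server) certificate, signed by the intermediate.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pypi.example.test\n' \
        > "$WORK/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=pypi.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Number of PEM certificates in a bundle: a quick sanity check on "the .rpmnew
# was almost twice as big" (the thread compared file sizes; counting is more telling).
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# What the client does: verify the server's leaf ($2), given the intermediate(s)
# the server sent ($3, -untrusted), against the local trust bundle ($1, -CAfile).
# Returns openssl's status: 0 only if the chain reaches a root in the bundle.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}

# The check that resolved the thread: rpm leaves the package's updated bundle
# beside a locally modified one as ca-bundle.crt.rpmnew instead of replacing it.
bundle_status() {
    if [ -f "$1/ca-bundle.crt.rpmnew" ]; then
        echo "rpmnew-pending"
    else
        echo "current"
    fi
}

gen_chain

# Simulated /etc/ssl/certs: stale bundle in place, updated bundle parked as .rpmnew.
CERTS="$WORK/etc-ssl-certs"
mkdir -p "$CERTS"
cp "$WORK/oldroot.crt" "$CERTS/ca-bundle.crt"
cat "$WORK/oldroot.crt" "$WORK/root.crt" > "$CERTS/ca-bundle.crt.rpmnew"

echo "bundle status: $(bundle_status "$CERTS")"
echo "certs in ca-bundle.crt: $(cert_count "$CERTS/ca-bundle.crt"), in ca-bundle.crt.rpmnew: $(cert_count "$CERTS/ca-bundle.crt.rpmnew")"

if verify_chain "$CERTS/ca-bundle.crt" "$WORK/leaf.crt" "$WORK/int.crt"; then
    echo "stale bundle: verify OK (unexpected)"
else
    echo "stale bundle: verify FAILED (this is what CERTIFICATE_VERIFY_FAILED reports)"
fi

# Apply the fix from the thread: adopt the packaged, updated bundle.
mv "$CERTS/ca-bundle.crt.rpmnew" "$CERTS/ca-bundle.crt"

if verify_chain "$CERTS/ca-bundle.crt" "$WORK/leaf.crt" "$WORK/int.crt"; then
    echo "updated bundle: verify OK"
fi
echo "bundle status: $(bundle_status "$CERTS")"
```

Two caveats a practitioner would want here. First, the curl help text's `-k`/`--insecure` option (and the equivalent of disabling verification in Python) is not a fix: it turns an error that is telling you the trust store is stale into a silent acceptance of any certificate, including an attacker's. Second, on RHEL-family systems the bundle belongs to the ca-certificates package; a leftover `.rpmnew` means rpm found the installed file locally modified and declined to overwrite it, so after adopting the new copy it is worth checking that nothing else (scripts, a custom CA appended by hand) depended on the old file, and on systems that ship it, letting `update-ca-trust` regenerate the bundle rather than editing it by hand.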
