I can't renew my certificate on Gentoo / Apache anymore - SSLError

Help
1

I can't renew my certificate (Expiry Date: 2021-10-03 05:52:25+00:00 (INVALID: EXPIRED)) anymore. In the past it always worked without any problems.

My domain is:
phabricator.see-me-grow.de

I ran this command:

sudo certbot --apache -d phabricator.see-me-grow.de

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib64/python3.6/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib64/python3.6/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib64/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/lib64/python3.6/site-packages/urllib3/connection.py", line 360, in connect
    ssl_context=context,
  File "/usr/lib64/python3.6/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/lib64/python3.6/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Apache/2.4.41 (Unix)

The operating system my web server runs on is (include version):
Gentoo/Linux 2.6

My hosting provider, if applicable, is:
...

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
...

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.3.0

The following command:

curl -v -m10 https://acme-v02.api.letsencrypt.org/directory

Produced this output:

*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Thank you in advance for any help.

2

If Gentoo uses APT, then try:
sudo apt update
sudo apt install libcurl3-gnutls libcurl4 ca-certificates openssl
[and see if anything updates]

3

It doesn't :wink:

@Cuze It looks like your app-misc/ca-certificates is ancient, could you verify that with us by showing the following command?

emerge -1pv app-misc/ca-certificates

1 Like
4

Here is the output:

 * Last emerge --sync was Sa 11 Apr 2020 23:05:01 CEST.

 * IMPORTANT: 7 config files in '/etc/portage' need updating.
 * See the CONFIGURATION FILES and CONFIGURATION FILES UPDATE TOOLS
 * sections of the emerge man page to learn how to update config files.

These are the packages that would be merged, in order:

Calculating dependencies... done!

!!! All ebuilds that could satisfy "app-misc/ca-certificates" have been masked.
!!! One of the following masked packages is required to complete your request:
- app-misc/ca-certificates-20190110.3.43::gentoo (masked by: package.mask)

For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.


 * IMPORTANT: 23 news items need reading for repository 'gentoo'.
 * Use eselect news read to view new items.
5

That seems like it would be "new enough" to include the "ISRG Root X1" (from 2015).
Only one way to know for sure!

6

That's the package that would be installed. However, something is wrong with the system, as that package shouldn't be masked.

@Cuze It seems your Gentoo system is not updated properly. Let's check the current version of the package first:

equery list app-misc/ca-certificates

You might need to install app-portage/gentoolkit first if you don't have the equery tool.

1 Like
7

The current version of the package:
[I--] [??] app-misc/ca-certificates-20140927.3.17.2:0

8

Well, there's your problem. An ancient root certificate store. Please fix the masked package issue you've found earlier and emerge an up to date version of ca-certificates.

Frankly, I'm worried about the state of your host. The fact you haven't synced Portage for more than a year (and thus also haven't upgraded any packages) probably means you've got lots of vulnerable packages installed.

1 Like
9

Ouch !

1 Like
10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.