I can't renew my certificate on Gentoo / Apache anymore - SSLError

I can't renew my certificate (Expiry Date: 2021-10-03 05:52:25+00:00 (INVALID: EXPIRED)) anymore. In the past it always worked without any problems.

My domain is:
phabricator.see-me-grow.de

I ran this command:

sudo certbot --apache -d phabricator.see-me-grow.de

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib64/python3.6/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib64/python3.6/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib64/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/lib64/python3.6/site-packages/urllib3/connection.py", line 360, in connect
    ssl_context=context,
  File "/usr/lib64/python3.6/site-packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib64/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib64/python3.6/site-packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/lib64/python3.6/site-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version):
Apache/2.4.41 (Unix)

The operating system my web server runs on is (include version):
Gentoo/Linux 2.6

My hosting provider, if applicable, is:
...

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
...

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.3.0

The following command:

curl -v -m10 https://acme-v02.api.letsencrypt.org/directory

Produced this output:

*   Trying 172.65.32.248:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Thank you in advance for any help.

If Gentoo uses APT, then try:
sudo apt update
sudo apt install libcurl3-gnutls libcurl4 ca-certificates openssl
[and see if anything updates]

It doesn't :wink:

@Cuze It looks like your app-misc/ca-certificates is ancient, could you verify that with us by showing the following command?

emerge -1pv app-misc/ca-certificates


Here is the output:

 * Last emerge --sync was Sa 11 Apr 2020 23:05:01 CEST.

 * IMPORTANT: 7 config files in '/etc/portage' need updating.
 * See the CONFIGURATION FILES and CONFIGURATION FILES UPDATE TOOLS
 * sections of the emerge man page to learn how to update config files.

These are the packages that would be merged, in order:

Calculating dependencies... done!

!!! All ebuilds that could satisfy "app-misc/ca-certificates" have been masked.
!!! One of the following masked packages is required to complete your request:
- app-misc/ca-certificates-20190110.3.43::gentoo (masked by: package.mask)

For more information, see the MASKED PACKAGES section in the emerge
man page or refer to the Gentoo Handbook.

 * IMPORTANT: 23 news items need reading for repository 'gentoo'.
 * Use eselect news read to view new items.

That seems like it would be "new enough" to include the "ISRG Root X1" (from 2015).
Only one way to know for sure!

That's the package that would be installed. However, something is wrong with the system, as that package shouldn't be masked.

@Cuze It seems your Gentoo system is not updated properly. Let's check the current version of the package first:

equery list app-misc/ca-certificates

You might need to install app-portage/gentoolkit first if you don't have the equery tool.


The current version of the package:
[I--] [??] app-misc/ca-certificates-20140927.3.17.2:0

Well, there's your problem. An ancient root certificate store. Please fix the masked package issue you've found earlier and emerge an up to date version of ca-certificates.

Frankly, I'm worried about the state of your host. The fact that you haven't synced Portage for more than a year (and thus also haven't upgraded any packages) probably means you've got lots of vulnerable packages installed.

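To confirm that diagnosis before touching Portage, here is an added example (not from this thread or from certbot) that lists the subject CNs in a PEM CA bundle such as /etc/ssl/certs/ca-certificates.crt using only the Python standard library, so an admin can see whether "ISRG Root X1" is actually present in the trust store that curl and certbot consult. The minimal DER walker and the `constructed_sample_bundle` helper (which builds unsigned toy certificates purely as test input) are my own; feed the real bundle's contents to `bundle_subjects`.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def _tlv(buf, pos):  # decode one DER tag-length-value at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):  # TLVs directly inside a SEQUENCE/SET whose content spans [start, end)
    while start < end:
        tlv = _tlv(buf, start)
        yield tlv
        start = tlv[2]

def subject_cn(der):
    """Subject commonName of a DER-encoded X.509 certificate, or None if it has none."""
    _, cert_start, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    # serial, signature, issuer, validity, subject; the index shifts by one if [0] EXPLICIT version is present
    _, subj_start, subj_end = fields[4 + (fields[0][0] == 0xA0)]
    for _, rdn_s, rdn_e in _children(der, subj_start, subj_end):      # each RDN is a SET
        for _, atv_s, atv_e in _children(der, rdn_s, rdn_e):          # AttributeTypeAndValue SEQUENCE
            (_, o_s, o_e), (_, v_s, v_e) = _children(der, atv_s, atv_e)
            if der[o_s:o_e] == OID_CN:
                return der[v_s:v_e].decode("utf-8", "replace")
    return None

def bundle_subjects(pem_text):  # subject CNs of every certificate in a PEM bundle, in file order
    return [subject_cn(base64.b64decode(m.group(1))) for m in PEM_RE.finditer(pem_text)]

def _der(tag, payload):  # DER TLV encoder, used only to build the constructed sample below
    n = len(payload)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + payload

def constructed_sample_bundle(cns):
    """Constructed test input: unsigned toy certificates (NOT real CA certs) with the given subject CNs."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    pems = []
    for cn in cns:
        name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x13, cn.encode()))))
        tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
                   + _der(0x30, _der(0x17, b"200101000000Z") * 2) + name + _der(0x30, alg + _der(0x03, b"\x00")))
        pems.append("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode())
    return "".join(pems)
```

On the affected host, `"ISRG Root X1" in bundle_subjects(open("/etc/ssl/certs/ca-certificates.crt").read())` should be True; if it is not, the "unable to get local issuer certificate" error above is explained by the trust store alone, and updating app-misc/ca-certificates is the fix.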

Ouch!
