Lego: Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory

My domain is: lnp.prodosec.com

I ran this command:
lego --email="hide here" --domains="lnp.prodosec.com" --path="/etc/lego" renew
(this worked 3 months ago)

It produced this output:

2021/11/12 20:25:34 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get "https://acme-v02.api.letsencrypt.org/directory": x509: certificate signed by unknown authority

My web server is (include version):
Server version: Apache/2.4.18 (Unix)

The operating system my web server runs on is (include version):
Debian GNU/Linux 7 (wheezy)

My hosting provider, if applicable, is:
google cloud

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
yes, Joomla! 3.2.7

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

lego version 4.0.1 linux/amd64

What I have tried:

  1. apt-get update ca-certificates; update-ca-certificates, no difference
  2. remove ca-certificates, install + update ca-certificates again, no difference
  3. lego upgrade to the latest version, no difference

Thank you for any suggestions.

1 Like

Hi @wtaochange and welcome to the LE community forum

That's a decent amount of troubleshooting and detail - thanks for those.
What do these show?
openssl version
apt update ca-certificates

openssl version

OpenSSL 1.0.1q 3 Dec 2015

That's problematic.
Can you update OpenSSL?

And please show the output of:
apt update ca-certificates

Thank you for the fast response, will try.

1 Like

This would be a potential solution, except Debian Wheezy is very old and unmaintained.

You should really, really, really, upgrade to a maintained version of Debian.

You can try to work around this by manually trusting ISRG Root X1:

curl -k -o /usr/local/share/ca-certificates/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
update-ca-certificates

then try lego again.

2 Likes
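
Because `curl -k` skips TLS verification, the file fetched in the workaround above is unauthenticated at the moment it becomes a trust anchor. As an added example (not from the thread, lego or Let's Encrypt), these shell functions compare the file's SHA-256 fingerprint with a value obtained through a separate trusted channel before installing it; the function names and the expected-fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded root certificate before trusting it.

# Print the SHA-256 (lowercase hex) of the DER encoding of the single
# certificate in a PEM file. Fails unless the file holds exactly one cert.
pem_sha256() {
    pem=$1
    [ -r "$pem" ] || return 2
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$count" -eq 1 ] || return 3
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$pem" \
        | grep -v '^-----' | tr -d '\r' | base64 -d 2>/dev/null \
        | sha256sum | cut -d' ' -f1
}

# Accept fingerprints as printed by tools ("AA:BB:...") or as plain hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# Succeed only if the PEM file's fingerprint equals the expected value.
verify_root() {
    actual=$(pem_sha256 "$1") || return 1
    expected=$(normalize_fp "$2")
    [ ${#expected} -eq 64 ] || return 1
    [ "$actual" = "$expected" ]
}

# Copy the file into the local trust directory only after it verifies.
install_root() {
    if verify_root "$1" "$2"; then
        cp "$1" "$3" && update-ca-certificates
    else
        echo "fingerprint mismatch, not installing $1" >&2
        return 1
    fi
}

# Usage (the fingerprint is a placeholder; take it from a trusted source):
# install_root isrgrootx1.pem "<SHA-256 fingerprint>" \
#     /usr/local/share/ca-certificates/isrgrootx1.crt
```

A fingerprint read from the same unverified download proves nothing; it has to come from a machine or channel whose TLS validation already works.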

added,
ls -l /usr/local/share/ca-certificates/
total 4
-rw-r--r-- 1 root staff 1939 Nov 12 21:10 isrgrootx1.crt

update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

no difference

Strange. Worked when I tried it on a Wheezy image just now.

Does curl work?

curl https://acme-v02.api.letsencrypt.org/directory

Sorry, your suggestion is the solution.

lego --http --email="hide" --domains="lnp.prodosec.com" --path="/etc/lego" renew

In the above command, I missed --http before; now renew is working.

Thank you very much!

2 Likes
