Letsencrypt-auto fails on verification of python.org certificate


#1

Hi all,

I am running a FreeNAS-9.3-STABLE machine. A jail is renewing the certificates every sunday:

git pull
/root/letsencrypt/letsencrypt-auto certonly --standalone --config “[…]/letsencrypt/cli.ini”

I just realized the certs are not being updated since, at least, jan 31. There is no error in the logs. If I run the script myself there’s no error but the certificates aren’t renewed.

I don’t know much of python but I’ve been tracking the letsencrypt-auto script:

letsencrypt-auto (with line number)
1790 # ---------------------------------------------------------------------------
1791 DeterminePythonVersion
1792 echo “$LE_PYTHON” “$TEMP_DIR/fetch.py” --latest-version
1793 REMOTE_VERSION="$LE_PYTHON" "$TEMP_DIR/fetch.py" --latest-version
1794 echo “$REMOTE_VERSION”

I get echo of line 1792 and then nothing, silent dead

python2.7 /tmp/tmp.R145nM1s/fetch.py --latest-version

If I then run this command, I get:

Couldn’t download https://pypi.python.org/pypi/letsencrypt/json. <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

I’ve gone there and the certificate seems quite valid to me. Is there something missing in my python install?

Thank you


#2

As I understand it, recent versions of the letsencrypt client won’t renew a cert unless it has less than 30 days’ of life remaining, unless you give it the --renew-by-default flag; this could explain why it hasn’t renewed for two weeks.

Also, the letsencrypt-auto script is really intended to be used on environments for which there isn’t an available binary package, and there is one for FreeBSD–‘pkg install py27-letsencrypt’ will get it for you.


#3

Happened the same to me this afternoon.
Under Debian Jessie 8.3.
Actually, removing ca-certificates and re-installing solved the problem.

$ apt-get remove ca-certificates
$ apt-get autoremove
~/letsencrypt/letsencrypt-auto

Cheers.
Anton.


#5

Ok, so the pkg py27-letsencrypt did the trick! thank you!