Letsencrypt-auto renew failing on Ubuntu 12.10 machine

xof · April 27, 2018, 8:12pm

A soon-to-be-retired server on Ubuntu 12.10 serves a site over HTTPS on Apache, using a letsencrypt certificate. Until this last time, certificate renewal was working fine, but now we’re getting:

  File "/tmp/tmp.AhshweMl21/pipstrap.py", line 184, in <module>
    exit(main())
  File "/tmp/tmp.AhshweMl21/pipstrap.py", line 165, in main
    for path, digest in PACKAGES]
  File "/tmp/tmp.AhshweMl21/pipstrap.py", line 120, in hashed_download
    response = opener(using_https=parsed_url.scheme == 'https').open(url)
  File "/usr/lib/python2.7/urllib2.py", line 401, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 419, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 379, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1219, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1181, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version>

My first guess is that the version of openssl installed (OpenSSL 1.0.1c 10 May 2012) is too old, and we should upgrade it, although that will mean building it from source. Before we go down that path, any guidance?

stevenzhu · April 27, 2018, 8:16pm

Hi,

This error means the URL was visited using tls1.0, which is going to (or already) retired.

Can you try this command:
git config --global --add http.sslVersion tlsv1.2 (set tls1.2 as default)

Thank you

xof · April 27, 2018, 8:39pm

Unfortunately, no change with that .gitconfig addition.

_az · April 27, 2018, 9:35pm

How soon-to-be retired is this server? You may consider just manually renewing the certificate via gethttpsforfree or zerossl to save yourself the risk of upgrading openssl.

You could also try a Go-based client such as acmetool instead of Certbot, as Go implements its own modern TLS stack and does not rely on OpenSSL.

Edit: if you are using certbot-auto/letsencrypt-auto, you could also try with --no-bootstrap --no-self-upgrade, depending on which host it is that is causing you grief. I suspect it is https://pypi.python.org that is the culprit.

xof · May 2, 2018, 12:02am

Excellent ideas, thank you!

system · June 1, 2018, 12:02am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.