Letsencrypt-auto renew failing on Ubuntu 12.10 machine


#1

A soon-to-be-retired server on Ubuntu 12.10 serves a site over HTTPS on Apache, using a letsencrypt certificate. Until this last time, certificate renewal was working fine, but now we’re getting:

  File "/tmp/tmp.AhshweMl21/pipstrap.py", line 184, in <module>
    exit(main())
  File "/tmp/tmp.AhshweMl21/pipstrap.py", line 165, in main
    for path, digest in PACKAGES]
  File "/tmp/tmp.AhshweMl21/pipstrap.py", line 120, in hashed_download
    response = opener(using_https=parsed_url.scheme == 'https').open(url)
  File "/usr/lib/python2.7/urllib2.py", line 401, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 419, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 379, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1219, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib/python2.7/urllib2.py", line 1181, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version>

My first guess is that the version of openssl installed (OpenSSL 1.0.1c 10 May 2012) is too old, and we should upgrade it, although that will mean building it from source. Before we go down that path, any guidance?


#2

Hi,

This error means the URL was visited using tls1.0, which is going to be (or already is) retired.

Can you try this command:
git config --global --add http.sslVersion tlsv1.2 (set tls1.2 as default)

Thank you
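A small diagnostic for the failure shown in post #1, added here as an example (it is not code from the thread or from Certbot): it classifies the OpenSSL error string from the traceback, checks whether a given OpenSSL version banner is new enough to contain TLS 1.2 at all (OpenSSL added it in 1.0.1), reports what the local Python ssl module can negotiate, and offers an optional probe that connects to a host with a TLS 1.2 floor so you can see which side refuses. The error text is copied from the traceback above; the host name in the usage line and the 0.9.8 banner are constructed values for illustration.

```python
import re
import socket
import ssl

# Constructed sample: the final line of the traceback quoted in post #1.
SAMPLE_ERROR = (
    "<urlopen error [Errno 1] _ssl.c:504: error:1407742E:SSL routines:"
    "SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version>"
)

# OpenSSL alert substrings and what each usually means for a client.
ERROR_KINDS = [
    ("alert protocol version", "protocol_version"),    # server rejected every TLS version we offered
    ("alert handshake failure", "handshake_failure"),  # no common cipher suite, SNI mismatch, etc.
    ("certificate verify failed", "cert_verify"),      # trust store or chain problem
]


def classify_tls_error(message):
    """Map an OpenSSL error string to a coarse failure category."""
    lowered = message.lower()
    for needle, kind in ERROR_KINDS:
        if needle in lowered:
            return kind
    return "unknown"


_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn a banner such as 'OpenSSL 1.0.1c 10 May 2012' into (1, 0, 1, 'c')."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def library_has_tls12(banner):
    """OpenSSL gained TLS 1.2 in 1.0.1; older libraries cannot speak it at all."""
    return parse_openssl_version(banner)[:3] >= (1, 0, 1)


def local_tls_support():
    """Report what the running interpreter's ssl module can negotiate."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "TLSv1.2": bool(getattr(ssl, "HAS_TLSv1_2", False)),
        "TLSv1.3": bool(getattr(ssl, "HAS_TLSv1_3", False)),
    }


def probe_server(host, port=443, minimum=ssl.TLSVersion.TLSv1_2, timeout=5.0):
    """Connect with a TLS version floor and return the negotiated version or the error kind.

    Needs network access; the offline functions above do not call it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLError as exc:
        return ("error", classify_tls_error(str(exc)))


if __name__ == "__main__":
    print("sample error classified as:", classify_tls_error(SAMPLE_ERROR))
    print("OpenSSL 1.0.1c contains TLS 1.2:", library_has_tls12("OpenSSL 1.0.1c 10 May 2012"))
    print("local ssl module:", local_tls_support())
    # Example probe against a placeholder host (replace before running):
    # print(probe_server("pypi.example.invalid"))
```

If `library_has_tls12` returns True for the installed OpenSSL but the client still fails with `protocol_version`, the library itself is not the limit; the client's TLS code path is, which is why the suggestions later in this thread about a different client or skipping the bootstrap step are worth trying before rebuilding OpenSSL.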


#3

Unfortunately, no change with that .gitconfig addition.


#4

How soon-to-be retired is this server? You may consider just manually renewing the certificate via gethttpsforfree or zerossl to save yourself the risk of upgrading openssl.

You could also try a Go-based client such as acmetool instead of Certbot, as Go implements its own modern TLS stack and does not rely on OpenSSL.

Edit: if you are using certbot-auto/letsencrypt-auto, you could also try with --no-bootstrap --no-self-upgrade, depending on which host it is that is causing you grief. I suspect it is https://pypi.python.org that is the culprit.


#5

Excellent ideas, thank you!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.