Letsencrypt crashes because curl can't access letsencrypt.org


#1

After an OS reinstall (Ubuntu 16.04) I can’t get letsencrypt to work. After specifying my apache domains and typing in my email, letsencrypt crashes with:

2016-10-11 17:11:11,676:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-10-11 17:11:11,687:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 17:11:11,688:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2016-10-11 17:11:11,688:DEBUG:letsencrypt.cli:Arguments: []
2016-10-11 17:11:11,689:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-10-11 17:11:11,698:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2016-10-11 17:11:12,438:DEBUG:letsencrypt.display.ops:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7fc06d73ab90>
Prep: True
2016-10-11 17:11:12,439:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7fc06d73ab90> and installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7fc06d73ab90>
2016-10-11 17:11:18,798:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-10-11 17:11:18,803:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 17:11:18,904:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/letsencrypt”, line 9, in
load_entry_point(‘letsencrypt==0.4.1’, ‘console_scripts’, ‘letsencrypt’)()
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 1986, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 660, in run
le_client = _init_le_client(config, authenticator, installer)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 206, in _init_le_client
acc, acme = _determine_account(config)
File “/usr/lib/python2.7/dist-packages/letsencrypt/cli.py”, line 191, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 116, in register
acme = acme_from_config_key(config, key)
File “/usr/lib/python2.7/dist-packages/letsencrypt/client.py”, line 41, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 63, in init
self.net.get(directory).json())
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 627, in get
self._send_request(‘GET’, url, **kwargs), content_type=content_type)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 609, in _send_request
response = requests.request(method, url, *args, **kwargs)
File “/usr/lib/python2.7/dist-packages/requests/api.py”, line 53, in request
return session.request(method=method, url=url, **kwargs)
File “/usr/lib/python2.7/dist-packages/requests/sessions.py”, line 468, in request
resp = self.send(prep, **send_kwargs)
File “/usr/lib/python2.7/dist-packages/requests/sessions.py”, line 576, in send
r = adapter.send(request, **kwargs)
File “/usr/lib/python2.7/dist-packages/requests/adapters.py”, line 447, in send
raise SSLError(e, request=request)
SSLError: unknown error (_ssl.c:2831)

I believe the SSL error is because any attempt to access letsencrypt.org using curl fails:

$ curl https://helloworld.letsencrypt.org
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

should I be adding some certificate to my ca-certificates.crt? I’ve tried dpkg-reconfigure ca-certificates and update-ca-certificates and see no change…


#2

helloworld.letsencrypt.org is not an appropriate site to test connectivity to Let’s Encrypt’s CA server.

Try curling https://acme-v01.api.letsencrypt.org/directory, possibly adding -v as well to see some debug output.


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.