Letsencrypt crashes because curl can't access letsencrypt.org

After an OS reinstall (Ubuntu 16.04) I can't get letsencrypt to work. After specifying my apache domains and typing in my email, letsencrypt crashes with:

2016-10-11 17:11:11,676:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-10-11 17:11:11,687:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-10-11 17:11:11,688:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2016-10-11 17:11:11,688:DEBUG:letsencrypt.cli:Arguments:
2016-10-11 17:11:11,689:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-10-11 17:11:11,698:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2016-10-11 17:11:12,438:DEBUG:letsencrypt.display.ops:Single candidate plugin: * apache
Description: Apache Web Server - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = letsencrypt_apache.configurator:ApacheConfigurator
Initialized: <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7fc06d73ab90>
Prep: True
2016-10-11 17:11:12,439:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7fc06d73ab90> and installer <letsencrypt_apache.configurator.ApacheConfigurator object at 0x7fc06d73ab90>
2016-10-11 17:11:18,798:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-10-11 17:11:18,803:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-10-11 17:11:18,904:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 9, in <module>
load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 660, in run
le_client = _init_le_client(config, authenticator, installer)
File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 206, in _init_le_client
acc, acme = _determine_account(config)
File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 191, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 116, in register
acme = acme_from_config_key(config, key)
File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 41, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 63, in __init__
self.net.get(directory).json())
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 627, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python2.7/dist-packages/acme/client.py", line 609, in _send_request
response = requests.request(method, url, *args, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 447, in send
raise SSLError(e, request=request)
SSLError: unknown error (_ssl.c:2831)

I believe the SSL error is because any attempt to access letsencrypt.org using curl fails:

$ curl https://helloworld.letsencrypt.org
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Should I be adding some certificate to my ca-certificates.crt? I've tried dpkg-reconfigure ca-certificates and update-ca-certificates and see no change...

helloworld.letsencrypt.org is not an appropriate site to test connectivity to Let’s Encrypt’s CA server.

Try curling https://acme-v01.api.letsencrypt.org/directory, possibly adding -v as well to see some debug output.


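The curl error in the question names /etc/ssl/certs/ca-certificates.crt as the CA file. The following is an added example, not part of the thread, that checks offline whether that bundle exists, is non-empty and loads into a TLS verification context; the function names inspect_bundle and verdict are made up for this example.

```python
import os
import ssl
import sys

# Path taken from the curl error message in the question.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"


def inspect_bundle(path=DEFAULT_BUNDLE):
    """Return facts about a CA bundle file without touching the network."""
    report = {"path": path, "exists": os.path.isfile(path), "size": 0,
              "pem_blocks": 0, "loaded_cas": 0, "error": None}
    if not report["exists"]:
        report["error"] = "bundle file is missing"
        return report
    with open(path, "rb") as fh:
        data = fh.read()
    report["size"] = len(data)
    report["pem_blocks"] = data.count(PEM_BEGIN)
    # Load the file the same way a TLS client would; an empty or corrupt
    # bundle fails here, before any connection is attempted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
        report["loaded_cas"] = len(ctx.get_ca_certs())
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        report["error"] = "cannot load bundle: %s" % exc
    return report


def verdict(report):
    """Summarise a report from inspect_bundle() as one line."""
    if report["error"]:
        return "BROKEN: " + report["error"]
    if report["loaded_cas"] == 0:
        return "BROKEN: no CA certificates loaded"
    return "OK: %d CA certificates loaded" % report["loaded_cas"]


if __name__ == "__main__":
    rep = inspect_bundle(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BUNDLE)
    print(rep)
    print(verdict(rep))
```

A BROKEN result points at the local trust store rather than at the remote server; an OK result means the bundle itself loads and the verbose curl output against the directory URL is the next thing to read.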