Failed to renew certificate capacitacionrueps.ieps.gob.ec with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)')))
I know that in the past these "HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory" errors have frequently been associated with IP address blocks. Sometimes they go unsolved or seem to mysteriously resolve themselves without explanation or follow-up.
I think this is one of those error messages that can result from very different causes; the last ("Caused by") part of the message is most relevant. "Certificate verify failed" errors are probably not caused by an IP address block.
I suspected as much, but wasn't entirely sure. I surmise then that this might have something to do with the local trust store being unable to verify the certificate being sent by the directory endpoint.
Agreed. Most likely DNS for acme-v02.api is going somewhere unexpected; one of its CDN nodes is serving something unexpected; or the client is using an old trust store without ISRG Root X1.
acme-v02.api is still serving a chain rooted in DST Root CA X3 for now, though of course I'm curious when it'll change to just be ISRG Root X1.
Had this server been able to connect before, but can't now? I'm assuming the problem isn't the API endpoint using the "long" chain now, though I suspect that's the only thing that's changed on the Let's Encrypt side of things in the past couple months.
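The triage discussed in this thread (read the "Caused by" part first, then separate trust-store problems from network blocks) can be sketched as a small log parser. This is an added example, not part of any post above and not Certbot's own code; the `triage` function, the hint texts and the timeout sample line are assumptions made for illustration.

```python
import re

# THREAD_ERROR is the error quoted at the top of this thread. TIMEOUT_ERROR is
# a constructed contrast case (a connect timeout), not taken from the thread.
THREAD_ERROR = (
    "Failed to renew certificate capacitacionrueps.ieps.gob.ec with error: "
    "HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): "
    "Max retries exceeded with url: /directory (Caused by SSLError("
    "SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate "
    "verify failed: self signed certificate in certificate chain (_ssl.c:1123)')))")
TIMEOUT_ERROR = (
    "HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): "
    "Max retries exceeded with url: /directory (Caused by ConnectTimeoutError("
    "<urllib3.connection.HTTPSConnection object at 0x7f0000000000>, 'Connection "
    "to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))")

# OpenSSL verify reasons mapped to what to check first (hints are this example's own).
TRUST_HINTS = {
    "self signed certificate in certificate chain":
        "served chain ends in a root the local trust store lacks: compare DNS "
        "answers, look for a TLS-intercepting proxy, update the CA bundle",
    "unable to get local issuer certificate":
        "issuer missing locally: update the CA bundle (e.g. add ISRG Root X1)",
}

def triage(line):
    """Pull host, URL and the innermost cause out of a 'Max retries' error."""
    host = re.search(r"host='([^']+)'", line)
    url = re.search(r"with url: (\S+)", line)
    cause = re.search(r"\(Caused by (\w+)\(", line)
    reason = re.search(r"certificate verify failed: (.+?) \(_ssl\.c:\d+\)", line)
    result = {"host": host.group(1) if host else None,
              "url": url.group(1) if url else None,
              "cause": cause.group(1) if cause else None,
              "reason": None, "category": "unknown", "hint": None}
    if reason:
        # Newer OpenSSL builds spell this "self-signed"; normalise before lookup.
        text = reason.group(1).replace("self-signed", "self signed")
        result.update(reason=text, category="tls-trust",
                      hint=TRUST_HINTS.get(text, "inspect the served chain"))
    elif result["cause"] in ("ConnectTimeoutError", "NewConnectionError"):
        result.update(category="network",
                      hint="connection never completed: check routing, firewall, IP blocks")
    return result

if __name__ == "__main__":
    for sample in (THREAD_ERROR, TIMEOUT_ERROR):
        print(triage(sample))
```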