OpenSSL in FIPS Mode does not have MD5 Hash Functionality Required by Certbot

My domain is:

I ran this command:
certbot --apache or certbot --apache certonly (same result)

It produced this output:
An unexpected error occurred:
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

My web server is (include version):
Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.1.11

The operating system my web server runs on is (include version):
CentOS 7

My hosting provider, if applicable, is:
Amazon Web Services (for the server)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no.

May or may not be relevant: I installed a certificate yesterday on another instance that was running AWS Linux. But my application framework (ASP.NET Core) is not compatible with Amazon Linux, so I launched a CentOS 7 instance.

Log file doesn’t seem to add much, but here is the tail:
2017-12-25 20:21:30,017:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/", line 770, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/site-packages/certbot/", line 479, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/", line 378, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python2.7/site-packages/certbot/", line 174, in register
    acc = account.Account(regr, key)
  File "/usr/lib/python2.7/site-packages/certbot/", line 62, in init
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
2017-12-25 20:21:30,018:ERROR:certbot.log:An unexpected error occurred:

Based on this issue it looks like Certbot isn’t compatible with OpenSSL running in FIPS mode.

If you wish to continue operating in FIPS mode, perhaps you can use an alternate client like acmetool, which is not affected.
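
A pre-flight check for the failure shown in the traceback, as an added example that is not part of the original thread or of Certbot's own code: it asks Python's hashlib for each digest and records the ones that are refused. `fips_like_new`, `probe_digests` and `blocked_by_fips` are hypothetical names, and `fips_like_new` is a constructed stand-in that replays the error string from the log so the FIPS case can be seen on any host.

```python
import hashlib

# Error text copied from the traceback on this page; used only by the stand-in below.
FIPS_ERROR = ("error:060800A3:digital envelope routines:"
              "EVP_DigestInit_ex:disabled for fips")


def fips_like_new(name, data=b""):
    """Constructed stand-in for hashlib.new on a FIPS-mode host: MD5 is refused."""
    if name.lower() == "md5":
        raise ValueError(FIPS_ERROR)
    return hashlib.new(name, data)


def probe_digests(names, new=hashlib.new):
    """Map each digest name to None if it is usable, else to the error text."""
    results = {}
    for name in names:
        try:
            new(name, b"probe").hexdigest()
            results[name] = None
        except ValueError as exc:
            # The failure on this page surfaces as ValueError, so keep its message.
            results[name] = str(exc)
    return results


def blocked_by_fips(results):
    """Digest names whose failure message mentions FIPS, sorted for stable output."""
    return sorted(n for n, err in results.items()
                  if err and "fips" in err.lower())


if __name__ == "__main__":
    hosts = (("this host", hashlib.new),
             ("simulated FIPS host", fips_like_new))
    for label, ctor in hosts:
        res = probe_digests(["md5", "sha1", "sha256"], ctor)
        print(label, "->", res, "| blocked:", blocked_by_fips(res))
```

Run it with the same Python interpreter that the ACME client uses, since the result depends on the OpenSSL build that interpreter is linked against.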

I have made the title a bit clearer in case anyone else runs into the same problem.
