@erglazier Sorry, been away most of the day and have not yet studied your letsencrypt log. I hope to have some time a bit later.
But, going back to my original post #2 to you I have something to try: curl -I https://acme-v02.api.letsencrypt.org
Your openssl to that endpoint worked in your OP but I recently saw a case where curl and openssl verified the chain differently. With recent chain changes openssl is usually more trouble but perhaps in your case it is not. I think curl more closely mimics what Certbot itself does in its python scripts.
Your Certbot failure still seems like a missing ISRG Root X1. Can you explicitly check whether that appears in your root store?
I also do not think upping openssl from g to k will matter.
@erglazier I have not yet looked at your log. But, I agree with Rudy and it is worth looking at python libs. IIRC you were at Certbot 1.7 which is fairly recent so unlikely a problem in it. But, another client that does not use python would be worth a try if no python updates helped.
I will still look at the logs to see if we missed something.
Update on certbot:
I was able to get it all running again. The fix was to update the Python pip requests package used by certbot. This, I believe, updated the root cert bundle certbot used, as it was failing to validate the cert on Let's Encrypt itself when fetching new certs. So now it can fetch new certs and distribute them. This upgrade did not update the python3-urllib3 version.
@erglazier Yes, I was just going to suggest that. I googled and found this:
"Also thinking about it, it could be that there is a different cacert.pem in C:\Python27\lib\site-packages\certifi compared to C:\Python3\lib\site-packages\certifi - github.com/certifi" – Danny Cullen
It was related to the DST Root CA X3 expiration. If this was the reason, it was because your Python cert store also had to be updated. Both curl and openssl verified OK with the new ISRG Root X1, but the Python cert store did not have it. Your update of certbot seems to have refreshed that cert store, as you note.
Very glad you got it sorted. Was very puzzling. I had not seen anyone with this python issue before.
Many people read through these posts sometimes desperately looking for a solution to very tough problems.
Please include the O/S+version and the exact commands used to create the "fix".
[Think SEO]
Certbot utilizes the requests library (module) in Python for making HTTPS requests. HTTPS relies on the root CAs for the TLS/SSL chain of trust to make secure requests. Normally these root CAs would be at a base level in an OS or part of a client browser, but in order to do it within Python via the requests library, the library needs its own bundle of SSL Root Certificate Authorities (CAs). The older version of Python that this older version of Certbot uses did not have the new Root CA (ISRG Root X1) that Certbot now uses. Therefore, an update to the Python requests package was necessary to get an updated Root CA bundle.
This assumes that the OS running certbot already is rid of the old Root CA and has the new one.
LE has a URL for testing your chain of trust called helloworld.letsencrypt.org. Use this command from your certbot server to see that the chain of trust uses the correct Root CA.
Ensure that the expired root CA ( DST Root CA X3 ) is out of the list, and the new Root CA used by LE ( ISRG Root X1 ) is in. (Google how to remove / add root CA for specific OS version)
ex.
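Added example (mine, not part of the thread and not the command the post above refers to): a stdlib-only audit of the CA bundle that Python's requests/certifi would use, reporting whether ISRG Root X1 is present and whether the expired DST Root CA X3 is still in it. It assumes certifi is importable; if not, it falls back to the interpreter's OpenSSL default bundle.

```python
# Added example: audit the Python-side CA bundle for the Let's Encrypt root change.
import ssl
import time

REQUIRED_ROOT = "ISRG Root X1"    # the root Let's Encrypt chains to now
RETIRED_ROOT = "DST Root CA X3"   # the old cross-sign root, expired 30 Sep 2021


def find_bundle():
    """Path of the bundle requests would trust: certifi if installed (assumed),
    otherwise this interpreter's OpenSSL default (may be None)."""
    try:
        import certifi
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile


def load_roots(cafile):
    """Yield (commonName, notAfter-as-epoch) for every CA cert in the bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    for cert in ctx.get_ca_certs():
        cn = next((v for rdn in cert["subject"] for k, v in rdn
                   if k == "commonName"), "?")
        yield cn, ssl.cert_time_to_seconds(cert["notAfter"])


def audit_roots(roots, now=None):
    """Pure check over (cn, notAfter) pairs so it can be tested offline.
    'ok' matches the thread's advice: ISRG Root X1 in, DST Root CA X3 out."""
    now = time.time() if now is None else now
    roots = list(roots)
    names = {cn for cn, _ in roots}
    expired = sorted(cn for cn, exp in roots if exp < now)
    return {
        "has_isrg_root_x1": REQUIRED_ROOT in names,
        "has_retired_dst_root": RETIRED_ROOT in names,
        "expired_roots": expired,
        "ok": REQUIRED_ROOT in names and RETIRED_ROOT not in names,
    }


if __name__ == "__main__":
    bundle = find_bundle()
    print("bundle:", bundle)
    for key, value in audit_roots(load_roots(bundle)).items():
        print(f"{key}: {value}")
```

Run it with the same Python interpreter certbot uses, since each interpreter (and each certifi install) carries its own cacert.pem.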