Problem renewing LetsEncrypt Certificate

Hi,

I am facing a problem renewing the certificate on my webserver. The last renewal was on 15/2/2024 and the current certificate is valid until 19/5/2024. During the last renewal attempt on 15/4/2024 I am getting the following error:

Failed to renew certificate www.protodikeio-thes.gr with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)')))

Details of the web server

OS CentOS 7
Apache 2.4.6
Certbot 2.10.0
openssl 1.0.2

Output of commands:

certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.protodikeio-thes.gr
    Serial Number: 3f5fe4396c63b70452c94486b228fdc10c1
    Key Type: RSA
    Domains: www.protodikeio-thes.gr
    Expiry Date: 2024-05-19 08:00:54+00:00 (VALID: 19 days)
    Certificate Path: /etc/letsencrypt/live/www.protodikeio-thes.gr/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.protodikeio-thes.gr/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 | head

depth=1 DC = local, DC = gov, DC = ddt, CN = ddt-DC1ADCCAV01-SubCA
verify error:num=20:unable to get local issuer certificate
CONNECTED(00000003)
DONE

Certificate chain
0 s:/CN=acme-v02.api.letsencrypt.org
i:/DC=local/DC=gov/DC=ddt/CN=ddt-DC1ADCCAV01-SubCA
1 s:/DC=local/DC=gov/DC=ddt/CN=ddt-DC1ADCCAV01-SubCA
i:/CN=DC1ADPKIP01-Root-CA

Server certificate
-----BEGIN CERTIFICATE-----

curl -Ik https://acme-v02.api.letsencrypt.org/directory

HTTP/1.1 200 OK
Server: nginx
Date: Tue, 30 Apr 2024 05:00:50 GMT
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: Y_7AIQuU-MLSKvNuM6V8BRZIR5Zmzb4-WO5WmR9J81d4VnqEO0Q
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 747
Content-Type: application/json
Via: 1.1 DC1EK-VISRVWSA-05.ddt.gov.local:80 (Cisco-WSA/14.0.3-014)
Connection: keep-alive

The only thing that has changed since the last successful renewal in February is the WAN configuration, where a peripheral security has been employed. However, I applied for security removal from certain IPs (the web server's included), so no ports are blocked. I am not sure if this has been done properly.
Can you check from all the above info whether this is a communication error (firewall block), so I can chase it further with my provider, or otherwise look locally on the server to resolve the issue?
Any help on this issue will be highly appreciated.
Thank you

You saw some government internal CA certificate on that s_client, so you got intercepted by that new security.
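
The diagnosis in the reply can be checked mechanically. The following is an added example, not part of the thread: it reads `openssl s_client` output and reports whether the leaf certificate presented for the ACME endpoint was issued by the expected CA or by something else, such as a TLS-inspecting proxy. The function names, the sample inputs and the `O=Let's Encrypt` issuer test are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the issuer of the leaf certificate shown in the
# "Certificate chain" section of `openssl s_client` output.

# Constructed sample: the chain lines from the s_client output in the post
# (OpenSSL 1.0.2 formatting).
SAMPLE_CHAIN='Certificate chain
 0 s:/CN=acme-v02.api.letsencrypt.org
   i:/DC=local/DC=gov/DC=ddt/CN=ddt-DC1ADCCAV01-SubCA
 1 s:/DC=local/DC=gov/DC=ddt/CN=ddt-DC1ADCCAV01-SubCA
   i:/CN=DC1ADPKIP01-Root-CA'

# Constructed sample of an uninspected connection (newer OpenSSL formatting;
# the intermediate name "R3" is illustrative only).
SAMPLE_DIRECT="Certificate chain
 0 s:CN = acme-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3"

# Print the issuer of certificate 0 (the leaf), with "X = Y" normalised
# to "X=Y" so old and new OpenSSL formats compare the same way.
leaf_issuer() {
    awk '
        /^[ \t]*0 s:/ { leaf = 1; next }
        leaf && /^[ \t]*i:/ {
            sub(/^[ \t]*i:/, ""); gsub(/ *= */, "="); print; exit
        }
    '
}

# Assumption: the ACME API certificate is issued under O=Let's Encrypt.
# Any other issuer means something between host and endpoint re-signed it.
classify_issuer() {
    case "$1" in
        "")                  echo unknown ;;
        *"O=Let's Encrypt"*) echo direct ;;
        *)                   echo intercepted ;;
    esac
}

# Read s_client output on stdin; print "<verdict><TAB><issuer>".
check_chain() {
    issuer=$(leaf_issuer)
    printf '%s\t%s\n' "$(classify_issuer "$issuer")" "$issuer"
}

# Live use from the affected server:
#   echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 \
#     -servername acme-v02.api.letsencrypt.org 2>/dev/null | check_chain
```

A verdict of `intercepted` with an internal issuer, as in the post's output, points at the network path rather than at certbot or the local trust store.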