RecursionError trying to obtain certificates

I have a 'difficult' configuration. I'm running two web servers on two different machines. Let's call them 'jeeves' and 'mail', because they are. 'jeeves' listens on port 80 and 'mail' listens on 8080.

I have been using acme.sh to obtain certs from letsencrypt for 'jeeves' and that was working fine. But the new 'mail' machine is getting its certs using CertBot.

Now, CertBot won't use port 8080, so I have to change my port forwarding in my router to send port 80 (and 443) to 'mail' instead of 'jeeves', reboot the router, and hey presto, CertBot works perfectly and gets my cert for mail.hoffmann.systems on 'mail'.

Swap the router back to sending ports 80 and 443 to 'jeeves', reboot it, and try to use CertBot now (instead of acme.sh) to get new certificates for hoffmann.systems, www.hoffmann.systems and svn.hoffmann.systems, and I get that error (An unexpected error occurred: RecursionError: maximum recursion depth exceeded while calling a Python object).

Any help would be appreciated.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hoffmann.systems

I ran this command:
doas certbot --apache -d hoffmann.systems -d www.hoffmann.systems -d svn.hoffmann.systems

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
RecursionError: maximum recursion depth exceeded while calling a Python object

My web server is (include version):

[!525]$ httpd -v
Server version: Apache/2.4.51 (Unix)
Server built:   Oct  7 2021 18:28:19

The operating system my web server runs on is (include version):

[!526]$ uname -a
Linux jeeves 5.14.16-arch1-1 #1 SMP PREEMPT Tue, 02 Nov 2021 22:22:59 +0000 x86_64 GNU/Linux

My hosting provider, if applicable, is: NA

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

[!527]$ certbot --version
certbot 1.21.0

@ga2k Welcome to the community.

Well, as they say, there is a lot to unpack here :slight_smile:

First, you should use a way to manage certs that does not involve updating your router each time. You will not be able to automate the renewal of the certs. They only last for 90 days and are usually renewed after 60.

There are various ways to accomplish that but let us leave that for later (and maybe someone else as I will be away shortly).

I want to address the "recursion" error. The Certbot command you used on Jeeves was --apache which both gets new certs and configures your Apache server for them. But, you already had a working https configuration from using acme.sh earlier. The Certbot certonly --webroot option would likely work better. Something like:

doas certbot certonly --webroot -w /apache/rootdir/path -d hoffmann.systems -d www.hoffmann.systems (repeat -d for the others)

Also, add --dry-run while testing that so you do not run into rate limits if it does not work. And, also add --deploy-hook "doas apachectl reload" to reload Apache after the cert is issued so it sees the new cert right away.

Once that is working, set up a certbot renew command in a cron to run daily.

THAT SAID, you should first fix your existing certificate chain sent by your Apache jeeves. Your chain contains an extra certificate. So, maybe fixing this allows the original certbot command to work and may be better than what I just described. Hard to say without evaluating your entire configuration. I will not guess as to why it is wrong but you need to remove the duplicate cert at the start. See this site for the cert chain you are sending:
https://decoder.link/sslchecker/hoffmann.systems/443

Update: @ga2k I just noticed your mail.hoffmann.systems chain has the same duplicate chain problem. In fact, it is the same chain file so does not seem to be the one you recently created with Certbot. Just use this domain name in the decoder.link/sslchecker page to see.


Taking the easy one first, I have rectified the extra certificate problem by deleting the first one out of fullchain.pem. Now that website you linked to shows no errors and that everything is great.

I think I will get jeeves to get all the certificates, and share them with mail. Then I only need CertBot to run on one machine, and I won't have to do the old router forwarding switcharoo every 60 days or so.

Once things settle down again, I'll try with CertBot on jeeves once again.

Thanks for your help Mike.


Good that you resolved the chain but you should not need to modify fullchain manually. This will work against you automating it.

Maybe I should have asked to see your Apache conf but I am going to make a guess that you are using the "old style" Apache method of naming the certs and are just using the wrong names. With Apache 2.4.51 you should need just two:

SSLCertificateFile .../fullchain.pem
SSLCertificateKeyFile .../privkey.pem

I will guess you currently use 3 with the now-deprecated SSLCertificateChainFile. I will further guess you used cert.pem, fullchain.pem, and privkey with those 3. Normally you would use cert.pem, chain.pem, and privkey with that style (note chain, not fullchain). Best is to remove the ChainFile line and set the 2 above like I show - with the original unmodified fullchain.pem for the SSLCertificateFile.

Good plan about getting certs from Jeeves and pushing those to mail. Several methods work. Post back when you are ready for that.

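The two points Mike raises in his replies above (the duplicate certificate at the start of the served chain, and the guess that the vhost still uses the deprecated SSLCertificateChainFile with the wrong file names) can be checked offline before touching Apache. The following is an added example written for this thread, not code from the Let's Encrypt community, Certbot or Apache; it uses constructed stand-in certificates (the PEM bodies are not real X.509 DER, only distinct blobs), hypothetical file names matching what Certbot writes into its live directory, and a simplified model of Apache 2.4's behaviour: every certificate in SSLCertificateFile is sent first (since 2.4.8 that file may hold the whole chain), followed by whatever SSLCertificateChainFile points at if that deprecated directive is still set.

```python
import base64
import hashlib
import re
from typing import Dict, List

# Constructed stand-in certificates for an offline demo. The base64 bodies are
# NOT real X.509 DER (they decode to "LEAF-CERT" and "INTERMEDIATE"); only
# their distinctness matters for the duplicate check.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRi1DRVJU\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"

# Hypothetical contents of certbot's live/<domain>/ files, keyed by file name.
CERTBOT_FILES: Dict[str, str] = {
    "cert.pem": LEAF_PEM,                       # leaf only
    "chain.pem": INTERMEDIATE_PEM,              # intermediates only
    "fullchain.pem": LEAF_PEM + INTERMEDIATE_PEM,  # leaf followed by intermediates
}

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(text: str) -> List[bytes]:
    """Return the DER payload of every CERTIFICATE block in a PEM file, in order."""
    return [base64.b64decode("".join(m.group(1).split())) for m in _PEM_BLOCK.finditer(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of one certificate, the identity chain checkers display."""
    return hashlib.sha256(der).hexdigest()


def duplicate_positions(chain: List[bytes]) -> List[int]:
    """0-based positions of certificates that already appeared earlier in the chain."""
    seen = set()
    dupes = []
    for i, der in enumerate(chain):
        fp = fingerprint(der)
        if fp in seen:
            dupes.append(i)
        seen.add(fp)
    return dupes


def served_chain(directives: Dict[str, str], files: Dict[str, str]) -> List[bytes]:
    """Simplified model of what Apache 2.4 sends in the TLS handshake:
    all certificates in SSLCertificateFile, then SSLCertificateChainFile if set."""
    chain = split_pem(files[directives["SSLCertificateFile"]])
    if "SSLCertificateChainFile" in directives:
        chain += split_pem(files[directives["SSLCertificateChainFile"]])
    return chain


def lint(directives: Dict[str, str], files: Dict[str, str]) -> List[str]:
    """Warnings a reviewer would raise about a vhost's certificate directives."""
    warnings = []
    if "SSLCertificateChainFile" in directives:
        warnings.append("SSLCertificateChainFile is deprecated since Apache 2.4.8; "
                        "point SSLCertificateFile at fullchain.pem and drop it")
    for pos in duplicate_positions(served_chain(directives, files)):
        warnings.append(f"certificate at position {pos} duplicates an earlier one "
                        "in the served chain")
    return warnings


# The misconfiguration guessed in the thread: cert.pem plus a ChainFile of
# fullchain.pem, which makes the leaf appear twice at the start of the chain.
OLD_STYLE_WRONG = {"SSLCertificateFile": "cert.pem",
                   "SSLCertificateChainFile": "fullchain.pem",
                   "SSLCertificateKeyFile": "privkey.pem"}
# The recommended two-directive form with the unmodified fullchain.pem.
NEW_STYLE = {"SSLCertificateFile": "fullchain.pem",
             "SSLCertificateKeyFile": "privkey.pem"}

if __name__ == "__main__":
    for name, conf in (("old-style", OLD_STYLE_WRONG), ("new-style", NEW_STYLE)):
        chain = served_chain(conf, CERTBOT_FILES)
        print(f"{name}: serves {len(chain)} certs; warnings: {lint(conf, CERTBOT_FILES) or 'none'}")
```

Running it shows the old-style directives serving three certificates with the leaf duplicated at position 1, which is the symptom the sslchecker page reported, while the two-directive form serves the clean leaf-plus-intermediate chain. Editing fullchain.pem by hand makes the old-style output look right too, but Certbot rewrites that file on every renewal, so the duplicate comes back; fixing the directives is what keeps renewal automatable.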

That worked a treat. Thank you so much.

Watta ya gonna do? Dodgy how-tos on the interwebs led me astray. But now HTTPS is actually working on jeeves, which it wasn't until now!

Onwards and upwards!


Yeah, it can do that :slight_smile:

Something to ponder ... given you followed some bad advice you may have other settings that are not great. You could consider starting over with a plain default Apache setup for jeeves and let certbot install (that is, configure) it with the command you started to use (certbot --apache). That is more work now but could result in a more stable platform forward. I personally prefer certonly --webroot but I am comfortable managing my environ.

Or, at least compare your current settings to a credible configurator like the one from Mozilla. See:
https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&hsts=false&ocsp=false&guideline=5.6
Set the values to match your system (openssl and apache version and so on). It does not show all needed settings but the ones it shows are fair.

