Renew failure - unknown error (_ssl.c:3057)

I have now executed apt-get upgrade,
and after that I tried to renew the certificate again with 'certbot renew',
but I am still getting the same error: '... unknown error (_ssl.c:3057)'

1 Like

Here is the log from my last renewal attempt:

2021-06-18 13:13:47,654:DEBUG:certbot.main:certbot version: 0.31.0
2021-06-18 13:13:47,656:DEBUG:certbot.main:Arguments: []
2021-06-18 13:13:47,656:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-06-18 13:13:47,664:DEBUG:certbot.log:Root logging level set at 20
2021-06-18 13:13:47,665:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-06-18 13:13:47,673:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f62c5861b00> and installer <certbot.cli._Default object at 0x7f62c5861b00>
2021-06-18 13:13:47,683:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2021-06-06 19:54:10 UTC.
2021-06-18 13:13:47,683:INFO:certbot.renewal:Cert is due for renewal, auto-renewing...
2021-06-18 13:13:47,683:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2021-06-18 13:13:48,128:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f62c5851eb8>
Prep: True
2021-06-18 13:13:48,129:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f62c5851eb8>
Prep: True
2021-06-18 13:13:48,130:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f62c5851eb8> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f62c5851eb8>
2021-06-18 13:13:48,130:INFO:certbot.plugins.selection:Plugins selected: Authenticator nginx, Installer nginx
2021-06-18 13:13:48,152:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(terms_of_service=None, uri='https://acme-v02.api.letsencrypt.org/acme/acct/93612217', body=Registration(terms_of_service_agreed=None, external_account_binding=None, contact=(), agreement=None, status=None, key=None, only_return_existing=None), new_authzr_uri=None), e3a4a3ea37ce548506e4c82bd5ebee5d, Meta(creation_host='ip-172-31-46-31.eu-west-1.compute.internal', creation_dt=datetime.datetime(2020, 8, 11, 0, 22, 46, tzinfo=<UTC>)))>
2021-06-18 13:13:48,153:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-06-18 13:13:48,156:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-06-18 13:13:48,171:WARNING:certbot.renewal:Attempting to renew cert (balex.tech) from /etc/letsencrypt/renewal/balex.tech.conf produced an unexpected error: unknown error (_ssl.c:3057). Skipping.
2021-06-18 13:13:48,173:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 292, in ssl_wrap_socket
    context.load_verify_locations(ca_certs, ca_cert_dir)
ssl.SSLError: unknown error (_ssl.c:3057)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 266, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 294, in ssl_wrap_socket
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: unknown error (_ssl.c:3057)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 465, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1191, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 612, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 266, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 833, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1171, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1120, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 480, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 588, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: unknown error (_ssl.c:3057)

2021-06-18 13:13:48,174:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2021-06-18 13:13:48,174:ERROR:certbot.renewal:  /etc/letsencrypt/live/balex.tech/fullchain.pem (failure)
2021-06-18 13:13:48,175:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 490, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 Like

I will check if I can upgrade the NGINX version on the server.
Thanks

1 Like

Looks like my guess was correct:

The error happens when trying to configure the local trust store (on Debian-like systems usually located in /etc/ssl/certs/). Maybe it's corrupted or something?

4 Likes
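A diagnostic for the trust-store hypothesis in the reply above, added here as an example (it is not part of the original thread and not certbot's own code): it repeats the load_verify_locations call from the traceback against the CA bundle and against each certificate file in the trust-store directory, and reports every file that fails to load. The Debian-style default paths and the function names are assumptions.

```python
import os
import ssl

# Assumed Debian-style locations; adjust for other distributions.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
DEFAULT_CERT_DIR = "/etc/ssl/certs"


def check_ca_file(path):
    """Return None if `path` loads as a CA file, otherwise an error string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        # Same call that raises in the traceback (urllib3 ssl_wrap_socket).
        ctx.load_verify_locations(cafile=path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "{}: {}".format(type(exc).__name__, exc)
    return None


def scan_trust_store(bundle=DEFAULT_BUNDLE, cert_dir=DEFAULT_CERT_DIR):
    """Return {path: error} for the bundle and every *.pem / *.crt file
    in cert_dir that cannot be loaded into an SSLContext."""
    candidates = [bundle]
    if os.path.isdir(cert_dir):
        for name in sorted(os.listdir(cert_dir)):
            if name.endswith((".pem", ".crt")):
                candidates.append(os.path.join(cert_dir, name))
    failures = {}
    for path in dict.fromkeys(candidates):  # de-duplicate, keep order
        # Dangling symlinks are a common leftover of interrupted updates.
        if os.path.islink(path) and not os.path.exists(path):
            failures[path] = "dangling symlink -> " + os.readlink(path)
            continue
        error = check_ca_file(path)
        if error is not None:
            failures[path] = error
    return failures


if __name__ == "__main__":
    bad = scan_trust_store()
    for path, error in bad.items():
        print(path, "=>", error)
    print("{} unloadable file(s)".format(len(bad)))
```

Run it with the same Python interpreter that certbot uses (here the system python3), since the failure depends on that interpreter's OpenSSL build.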
