Renewal failing due to certificate verify failed error

Hello, I have almost the same error. Is it possible, there is blocked my IP 89.248.250.18?

Attempting to renew cert (ondrahk.hkfree.org) from /etc/letsencrypt/renewal/ondrahk.hkfree.org.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ondrahk.hkfree.org/fullchain.pem (failure)

Thank you. very much.
Ondrej

@ondrahk This is a different error. Your error states "certificate verify failed" and not a handshake issue. I'm going to move your post to its own thread, so it will be picked up more easily by the Community volunteers.

Also, in the #help section you would have been presented with a questionnaire when starting a new thread. See below. Could you please answer all the questions to the best of your knowledge? Some might already be given in your first post, but please repeat the answers for clearity in the questionnaire. Thanks!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My domain is: ondrahk.hkfree.org

I ran this command: certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/ondrahk.hkfree.org.conf

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Attempting to renew cert (ondrahk.hkfree.org) from /etc/letsencrypt/renewal/ondrahk.hkfree.org.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ondrahk.hkfree.org/fullchain.pem (failure)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ondrahk.hkfree.org/fullchain.pem (failure)

1 renew failure(s), 0 parse failure(s)

My web server is (include version):Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is: no provider...community server

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi @ondrahk and welcome to the LE community forum

Please show the output of:
openssl version
apt list | grep certifi
curl --version

Hello and thank you.

OpenSSL 1.1.1

ca-certificates/bionic-updates,bionic-updates,bionic-security,bionic-security,now 20210119~18.04.2 all [instalovaný]
ca-certificates-java/bionic-updates,bionic-updates,now 20180516ubuntu1~18.04.1 all [instalovaný,automaticky]
ca-certificates-mono/bionic,bionic 4.6.2.7+dfsg-1ubuntu1 all [zbytkové-konfigurační-coubory]
fusiondirectory-plugin-certificates/bionic-updates,bionic-updates 1.0.19-1ubuntu0.18.04.1 all
golang-github-google-certificate-transparency-dev/bionic,bionic 0.0~git20160709.0.0f6e3d1~ds1-3 all
python-certifi/bionic,bionic,now 2018.1.18-2 all [instalovaný,automaticky]
python3-certifi/bionic,bionic,now 2018.1.18-2 all [instalovaný]
ruby-certificate-authority/bionic,bionic 0.2.0~434c15cd-1 all


curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1 zlib/1.2.11 libidn2/2.3.0 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

All of that looks good.
I suspect that you may need to upgrade:

OR
Use another ACME client [like: acme.sh].

Thank you. I uninstalled repository version of certbot and installed up to date snap version. Now it's working like charm.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.