Renewal failure, "sslv3 alert bad record mac"

My domain is:
dreamchaser.org

I ran this command:
certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /usr/local/etc/letsencrypt/renewal/dreamchaser.org.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for discoveriesinwood.com
http-01 challenge for dreamchaser.org
http-01 challenge for git.dreamchaser.org
http-01 challenge for www.discoveriesinwood.com
http-01 challenge for www.dreamchaser.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (dreamchaser.org) from /usr/local/etc/letsencrypt/renewal/dreamchaser.org.conf produced an unexpected error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad record mac')]. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/dreamchaser.org/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/dreamchaser.org/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
apache24-2.4.38

The operating system my web server runs on is (include version):
FreeBSD 11.2-RELEASE-p9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

The debug log shows the following error:
The debug log shows the following exception:

2020-03-11 14:48:04,062:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 165, in _respond
    self._send_responses(aauthzrs, resp, chall_update)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 198, in _send_responses
    self.acme.answer_challenge(achall.challb, resp)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 158, in answer_challenge
    response = self._post(challb.uri, response)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1185, in post
    return self._post_once(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1201, in _post_once
    response = self._send_request('POST', url, data=data, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1101, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 380, in _make_request
    httplib_response = conn.getresponse(buffering=True)
  File "/usr/local/lib/python2.7/httplib.py", line 1121, in getresponse
    response.begin()
  File "/usr/local/lib/python2.7/httplib.py", line 438, in begin
    version, status, reason = self._read_status()
  File "/usr/local/lib/python2.7/httplib.py", line 394, in _read_status
    line = self.fp.readline(_MAXLINE + 1)
  File "/usr/local/lib/python2.7/socket.py", line 480, in readline
    data = self._sock.recv(self._rbufsize)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 274, in recv
    return self.recv(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 258, in recv
    data = self.connection.recv(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1783, in recv
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)

I’ve been informed Python 2.7 is EOL, but that doesn’t seem like it should be the problem. I’m planning on upgrading the OS and apps but would like to renew this cert if possible before that, as it expires in 2 days.

Apparently Python 3.7 is required. I deleted the py27-certbot package and installed py37-certbot, and the certs renewed normally.

Note: I did upgrade the OS to 11.3 prior to doing this.
