SSL Certificate Renewal on SFTP server (certbot failed)

My domain is: sftp.limeintel.com (hosted on google cloud vm)

I ran this command: certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini --agree-tos -m support@limeintel.com -d sftp.limeintel.com

It produced this output:

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

My web server is (include version):

The operating system my web server runs on is (include version): Rocky Linux 9.3

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

I also ran this:

openssl s_client -connect acme-v02.api.letsencrypt.org:443

And received this:

CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R10
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1

Certificate chain
0 s:CN = acme-v02.api.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R10
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 1 07:46:47 2024 GMT; NotAfter: Nov 30 07:46:46 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = R10
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT

Server certificate
subject=CN = acme-v02.api.letsencrypt.org
issuer=C = US, O = Let's Encrypt, CN = R10

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 3334 bytes and written 416 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)


Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 56673F2D44F9293072E557ED4380862AC4D6030185E0CD30661EA01A8796B98C
Session-ID-ctx:
Resumption PSK: 09360DB07825807A521CB47F21E7C036D6786755F5BF5D820518BB3F384F99EB6328FAB36A1553E35E39DE1845E32B87
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - 09 8e fb b3 91 e4 ab c5-59 6b 5b 1e 61 92 cf 2b ........Yk[.a..+
0010 - a4 ba 70 0d 82 65 b0 45-69 4c 18 60 f8 03 fc 84 ..p..e.EiL.`....

Start Time: 1725321749
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0

read R BLOCK

Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 12DF1FC07E2767767A605BF354029B3AB4C8483DF1E83405B896A1762D548BB1
Session-ID-ctx:
Resumption PSK: 790252A5A0B5E8CBE2EA03B4D49AAE48BCC393B0C3C096256052D646C567C7C90457E070BFA2F1994911989CD7A8F285
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - 92 64 02 88 df 1e 7e b9-76 e9 72 35 ac 8a ae 91 .d....~.v.r5....
0010 - 46 7e 59 96 db b2 c6 20-4f a3 f6 51 37 a9 64 fa F~Y.... O..Q7.d.

Start Time: 1725321749
Timeout   : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no
Max Early Data: 0

read R BLOCK

Here is the detail from the log at /var/log/letsencrypt/letsencrypt.log:

2024-09-03 01:18:17,501:DEBUG:certbot._internal.main:certbot version: 2.9.0
2024-09-03 01:18:17,502:DEBUG:certbot._internal.main:Location of certbot entry point: /bin/certbot
2024-09-03 01:18:17,502:DEBUG:certbot._internal.main:Arguments: ['--dns-cloudflare', '--dns-cloudflare-credentials', '/etc/letsencrypt/cloudflare.ini']
2024-09-03 01:18:17,502:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2024-09-03 01:18:17,513:DEBUG:certbot._internal.log:Root logging level set at 30
2024-09-03 01:18:17,515:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/ftp.limeintel.com.conf
2024-09-03 01:18:17,517:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer None
2024-09-03 01:18:17,517:DEBUG:certbot.configuration:Var dns_cloudflare_credentials=/etc/letsencrypt/cloudflare.ini (set by user).
2024-09-03 01:18:17,544:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): e5.o.lencr.org:80
2024-09-03 01:18:17,563:DEBUG:urllib3.connectionpool:http://e5.o.lencr.org:80 "POST / HTTP/1.1" 200 345
2024-09-03 01:18:17,564:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/ftp.limeintel.com/cert4.pem is signed by the certificate's issuer.
2024-09-03 01:18:17,568:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/ftp.limeintel.com/cert4.pem is: OCSPCertStatus.GOOD
2024-09-03 01:18:17,573:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2024-09-19 10:40:09 UTC.
2024-09-03 01:18:17,573:INFO:certbot._internal.renewal:Certificate is due for renewal, auto-renewing...
2024-09-03 01:18:17,573:DEBUG:certbot._internal.plugins.selection:Requested authenticator dns-cloudflare and installer None
2024-09-03 01:18:17,573:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * dns-cloudflare
Description: Obtain certificates using a DNS TXT record (if you are using Cloudflare for DNS).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='dns-cloudflare', value='certbot_dns_cloudflare._internal.dns_cloudflare:Authenticator', group='certbot.plugins')
Initialized: <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f737f120b20>
Prep: True
2024-09-03 01:18:17,574:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_dns_cloudflare._internal.dns_cloudflare.Authenticator object at 0x7f737f120b20> and installer None
2024-09-03 01:18:17,574:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator dns-cloudflare, Installer None
2024-09-03 01:18:17,626:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1460522496', new_authzr_uri=None, terms_of_service=None), f375920bcf1b59b39f591ab5de5f2e37, Meta(creation_dt=datetime.datetime(2023, 12, 12, 7, 45, 24, tzinfo=), creation_host='sftp-limeintel-com.australia-southeast1-a.c.production-limeintel-com.internal', register_to_eff=None))>
2024-09-03 01:18:17,627:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2024-09-03 01:18:17,628:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2024-09-03 01:18:17,994:ERROR:certbot._internal.renewal:Failed to renew certificate ftp.limeintel.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))
2024-09-03 01:18:17,998:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 700, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 383, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1015, in _validate_conn
conn.connect()
File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib64/python3.9/ssl.py", line 1074, in _create
self.do_handshake()
File "/usr/lib64/python3.9/ssl.py", line 1343, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 756, in urlopen
retries = retries.increment(
File "/usr/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1548, in renew_cert
le_client = _init_le_client(config, auth, installer)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 838, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 297, in __init__
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 72, in acme_from_config_key
directory = acme_client.ClientV2.get_directory(config.server, net)
File "/usr/lib/python3.9/site-packages/acme/client.py", line 330, in get_directory
return messages.Directory.from_json(net.get(url).json())
File "/usr/lib/python3.9/site-packages/acme/client.py", line 705, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3.9/site-packages/acme/client.py", line 647, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 544, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 657, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')))

Your CA certificate store is missing the ISRG Root X1 certificate. Your server would fail to validate an HTTPS connection to any site that uses Let's Encrypt certs. Is this a new system?

I don't know Rocky Linux very well but this probably shows the pertinent Store location:

curl -v https://acme-v02.api.letsencrypt.org/directory

You should see some lines like these and post the file name and/or path

* TLSv1.2 (OUT), TLS handshake, Client hello (1):
*  CAfile: (maybe some file)
*  CApath: (maybe some path)

Just to prove it is not unique to the ACME API, you would get the same connection failure to this forum

curl https://community.letsencrypt.org

Hi Mike,

Thanks for that, you are 100% correct.

I ran the command above: curl -v https://acme-v02.api.letsencrypt.org/directory

And received this information:

*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

This command also failed: curl https://community.letsencrypt.org

I opened this file: /etc/pki/tls/certs/ca-bundle.crt

There was no ISRG Root X1 certificate in this file.

Can I simply paste the missing certificate into that file? I assume at the end of the file?

Not a good idea and probably won't work persistently. There is a formal way to update the CA store for the Rocky system. I'm just not certain what it is.

Just for curiosity, what does this show

cat /etc/pki/tls/certs/ca-bundle.crt | grep -E 'X1|Amazon|X3|DST' | grep '#'

Thanks Mike,

I get nothing when I execute that command.

The /etc/pki/tls/certs/ca-bundle.crt literally contains only 2 certificates from BEGIN CERTIFICATE to END CERTIFICATE (2x)

The first one is this:

Certificate Information:

Common Name: Sectigo RSA Domain Validation Secure Server CA
Subject Alternative Names:
Organization: Sectigo Limited
Organization Unit:
Locality: Salford
State: Greater Manchester
Country: GB
Valid From: November 1, 2018
Valid To: December 31, 2030
Issuer: USERTrust RSA Certification Authority, The USERTRUST Network
Key Size: 2048 bit
Serial Number: 7d5b5126b476ba11db74160bbc530da7

And the second one is this:

Certificate Information:

Common Name: USERTrust RSA Certification Authority
Subject Alternative Names:
Organization: The USERTRUST Network
Organization Unit:
Locality: Jersey City
State: New Jersey
Country: US
Valid From: March 11, 2019
Valid To: December 31, 2028
Issuer: AAA Certificate Services, Comodo CA Limited
Key Size: 4096 bit
Serial Number: 3972443af922b751d7d36c10dd313595

These are the details when I copy-paste the certificate into here:

Then your CA Certificate Store is badly broken. You might want to revisit your installation.

You won't even be able to connect to say https://google.com or https://amazon.com (not that you would but just to give example of wide-ranging things that won't work)

Someone here may be able to walk you through that and on some other day even maybe me. But, not tonight for me and not soon anyway.

A Rocky forum is a good place to ask about this too. Something has gone badly wrong on your system.

Thanks Mike,

Yes this box is just used to host our FTP and SFTP servers.
The guy who originally set it up is no longer with the company and I am very novice at the network / security side of things.

Appreciate your help. I'll keep digging and maybe check in here again periodically.

Thanks again,
Steve

Also here is a screenshot for reference of the cat command earlier.

It also shows that the ca-bundle.crt file is a link to the tls-ca-bundle.pem file:

Yes, I structured the grep that way to select the headings from that bundle. Did your bundle have lines like
# description of cert
followed by the contents?

If not then the grep wasn't useful. Would have to do a different way. Still, you should have far more than just two trusted certs there.

Sounds like your setup person made a custom CA store. I just don't have the time to walk through that.

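As an added example (not code from the thread), a small POSIX shell diagnostic for the situation Mike describes: it counts the certificates in a bundle and lists their subjects by parsing every PEM block with openssl, so it works whether or not the bundle carries `#` heading lines, and it flags a bundle that lacks ISRG Root X1. The bundle path, the 100-root threshold and the test bundle are assumptions or constructed.

```shell
#!/bin/sh
# Added diagnostic for a PEM CA bundle such as /etc/pki/tls/certs/ca-bundle.crt.
# Unlike grepping for '#' headings, it parses every PEM block with openssl,
# so it works on bundles with or without description comments.

# One certificate per BEGIN marker (prints 0 rather than failing on none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# Print the subject of each certificate, one per line.
list_subjects() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout \
        | sed -n 's/^subject=//p'
}

# Exit 0 if some certificate's subject carries the given CN.
has_subject_cn() {
    list_subjects "$1" | grep -q "CN *= *$2"
}

# Report on a bundle; returns 1 when ISRG Root X1 (the Let's Encrypt root) is absent.
check_bundle() {
    bundle=$1
    n=$(count_certs "$bundle")
    echo "$bundle -> $(readlink -f "$bundle" 2>/dev/null || echo "$bundle"): $n certificate(s)"
    # Assumption: a distro bundle derived from the Mozilla store has well over
    # 100 roots; a handful of certs means a hand-built store, as in the thread.
    [ "$n" -ge 100 ] || echo "WARNING: only $n certificate(s); this looks like a custom bundle"
    if has_subject_cn "$bundle" "ISRG Root X1"; then
        echo "OK: ISRG Root X1 present"
        return 0
    fi
    echo "MISSING: ISRG Root X1; chains from Let's Encrypt will not verify"
    return 1
}

# Online check (not exercised offline): the handshake fails unless the ACME
# endpoint's chain verifies against the bundle, mirroring the thread's s_client run.
verify_acme() {
    openssl s_client -connect acme-v02.api.letsencrypt.org:443 \
        -CAfile "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Usage on a Rocky/RHEL host: check_bundle /etc/pki/tls/certs/ca-bundle.crt
```

A bundle that check_bundle flags as custom is repaired on Rocky by letting update-ca-trust regenerate it, which is what resolved this thread.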

If I run this: cat objsign-ca-bundle.pem | grep -E 'X1|Amazon|X3|DST' | grep '#'

I get this:

It's very possible the CA store is custom. It sounds like something he would have done! :smiley:

The objsign-ca-bundle.pem looks like this:

I think this is what you were expecting...

Yes, like that. Some don't have it like that; I was just guessing based on Rocky base.

I still don't know how to properly integrate what you just showed into your system. Nor how to update it so you have an ongoing system. You could look for info about update-ca-trust (I think, that or update-ca-certificates I am not sure)

Thanks again Mike,

I was reading up on update-ca-trust. I'll keep looking into that one as it relates to Rocky linux.

Cheers,
Steve

So...

I just ran update-ca-trust command then the openssl -connect and it worked!

I think...

Yes, looks good. Go back and try to request a certificate.

Hi Mike

Really appreciate all the helpful tips and for sticking with it.

Just to close this out, I was able to run the certbot renew command and it successfully updated the ssl certs for both our SFTP and FTP instances.

The weekly cron job should be able to handle it from here.

Many thanks
Steve