[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.selfstudys.com

I ran this command: sudo certbot renew --nginx

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/selfstudys.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Attempting to renew cert (selfstudys.com) from /etc/letsencrypt/renewal/selfstudys.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/selfstudys.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/selfstudys.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.28.0

I was using this command for many months, but now it start giving error. Also in some area its shows SSL issues.

You probably are missing the ISRG Root X1 certificate in the trusted store on your system. Here is a post explaining it and the post following that shows someone who corrected a similar problem on Ubuntu 16.

Post back if this does not resolve it.

1 Like

@MikeMcQ thank you for your reply. Now I understand the problem, but do not get, how to solve it.

1 Like

Without upgrading from certbot v0.28.0 to v1.12(or higher), there is only the manual editing of the chain.pem or fullchain.pem file (whichever one is being used).
[note: the edit will be reverted upon cert renewal/reissuance]

Otherwise, you could try using another ACME client that also supports that parameter - like acme.sh


I run the following commands

sudo apt update
sudo apt install --only-upgrade certbot

but it only upgrade it to only certbot 0.31.0
Also my site certification path shows
ISRG Root X1 -> R3 -> selfstudys.com

@rg305 Is it using ISRG Root X1 ?

In order to use the --preferred-chain parameter, you will need to get to certbot v1.12(or higher)
For that, you will have to install the latest certbot from snap
See the full installation instructions at: http://certbot.eff.org/
OR switch to another ACME client...

Not the self-signed one (the one you need).
It is using the default chain:

openssl s_client -connect selfstudys.com:443 -servername selfstudys.com | head
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = selfstudys.com
verify return:1
Certificate chain
 0 s:CN = selfstudys.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

@rg305 thank you for reply. I am unable to install the latest certbot from snap, same problem here also. I try to run certbot --force-renewal also. This also not success shows certificate has expired or is not yet valid certbot
I try to run also acme.sh -f -r -d www.selfstudys.com -d selfstudys.com
but it gives acme.sh: command not found

1 Like

acme.sh is a program, like certbot, and it has to be installed first.

[scroll down to "How to install"]

@rg305 I install acme.sh. Then run acme.sh -f -r -d www.selfstudys.com -d selfstudys.com but now it give www.selfstudys.com' is not an issued domain, skip.

acme.sh --list gives Main_Domain KeyLength SAN_Domains CA Created Renew

As I have install the certificates using sudo certbot --nginx. If I am able to verify the domain once, I will install the certbot using snap and can later use nginx plugin for auto renew.

Why are you using "-f -r" ?

acme.sh --issue -d www.selfstudys.com -d selfstudys.com

@rg305 -f for forcefully and -r for renew.

The cert you now have is from certbot - not from acme.sh
There is nothing in acme.sh to renew.

The question was: Why are you using "-f -r" ?
"What do those two parameters do?"

I've been using acme.sh for years.
Thanks, but you don't have to tell me anything about what things do.
You just need to try and understand me better.

@rg305 Sorry, I do not understand your question. I know very little about these. Now I understand these are different client to get cert. I am not sure if I need to change the client to get cert. Current problem is that I am not able to verify my domain using Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org, So I need to find other way for it.

@rg305 I have many domains, so it may be difficult to switch to acme.sh. Can you tell me How to solve it using certbot. Any way except Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org to verify my domain during renew cert.

We are looking for that "other way" together.

Please try just one domain with acme.sh; So that we can know if that is a valid option for you.

There is only one other simple way that can be automated.
DNS authentication.
But that depends on your DNS Service Provider - which must support DNS zone updates via API.

Sorry but I must get some sleep now :zzz:

@rg305 thank you, let me check it.

I have not set the server time, that's why I was not able to install new certbot and renew the cert.
I solved the problem of not renew cert by following bellow steps:

  1. run sudo dpkg-reconfigure tzdata
  2. Remove current certbot.
  3. Install certbou sudo snap install --classic certbot
  4. now run sudo certbot renew --nginx

follow : Certbot - Ubuntuxenial Nginx

thank you @rg305 and @MikeMcQ for your help.

Now I will try to solve the SSL issue on old devices.

1 Like

I solved the problem by running certbot renew --preferred-chain "ISRG Root X1" --force-renewal
note that I need to re-install certbot to latest version.