SSL connection failed for acme-v02.api.letsencrypt.org

SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed on generate SSL.

It's my curl response:

> curl -v https://acme-v02.api.letsencrypt.org/directory
> % Total % Received % Xferd Average Speed Time Time Time Current
> Dload Upload Total Spent Left Speed
> 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 172.65.32.248:443...

* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: D:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3025 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=acme-v01.api.letsencrypt.org
* start date: Oct 18 20:04:26 2021 GMT
* expire date: Jan 16 20:04:25 2022 GMT
* subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x950360)
} [5 bytes data]

> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.71.1
> accept: */*
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [57 bytes data]
* old SSL session ID is stale, removing
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
} [5 bytes data]
< HTTP/2 200
< server: nginx
< date: Thu, 21 Oct 2021 06:22:58 GMT
< content-type: application/json
< content-length: 658
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{ [658 bytes data]
100 658 100 658 0 0 3500 0 --:--:-- --:--:-- --:--:-- 3655{
"W0X5metR8HE": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Any way to fix this error?

The ACME client is failing, however the test with curl seems to be OK. What is your ACME client and what is its version?

Hello, @bruncsak
Can you please guide me on how I can check the ACME client and version?

You executed some command, when you got the original error message. What command did you execute?

I executed this command: dotnet AzureLetsEncrypt.dll
I use AzureLetsEncrypt version 1.1.

Is that the latest (or a recent) version?

If it is this one:

[you can see that it's now up to version 1.4.0]

Also: That seems to rely on LE64.exe which needs to be at v0.38 [or newer]

They need to maintain that program!
The "embedded" LE64.exe is very outdated:
[ ZeroSSL Crypt::LE client v0.34 started. ]

Get the latest LE64 from that source (directly):

I speak as a user of LE64:

Thanks @rg305
Certificate was generated after I replaced the le64 file.