My domain is: all domains
I ran this command: sudo certbot --apache
It produced this output:
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
My web server is (include version): Apache 2.4
The operating system my web server runs on is (include version): Arch Linux
My hosting provider, if applicable, is: init7
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
[morta@5erver ~]$ sudo certbot --version
certbot 1.19.0
[morta@5erver ~]$ cat /etc/hosts
#
127.0.0.1 localhost 5erver
::1 localhost 5erver
[morta@5erver ~]$ cat /etc/hostname
5erver
[morta@5erver ~]$ cat /etc/resolv.conf
# Generated by NetworkManager
search home
nameserver 77.109.128.2
nameserver 213.144.129.20
nameserver 2001:1620:2777:1::10
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 2001:1620:2777:2::20
[morta@5erver ~]$ dig acme-v02.api.letsencrypt.org
; <<>> DiG 9.16.21 <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3289
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org. IN A
;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 2582 IN CNAME prod.api.letsencrypt.org.
prod.api.letsencrypt.org. 300 IN CNAME ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com. 34 IN A 172.65.32.248
;; Query time: 39 msec
;; SERVER: 77.109.128.2#53(77.109.128.2)
;; WHEN: Wed Oct 06 12:13:24 UTC 2021
;; MSG SIZE rcvd: 155
[morta@5erver ~]$ curl -v https://acme-v02.api.letsencrypt.org/
* Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: Sep 30 00:32:23 2021 GMT
* expire date: Dec 29 00:32:22 2021 GMT
* subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55bb62d87ab0)
> GET / HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.79.1
> accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200
< server: nginx
< date: Wed, 06 Oct 2021 11:18:45 GMT
< content-type: text/html
< content-length: 2174
< last-modified: Wed, 18 Aug 2021 16:36:00 GMT
< etag: "611d36f0-87e"
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
<div class="col-xs-6 text-left">
<h1>Boulder<br>
<small>The Let's Encrypt CA</small></h1>
</div>
</div>
<div class="row">
<div class="col-xs-8 col-xs-offset-2 text-center">
<h3>This is an <a href="https://github.com/letsencrypt/acme-spec/">ACME</a> Certificate Authority running <a href="https://github.com/letsencrypt/boulder">Boulder</a>.</h3>
<p>This is a <em>programmatic</em> endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See <a href="https://letsencrypt.org/"><tt>https://letsencrypt.org/</tt></a> for help.</p>
<p>If you're trying to use this service, note that the starting point, <em>the directory</em>, is available at this URL: <a href="https://acme-v02.api.letsencrypt.org/directory"><tt>https://acme-v02.api.letsencrypt.org/directory</a></tt>.</p>
</div>
</div>
<div class="row">
<div class="col-xs-4 col-xs-offset-2 text-center">
<p><a href="https://letsencrypt.status.io" title="Twitter">
<i class="fa fa-area-chart"></i>
Service Status (letsencrypt.status.io)
</a></p>
</div>
<div class="col-xs-4 text-center">
<p><a href="https://twitter.com/letsencrypt" title="Twitter">
<i class="fa fa-twitter"></i>
Check with us on Twitter
</a></p>
</div>
</div> <!-- row -->
issuer=C = US, O = Let's Encrypt, CN = R3
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 3300 bytes and written 423 bytes
Verification error: certificate has expired
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: DD80E5D63A08FEF1DDAA946BA0841BAF850B87C9B7C125D9BE9B48CFDD9171AB
Session-ID-ctx:
Master-Key: CDC999491175E7A07D818F2BA4D00EA257B00CD0F8EE281F6DB789DFA73B1FAD286F2FFFF60B75B55A80266DA1E64DB7
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1633522429
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: yes
No clue what the error is. It was running till today....