SSL error with certbot-auto on Raspbian


#1

Hi,

I have used certbot-auto for many months to obtain a wildcard certificate. But now it was time to renew the certificates. For that I used the command that worked in the past:

./certbot-auto -d DOAMIN.de -d *.DOMAIN.de --rsa-key-size 4096 --server https://acme-v02.api.letexitsencrypt.org/directory --manual --preferred-challenges dns certonly --register-unsafely-without-email

But this time I got an error message:

SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

I tried a lot of things to find the reason with the following commands:

echo | openssl s_client -connect acme-staging.api.letsencrypt.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:/CN=acme-v02.api.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=acme-v02.api.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3654 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 7ACE61228F631670459ABA0487997145ADE3D00F643DDBC4514CAF555C3AF1C4
    Session-ID-ctx: 
    Master-Key: 5A220BF38BD54FE337CB7069C4FF69CB89DA10A753ECA43380CF065B17BC3645981A05C03795ED628EB2B501B9CCCEF5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 00 00 3a 8e 1f 12 15 08-6d d5 62 0a 65 73 4d b5   ..:.....m.b.esM.
    0010 - e9 1e 0b 47 f3 77 4d 19-4b 4c 29 62 84 11 1b 2d   ...G.wM.KL)b...-
    0020 - 25 34 63 30 06 23 d0 2d-b9 c4 1d 1c df 74 12 7b   %4c0.#.-.....t.{
    0030 - 7b 1a 03 46 a4 3c 42 17-c5 f6 d1 3b eb c8 1c a4   {..F.<B....;....
    0040 - 04 c4 74 78 b4 89 09 2f-7f 40 78 36 1b de 4c f9   ..tx.../.@x6..L.
    0050 - cc 03 d5 13 2d a1 f4 44-5b 3b 26 dc f4 76 ae ed   ....-..D[;&..v..
    0060 - 3a 64 5e 60 fc 06 a6 97-b7 0a ad 54 52 56 c9 a8   :d^`.......TRV..
    0070 - 46 6b 1a 46 c1 a4 17 a0-98 fe 75 97 65 7a c5 8d   Fk.F......u.ez..
    0080 - 31 2e de f5 a5 12 39 b3-77 22 a2 e5 c9 fd 81 08   1.....9.w"......
    0090 - 66 75 8a a6 08 93 df 54-bf c9 67 14 59 34 22 33   fu.....T..g.Y4"3

    Start Time: 1546678803
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
DONE

and

curl https://acme-v01.api.letsencrypt.org/directory
{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
  "tn4a4ME7KOk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"

Here is the content of letsencrypt.log:

2019-01-05 09:57:39,905:DEBUG:certbot.main:certbot version: 0.27.1
2019-01-05 09:57:39,908:DEBUG:certbot.main:Arguments: ['-d', 'DOMAIN.de', '-d', '*.DOMAIN.de', '--rsa-key-size', '4096', '--server', 'https://acme-v02.api.letexitsencrypt.org/directory', '--manual', '--prefe
2019-01-05 09:57:39,908:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPo
2019-01-05 09:57:40,031:DEBUG:certbot.log:Root logging level set at 20
2019-01-05 09:57:40,035:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-05 09:57:40,040:DEBUG:certbot.plugins.selection:Requested authenticator manual and installer None
2019-01-05 09:57:40,069:DEBUG:certbot.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: IAuthenticator, IPlugin
Entry point: manual = certbot.plugins.manual:Authenticator
Initialized: <certbot.plugins.manual.Authenticator object at 0x75ab96f0>
Prep: True
2019-01-05 09:57:40,074:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.manual.Authenticator object at 0x75ab96f0> and installer None
2019-01-05 09:57:40,074:INFO:certbot.plugins.selection:Plugins selected: Authenticator manual, Installer None
2019-01-05 09:57:40,078:INFO:certbot.client:Registering without email!
2019-01-05 09:58:31,275:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letexitsencrypt.org/directory.
2019-01-05 09:58:31,381:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letexitsencrypt.org
2019-01-05 09:58:31,601:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1238, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 641, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 520, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 180, in register
    acme = acme_from_config_key(config, key)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 50, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 761, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1095, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/acme/client.py", line 1044, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
2019-01-05 09:58:31,617:ERROR:certbot.log:An unexpected error occurred:

Perhaps somebody here can help me to find the reason for the error.

I am running certbot-auto on a Raspberry Pi with Raspbian.


#2

Check your command … I’m surprised that resolves though.


#3

For what it’s worth, you don’t need to specify --server at all with recent versions of Certbot.


#4

I am so blind :stuck_out_tongue_winking_eye:
You made my day, thanks a lot. The command was wrong.
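The root cause in this thread was a mistyped hostname in the --server URL, which certbot surfaced only as a generic "certificate verify failed". As an added example (not from this thread or from Certbot), here is a small pre-flight check that validates a --server value against the known Let's Encrypt ACME directory hosts and flags near-miss typos; the host list and the edit-distance threshold are my own assumptions.

```python
"""Pre-flight check for a certbot --server URL (added example).

Validates the ACME directory URL before any TLS connection is made, so a
mistyped hostname is reported as a typo instead of surfacing later as
'certificate verify failed'.
"""
from urllib.parse import urlsplit

# Well-known Let's Encrypt ACME directory hosts (assumed list; a tuple keeps
# the closest-match search deterministic).
KNOWN_ACME_HOSTS = (
    "acme-v02.api.letsencrypt.org",
    "acme-staging-v02.api.letsencrypt.org",
    "acme-v01.api.letsencrypt.org",
    "acme-staging.api.letsencrypt.org",
)


def levenshtein(a, b):
    """Edit distance between two strings; used to spot near-miss hostnames."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_acme_server(url, max_distance=4):
    """Return (ok, message) for a --server value.

    max_distance is the assumed edit-distance threshold below which an
    unknown host is reported as a probable typo of a known one.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https, got %r" % parts.scheme
    host = (parts.hostname or "").lower()
    if host in KNOWN_ACME_HOSTS:
        return True, "known ACME host %s" % host
    # Unknown host: find the closest known endpoint and suggest it.
    closest = min(KNOWN_ACME_HOSTS, key=lambda h: levenshtein(host, h))
    if levenshtein(host, closest) <= max_distance:
        return False, "unknown host %s; did you mean %s?" % (host, closest)
    return False, "unknown host %s (not a Let's Encrypt endpoint)" % host
```

Run against the URL from the thread, the check reports the host as a probable typo of acme-v02.api.letsencrypt.org instead of a handshake failure.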