ssl.SSLError: [X509] no certificate or crl found (_ssl.c:3732)

I have a server with currently three websites using Let’s Encrypt. These certs get renewed without issues. Now I would like to generate a cert for the fourth new website. This is what I am getting:

certbot --apache certonly -w /path/to/docroot/ -d subdomain.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 313, in ssl_wrap_socket
    context.load_verify_locations(ca_certs, ca_cert_dir)
ssl.SSLError: [X509] no certificate or crl found (_ssl.c:3732)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 315, in ssl_wrap_socket
    raise SSLError(e)
urllib3.exceptions.SSLError: [X509] no certificate or crl found (_ssl.c:3732)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(185090184, '[X509] no certificate or crl found (_ssl.c:3732)'),))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(185090184, '[X509] no certificate or crl found (_ssl.c:3732)'),))
Please see the logfiles in /var/log/letsencrypt for more details.

This is on an Ubuntu 18.04. The other three certs were created with the same command though last year. I am not sure what is going on. Searching for this error results in conflicting or out of scope suggestions. Any help appreciated.

1 Like

Hi @kghbln

another user had a "same-looking problem" and found a curious solution (this day):

Check

2 Likes

Thanks a lot for the pointer!! Interesting. Will try after a good nights sleep tomorrow and report back.

1 Like

Again, thanks a lot for the pointer! Indeed following these steps resolved the issue. I am using Apache so the install command for certbot was slightly different however …

certbot --apache certonly -w /path/to/docroot/ -d subdomain.example.com

fails :frowning:

curl -I https://www.gnu.org/

fails :frowning:

sudo apt remove ca-certificates
sudo apt install ca-certificates

curl -I https://www.gnu.org/

works :slight_smile:

sudo apt install certbot python3-certbot-apache

certbot --apache certonly -w /path/to/docroot/ -d subdomain.example.com

works :slight_smile:

All is cool again. Probably the last server update a fortnight ago messed up things. Dunno.

3 Likes

Ah, thanks, good to know. Looks like there has something changed with these ca-certificates.

There are a lot of problems with some intermediate certificates, Ryan Sleevi (Google, 2020-07-01):

https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg13493.html

These are created with the

Enhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), OCSP Signing (1.3.6.1.5.5.7.3.9)

That's wrong, typical intermediate certificates aren't allowed "OCSP Signing".

A lot of certificates must be renewed (microsoft.com etc.) - https://check-your-website.server-daten.de/?q=microsoft.com#certificates

The "CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE" has signed these intermediate certificates with a long duration.

May be new root or new intermediate certificates are deployed.

2 Likes

Thank you for providing some context! Thank make things or why they happen, easier to comprehend.

Admittedly I read the German language article Zwischenzertifikate von Tausenden Webseiten fehlerhaft two days ago, but was not smart enough to make the connection. Anyhow it is good to see that things are being worked on swiftly.

2 Likes

Yep, that's my source.

PS: Hanno Böck is a forum member - @hannob

2 Likes

I would have been surprised if he was not. I am subscribed to his websites feed for ages (dating back to our “good old CAcert days”) :). That’s how I have a faint idea of what is going on out there.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.