Ubuntu 14.04 - SSLError: [Errno bad handshake]

I am following the guide to use certbot with nginx to set up a certificate, but I get the following error:

sudo certbot --nginx certonly

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel):email@email.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
An unexpected error occurred:
SSLError: [Errno bad handshake]
Please see the logfiles in /var/log/letsencrypt for more details.

The log has the following:

2017-07-04 10:29:25,841:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7fdebb581610> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7fdebb581610>
2017-07-04 10:29:29,006:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-07-04 10:29:29,008:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-07-04 10:29:29,020:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==0.14.2’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 742, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 666, in certonly
le_client = _init_le_client(config, auth, installer)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 382, in _init_le_client
acc, acme = _determine_account(config)
File “/usr/lib/python2.7/dist-packages/certbot/main.py”, line 367, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 158, in register
acme = acme_from_config_key(config, key)
File “/usr/lib/python2.7/dist-packages/certbot/client.py”, line 44, in acme_from_config_key
return acme_client.Client(config.server, key=key, net=net)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 71, in init
self.net.get(directory).json())
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 646, in get
self._send_request(‘GET’, url, **kwargs), content_type=content_type)
File “/usr/lib/python2.7/dist-packages/acme/client.py”, line 619, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File “/usr/local/lib/python2.7/dist-packages/requests/sessions.py”, line 335, in request
resp = self.send(prep, **send_kwargs)
File “/usr/local/lib/python2.7/dist-packages/requests/sessions.py”, line 438, in send
r = adapter.send(request, **kwargs)
File “/usr/local/lib/python2.7/dist-packages/requests/adapters.py”, line 331, in send
raise SSLError(e)
SSLError: [Errno bad handshake]

If I open python and do it manually, it works, so it seems that the version distributed with certbot is broken:

python

Python 2.7.6 (default, Oct 26 2016, 20:30:19)
[GCC 4.8.4] on linux2
Type “help”, “copyright”, “credits” or “license” for more information.

import requests
requests.get(‘https://acme-v01.api.letsencrypt.org’)
<Response [200]>

OpenSSL seems to be willing to connect properly:

openssl s_client -connect acme-v01.api.letsencrypt.org:443

CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = TrustID Server, CN = TrustID Server CA A52
verify return:1
depth=0 CN = *.api.letsencrypt.org, O = INTERNET SECURITY RESEARCH GROUP, L = Mountain View, ST = California, C = US
verify return:1

Certificate chain
0 s:/CN=*.api.letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
i:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
1 s:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
i:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
2 s:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
-----BEGIN CERTIFICATE-----
MIIHDzCCBfegAwIBAgIQfwAAAQAAAU4w1QtkQskueDANBgkqhkiG9w0BAQsFADBa
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MRcwFQYDVQQLEw5UcnVz
dElEIFNlcnZlcjEeMBwGA1UEAxMVVHJ1c3RJRCBTZXJ2ZXIgQ0EgQTUyMB4XDTE1
MDYyNjE3MDU0NVoXDTE4MDYyNTE3MDU0NVowgYUxHjAcBgNVBAMTFSouYXBpLmxl
dHNlbmNyeXB0Lm9yZzEpMCcGA1UEChMgSU5URVJORVQgU0VDVVJJVFkgUkVTRUFS
Q0ggR1JPVVAxFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxEzARBgNVBAgTCkNhbGlm
b3JuaWExCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAlkLBpvVuOTZrpaPkzmAx+5OcK6gffKPon8E6ktJmNsjfrh3ATdgKt121ccD+
7I3gBcZu5euG1ldynO/wx29oeGhBiiWx9Bkm1brFKDLvH56ztO29xEo5ZQnxV7w0
25NvjBca5J2tRiAIjcdjMITE1usp5rrNLNM2LIs1RutP7bexvuNv2dGyJ0uNIWI4
Ym2Tt5rnUTx7Vsz0M4nz2i6sSB9ajrSa1h4hFrZYqIU/zpl20f7So8oZDYCZN4WY
xYgbUuEneWxFigElkJbNk0UeVN26tdMGHdIWCabgoZSy80X+pFvxCgdbLQzS0LXQ
orqkGsMYO0+fjjmLj0742IHYswIDAQABo4IDozCCA58wDgYDVR0PAQH/BAQDAgWg
MIICJwYDVR0gBIICHjCCAhowggELBgpghkgBhvkvAAYDMIH8MEAGCCsGAQUFBwIB
FjRodHRwczovL3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xp
Y3kvdHMvMIG3BggrBgEFBQcCAjCBqhqBp1RoaXMgVHJ1c3RJRCBTZXJ2ZXIgQ2Vy
dGlmaWNhdGUgaGFzIGJlZW4gaXNzdWVkIGluIGFjY29yZGFuY2Ugd2l0aCBJZGVu
VHJ1c3QncyBUcnVzdElEIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRw
czovL3NlY3VyZS5pZGVudHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMv
MIIBBwYGZ4EMAQICMIH8MEAGCCsGAQUFBwIBFjRodHRwczovL3NlY3VyZS5pZGVu
dHJ1c3QuY29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvMIG3BggrBgEFBQcCAjCB
qhqBp1RoaXMgVHJ1c3RJRCBTZXJ2ZXIgQ2VydGlmaWNhdGUgaGFzIGJlZW4gaXNz
dWVkIGluIGFjY29yZGFuY2Ugd2l0aCBJZGVuVHJ1c3QncyBUcnVzdElEIENlcnRp
ZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL3NlY3VyZS5pZGVudHJ1c3Qu
Y29tL2NlcnRpZmljYXRlcy9wb2xpY3kvdHMvMB0GA1UdDgQWBBQvAQatcXq62MSt
v2WLHPKwErqzgDBFBgNVHR8EPjA8MDqgOKA2hjRodHRwOi8vdmFsaWRhdGlvbi5p
ZGVudHJ1c3QuY29tL2NybC90cnVzdGlkY2FhNTIuY3JsMIGEBggrBgEFBQcBAQR4
MHYwMAYIKwYBBQUHMAGGJGh0dHA6Ly9jb21tZXJjaWFsLm9jc3AuaWRlbnRydXN0
LmNvbTBCBggrBgEFBQcwAoY2aHR0cDovL3ZhbGlkYXRpb24uaWRlbnRydXN0LmNv
bS9jZXJ0cy90cnVzdGlkY2FhNTIucDdjMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAfBgNVHSMEGDAWgBSiViQ80NQVuei/eKMTEFhILhZU4TA1BgNVHREE
LjAsghUqLmFwaS5sZXRzZW5jcnlwdC5vcmeCE2FwaS5sZXRzZW5jcnlwdC5vcmcw
DQYJKoZIhvcNAQELBQADggEBAIgV29HRYYk2RfrkE6KOeAT6K3AJsKgNe+i9Pdo7
YLdiDGMv/kKyyTNsq4l8IEaY1kw3aqkyT44D8vp6yGbbNl1uAE4VnaPeChLOBK0G
xz3CjtoZPqLxmieft8jybIVWZKZlIIsZrSMaEvrmRTGYartBSuxqOzIjCNxvkkRt
MYDNYRhiy6NPMtA0kpDQCN6tOggXdCm19kmzKI8pUvQGCnGscXJvlQIeaZva0GWf
UOuPael/zohUUsm2lJowlIli939RdxUal0hwv8tD12qAyZAF2/+4y61ds4svGD9B
ukNnsAzS3EXNqq5qWFqRQyiTZfCcjaXEdtySyNAUiM6eFTY=
-----END CERTIFICATE-----
subject=/CN=*.api.letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
issuer=/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5917 bytes and written 401 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: FA021CC4D23A00FCC90A5C7A0390A83FAB2F1C6CF17BA9D53E4387681311D084
Session-ID-ctx:
Master-Key: 4CD7B1F7E85C8458F0D77564964D15A892C449CF1B50A22BF0E44549612B9E209E66CAA128DAB210766B3A24506799D2
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 00 00 03 d5 1c a3 7f ee-f1 69 58 ef a5 40 44 53 …iX…@DS
0010 - b0 a6 e7 69 42 1f 75 d9-2a fa 71 05 47 67 bc dd …iB.u.*.q.Gg…
0020 - e9 30 ca b9 98 7e b8 5f-8f 1c 2a 7a 1e e8 dd b1 .0…~._…*z…
0030 - 83 d6 70 32 90 ca 2a 45-2a 0e e7 58 d5 2d a4 45 …p2…E…X.-.E
0040 - 5f 01 cc 7c 04 c8 72 fb-85 f4 14 0c 32 66 cc 64 _…|…r…2f.d
0050 - 06 e9 52 75 bd 25 c3 3b-e5 1f 3d df 77 63 c7 66 …Ru.%.;…=.wc.f
0060 - 44 a3 bd 37 75 9d 98 6f-23 70 0e 56 fe df 33 73 D…7u…o#p.V…3s
0070 - 11 bd f3 ff ee a8 47 80-2c 1c a4 d8 ae a9 25 a8 …G.,…%.
0080 - 48 90 d0 be d8 34 a5 5a-47 e4 4f 13 d5 00 27 bd H…4.ZG.O…’.
0090 - b0 27 db 9f 3b 93 69 5c-c7 be fa 6a 0c ab 1e 50 .’…;.i…j…P

Start Time: 1499164058
Timeout   : 300 (sec)
Verify return code: 0 (ok)

What do I do? :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.