Unable to generate certificate for renewal

Smriti · May 29, 2020, 7:42am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Certificate due to expire in 5 days.

command:

PYTHONPATH="/usr/lib/python2.7/site-packages/:/usr/lib/oracle-cloud-agent/" certbot certonly --manual --preferred-challenges=dns --email --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *******

It produced this output:
Plugins selected: Authenticator manual, Installer None
From cffi callback <function _verify_callback at 0x7fdb77b6a848>:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/OpenSSL/SSL.py”, line 309, in wrapper
_lib.X509_up_ref(x509)
AttributeError: ‘module’ object has no attribute ‘X509_up_ref’
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host=‘acme-v02.api.letsencrypt.org’, port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(“bad handshake: Error([(‘SSL routines’, ‘ssl3_get_server_certificate’, ‘certificate verify failed’)],)”,),))

I can login to a root shell on my machine (yes or no, or I don’t know):yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.35.1

_az · May 29, 2020, 7:52am

getent ahosts acme-v02.api.letsencrypt.org
curl -vI https://acme-v02.api.letsencrypt.org

Smriti · May 29, 2020, 9:00am

getent output :
172.65.32.248 STREAM acme-v02.api.letsencrypt.org
172.65.32.248 DGRAM
172.65.32.248 RAW
curl commands works fine .
Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0) and
HTTP/1.1 200 OK

_az · May 29, 2020, 10:19pm

Oops, it appears that I missed the important part of the error:

AttributeError: ‘module’ object has no attribute ‘X509_up_ref’

What operating system (RHEL?) and version are you using, and where did you install Certbot from?

Looking around, this seems to be because the wrong version of pyOpenSSL or cryptography is being used.

Smriti · June 1, 2020, 8:18am

Hi,

I am using Oracle Linux 7.6, I have installed certbot.noarch (0.35.1-1.el7) package from ol7_developer_EPEL

_az · June 1, 2020, 8:44am

The most recent version packaged in Oracle 7 EPEL is 1.3.0. Probably worth upgrading, might solve your problems as a side-effect.

Otherwise I'd try force a reinstall of pyOpenSSL and python2-cryptography. I was able to get 0.35.1-1 from that repo working with:

pyOpenSSL-0.13.1-4.el7.x86_64
python2-cryptography-1.7.2-2.el7.x86_64

system · July 1, 2020, 8:44am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to renew cert Help	1	581	January 1, 2021
SSLCertVerificationError of acme-v02.api.letsencrypt.org causes certbot renewal failure Help	37	1481	August 18, 2023
Error trying to renew certificate Help	6	520	December 23, 2022
Certbot renew error please help Help	2	632	June 12, 2022
Need help renewing a certificate Help	4	304	July 21, 2023

Unable to generate certificate for renewal

Related topics