Unable to generate certificate for renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Certificate due to expire in 5 days.

command:

PYTHONPATH="/usr/lib/python2.7/site-packages/:/usr/lib/oracle-cloud-agent/" certbot certonly --manual --preferred-challenges=dns --email --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *******

It produced this output:
Plugins selected: Authenticator manual, Installer None
From cffi callback <function _verify_callback at 0x7fdb77b6a848>:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/OpenSSL/SSL.py", line 309, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
An unexpected error occurred:
ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

I can login to a root shell on my machine (yes or no, or I don’t know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.35.1

1 Like
getent ahosts acme-v02.api.letsencrypt.org
curl -vI https://acme-v02.api.letsencrypt.org
1 Like

getent output:
172.65.32.248 STREAM acme-v02.api.letsencrypt.org
172.65.32.248 DGRAM
172.65.32.248 RAW
The curl command works fine.
Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0) and
HTTP/1.1 200 OK

1 Like

Oops, it appears that I missed the important part of the error:

AttributeError: 'module' object has no attribute 'X509_up_ref'

What operating system (RHEL?) and version are you using, and where did you install Certbot from?

Looking around, this seems to be because the wrong version of pyOpenSSL or cryptography is being used.

2 Likes

Hi,

I am using Oracle Linux 7.6, and I have installed the certbot.noarch (0.35.1-1.el7) package from ol7_developer_EPEL.

The most recent version packaged in Oracle 7 EPEL is 1.3.0. Probably worth upgrading, might solve your problems as a side-effect.

Otherwise I'd try forcing a reinstall of pyOpenSSL and python2-cryptography. I was able to get 0.35.1-1 from that repo working with:

pyOpenSSL-0.13.1-4.el7.x86_64
python2-cryptography-1.7.2-2.el7.x86_64
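
A diagnostic for the version-mismatch theory in this thread, as an added example that is not part of any post: it lists every copy of OpenSSL (pyOpenSSL) and cryptography along the import path in the order Python searches it, then checks whether the loaded binding exposes X509_up_ref. The function names `find_copies` and `binding_report` are made up for this example.

```python
from __future__ import print_function
import importlib
import os
import sys

EXTENSIONS = (".py", ".pyc", ".so", ".pyd")


def find_copies(module_name, search_path):
    """Directories on search_path that hold module_name, in import order.

    The first entry is the copy Python imports; the rest are shadowed.
    """
    hits, seen = [], set()
    for entry in search_path:
        real = os.path.realpath(entry or ".")  # "" on sys.path means the cwd
        if real in seen or not os.path.isdir(real):
            continue  # duplicates, missing dirs and zipped eggs are skipped
        seen.add(real)
        package = os.path.isfile(os.path.join(real, module_name, "__init__.py"))
        try:
            names = os.listdir(real)
        except OSError:
            names = []  # unreadable directory: cannot hold an importable copy
        module = any(n.split(".")[0] == module_name and n.endswith(EXTENSIONS)
                     for n in names)
        if package or module:
            hits.append(real)
    return hits


def binding_report():
    """Version and file of the loaded modules, plus the X509_up_ref probe."""
    report = {}
    for name in ("OpenSSL", "cryptography"):
        try:
            mod = importlib.import_module(name)
            report[name] = (getattr(mod, "__version__", "unknown"),
                            getattr(mod, "__file__", None))
        except Exception as exc:  # a mismatched install can fail in many ways
            report[name] = ("import failed: %r" % (exc,), None)
    try:
        lib = importlib.import_module("OpenSSL._util").lib
        report["X509_up_ref"] = hasattr(lib, "X509_up_ref")
    except Exception:
        report["X509_up_ref"] = None  # no cffi-based pyOpenSSL could be loaded
    return report


if __name__ == "__main__":
    for name in ("OpenSSL", "cryptography"):
        print(name, "->", find_copies(name, sys.path))
    print(binding_report())
```

Run it with the same PYTHONPATH as the failing certbot command so that sys.path matches. More than one directory listed for a module, or `X509_up_ref: False`, points at the copy to reinstall or remove.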
