Unknown OpenSSL error on renewal


#1

Hi… I installed Let's Encrypt successfully; it worked for 76 days… now when I issued the command to renew it I am getting the following error:

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (MYDOMAIN.com) from /etc/letsencrypt/renewal/MYDOMAIN.com.conf produced an unexpected error: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=2147893649, lib=128, func=100, reason=401, reason_text=b'error:80064191:lib(128):osrandom_init:getrandom() initialization failed with EAGAIN. Most likely Kernel CPRNG is not seeded yet.'), _OpenSSLErrorWithText(code=2147897744, lib=128, func=101, reason=400, reason_text=b'error:80065190:lib(128):osrandom_rand_bytes:getrandom() initialization failed.'), _OpenSSLErrorWithText(code=67665923, lib=4, func=136, reason=3, reason_text=b'error:04088003:rsa routines:RSA_setup_blinding:BN lib')]). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/MYDOMAIN.com/fullchain.pem (failure)

I am using Tomcat 8.5.34 on Ubuntu 16.04 LTS… Here is how I installed a fresh copy of Let's Encrypt 76 days ago:

  • installed certbot (sudo apt-get install certbot)
  • generated certs (sudo certbot certonly --standalone -d MYDOMAIN.com -d www.MYDOMAIN.com)
  • set up file permissions
  • updated certificate configuration in server.xml:

For renewal today I issued the following command:

  • STOPPED TOMCAT SERVICE
  • sudo certbot renew

How do I check if some service is using cryptography, and how do I disable it to renew my certs? Please help.


#2

I’ve never seen that error before, but taking this at face value:

Is this a newly instantiated server or VM? Maybe you just need to try again later?

I think the message about “cryptography” is referring to the Python library of that name, and is asking if Certbot is also using another library that uses OpenSSL, rather than asking if you are running other software that uses cryptography.
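The first two entries in the OpenSSL error stack quoted above come from the cryptography library's osrandom engine: getrandom() returned EAGAIN, which the Linux kernel does only while its CPRNG is not yet seeded (typical on a freshly booted VM). As an added pre-flight check, not part of this thread or of Certbot, the script below probes the same syscall without blocking and recognises that specific cause in Certbot's output, so an operator can tell "retry after the pool is seeded" apart from a genuine library conflict. It assumes Linux with Python 3.6+ (os.getrandom); the function names and the sample error text are constructed here from the post.

```python
"""Pre-flight check before `certbot renew`: is the kernel CPRNG seeded?"""
import os

# Markers from cryptography's osrandom engine that identify an unseeded
# kernel CPRNG (wording taken from the error stack quoted in the post).
_UNSEEDED_MARKERS = (
    "osrandom_init:getrandom() initialization failed with EAGAIN",
    "Kernel CPRNG is not seeded",
)

# Constructed sample: the relevant fragment of the certbot output above.
SAMPLE_CERTBOT_ERROR = (
    "error:80064191:lib(128):osrandom_init:getrandom() initialization "
    "failed with EAGAIN. Most likely Kernel CPRNG is not seeded yet."
)


def kernel_cprng_seeded():
    """True if getrandom() would succeed now, False while the kernel is
    still unseeded (EAGAIN), None if this platform has no getrandom()."""
    if not hasattr(os, "getrandom"):
        return None  # non-Linux or old Python: cannot probe this way
    try:
        # GRND_NONBLOCK makes the kernel return EAGAIN instead of blocking
        # until seeded; Python surfaces EAGAIN as BlockingIOError.
        os.getrandom(1, os.GRND_NONBLOCK)
    except BlockingIOError:
        return False
    return True


def entropy_available():
    """Kernel's entropy-pool estimate in bits, or None when unavailable."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def is_unseeded_cprng_error(certbot_output):
    """True if an 'Unknown OpenSSL error' from certbot carries the
    getrandom()/EAGAIN markers, i.e. waiting and retrying is the fix."""
    return any(m in certbot_output for m in _UNSEEDED_MARKERS)


if __name__ == "__main__":
    print("getrandom() seeded:", kernel_cprng_seeded(),
          "| entropy_avail:", entropy_available(),
          "| sample is unseeded-CPRNG error:",
          is_unseeded_cprng_error(SAMPLE_CERTBOT_ERROR))
```

A False from kernel_cprng_seeded() means any OpenSSL-backed renewal will hit the same EAGAIN until the pool is seeded; a True with the same Certbot error points at the library-conflict case the message itself describes.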


#3

Yes, it is a VM… I was afraid to issue the renew command again as something might affect my running website or current certs… after reading your reply I tried again and it worked… thanks

