Urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]

tengri · March 1, 2019, 10:32am

Hey. The certificate has not been updated automatically. Attempting a manual update gave this error:

/usr/share/univention-letsencrypt/setup-letsencrypt

run-parts: executing /etc/univention/letsencrypt/setup.d//apache2
Setting apache2/ssl/certificatechain
Setting apache2/ssl/certificate
Setting apache2/ssl/key
Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php
Multifile: /etc/apache2/sites-available/default-ssl.conf
run-parts: executing /etc/univention/letsencrypt/setup.d//dovecot
run-parts: executing /etc/univention/letsencrypt/setup.d//postfix
Пт мар 1 13:00:53 MSK 2019
Refreshing certificate for following domains:
04.vpn.rozkrolik.ru
Parsing account key…
Parsing CSR…
Registering account…
Traceback (most recent call last):
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 198, in
main(sys.argv[1:])
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 85, in get_crt
“agreement”: json.loads(urlopen(CA + “/directory”).read().decode(‘utf8’))[‘meta’][‘terms-of-service’],
File “/usr/lib/python2.7/urllib2.py”, line 154, in urlopen
return opener.open(url, data, timeout)
File “/usr/lib/python2.7/urllib2.py”, line 429, in open
response = self._open(req, data)
File “/usr/lib/python2.7/urllib2.py”, line 447, in _open
‘_open’, req)
File “/usr/lib/python2.7/urllib2.py”, line 407, in _call_chain
result = func(*args)
File “/usr/lib/python2.7/urllib2.py”, line 1241, in https_open
context=self._context)
File “/usr/lib/python2.7/urllib2.py”, line 1198, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status

_az · March 1, 2019, 10:34am

What happens if you run:

curl -X GET -I https://acme-v02.api.letsencrypt.org/directory

And are you passing --ca to the program (maybe from /usr/share/univention-letsencrypt/setup-letsencrypt)?

tengri1 · March 1, 2019, 10:54am

hello
root@ucs:/etc/ssl# curl -X GET -I https://acme-v02.api.letsencrypt.org/directory
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 01 Mar 2019 10:48:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Mar 2019 10:48:05 GMT
Connection: keep-alive

tengri1 · March 1, 2019, 11:48am

sorry
solution:

update-ca-certificates
service apache2 restart

tengri · March 1, 2019, 1:23pm

root@ucs:/etc/ssl# curl -X GET -I https://acme-v02.api.letsencrypt.org/directory
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Fri, 01 Mar 2019 10:48:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 01 Mar 2019 10:48:05 GMT
Connection: keep-alive

system · March 31, 2019, 1:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.