#1 2021-10-07 06:21:20

Morta
Member
Registered: 2019-07-07
Posts: 101

[solved]Certbot ssl error

I asked in the letsencrypt community but no success, so I try here!

https://community.letsencrypt.org/t/ssl … /162292/10

I got this error

 sudo certbot --apache

It produced this output:

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))

Anyone a clue?

Last edited by Morta (2021-10-09 14:08:47)

Offline

#2 2021-10-07 06:28:13

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,236
Website

Re: [solved]Certbot ssl error

Either the TLS certificate of said site is invalid, or, more likely, your local machine has an incorrect date and/or time set.

Offline

#3 2021-10-07 07:00:43

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

schard wrote:

Either the TLS certificate of said site is invalid, or, more likely, your local machine has an incorrect date and/or time set.

Ok, but that the cert of letsencrypt is invalid is impossible?! And I have to set the time with

timedatectl and afterwards should work?

I set the correct time but no effect

[root@5erver httpd]# hwclock --show
2021-10-07 09:15:55.354695+02:00

Why +02:00? I thought Europe/Zurich is GMT +1?! Anyway the time is now correct.

Last edited by Morta (2021-10-07 07:18:56)

Offline

#4 2021-10-07 07:43:24

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

/etc/ssl/certs/ISRG_Root_X1.1.pem looks good, but /etc/ssl/certs/ISRG_Root_X1.pem is dated (probably could not be replaced, causing the .1 version to come to existence).
They're supposed to be symlinks, so also check /etc/ca-certificates/extracted/

Offline

#5 2021-10-07 08:03:35

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

/etc/ssl/certs/ISRG_Root_X1.1.pem looks good, but /etc/ssl/certs/ISRG_Root_X1.pem is dated (probably could not be replaced, causing the .1 version to come to existence).
They're supposed to be symlinks, so also check /etc/ca-certificates/extracted/


Ok, so I have to delete ISRG_Root_X1.pem? I will check /etc/ca-certificates/extracted/ and then delete it too, and it should work again afterwards?

Offline

#6 2021-10-07 08:07:50

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

"Move it away" and replace it w/ ISRG_Root_X1.1.pem
But because they're supposed to be symlinks, you want to re-link those (check /etc/ca-certificates/extracted/, move away the one the bad ISRG_Root_X1.pem links to, make sure the good one is /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem and that /etc/ssl/certs/ISRG_Root_X1.pem links there). Move away all supposedly bad versions of ISRG_Root_X1

Offline

#7 2021-10-07 08:21:56

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

"Move it away" and replace it w/ ISRG_Root_X1.1.pem
But because they're supposed to be symlinks, you want to re-link those (check /etc/ca-certificates/extracted/, move away the one the bad ISRG_Root_X1.pem links to, make sure the good one is /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem and that /etc/ssl/certs/ISRG_Root_X1.pem links there). Move away all supposedly bad versions of ISRG_Root_X1

Ok, I will give it a try in the afternoon

Offline

#8 2021-10-07 14:56:55

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

Ok, what I did.

rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
rm /etc/ssl/certs/ISRG_Root_X1.pem

mv /etc/ssl/cets/ISRG_Root_X1.1.pem ISRG_Root_X1.pem
ln -sf /etc/ssl/certs/ISRG_Root_X1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem

rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.1.pem


It's correct?

Last edited by Morta (2021-10-07 14:57:27)

Offline

#9 2021-10-07 15:09:38

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

No?

rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
rm /etc/ssl/certs/ISRG_Root_X1.pem

You -probably- removed the bad cert and its symlink in /etc/ssl/certs/ · Ok

mv /etc/ssl/cets/ISRG_Root_X1.1.pem ISRG_Root_X1.pem

You moved the symlink to the - probably - good cert … "somewhere"? (In what $PWD did you run that?) · fishy

ln -sf /etc/ssl/certs/ISRG_Root_X1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem

You created a dead symlink to the file you removed in the first segment · redeemable

rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.1.pem

You removed the - probably - good certificate from /etc/ca-certificates/extracted/cadir/ · why and wtf?

So where's the good certificate and why did you not *move* the bad ones away (preserving them)?

Try to run

sudo /usr/bin/update-ca-trust

Offline

#10 2021-10-07 16:23:51

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

No?

rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
rm /etc/ssl/certs/ISRG_Root_X1.pem

You -probably- removed the bad cert and its symlink in /etc/ssl/certs/ · Ok

mv /etc/ssl/cets/ISRG_Root_X1.1.pem ISRG_Root_X1.pem

You moved the symlink to the - probably - good cert … "somewhere"? (In what $PWD did you run that?) · fishy

ln -sf /etc/ssl/certs/ISRG_Root_X1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem

You created a dead symlink to the file you removed in the first segment · redeemable

rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.1.pem

You removed the - probably - good certificate from /etc/ca-certificates/extracted/cadir/ · why and wtf?

So where's the good certificate and why did you not *move* the bad ones away (preserving them)?

Try to run

sudo /usr/bin/update-ca-trust

Ok, I misunderstood something.

The "real" cert is located in /etc/ca-certificates/extracted/cadir/ ?

I have again two certs in /etc/ca-certificates/extracted/cadir/ and /etc/ssl/certs

So I have to do it

rm /etc/ssl/certs/ISRG_Root_X1.pem
rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem

mv /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
ln -sf /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem /etc/ssl/certs/ISRG_Root_X1.pem

And why is ISRG_Root_X1.1.pem coming again? I deleted it!

Offline

#11 2021-10-07 16:27:56

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

Did you run "/usr/bin/update-ca-trust"?

pacman -Qikk ca-certificates-mozilla

The "real" cert is located in /etc/ca-certificates/extracted/cadir/ ?

Since my magic 8-ball is broken, you'll have to provide that info…

stat /etc/ca-certificates/extracted/cadir/ISRG_Root_X1* /etc/ssl/certs/ISRG_Root_X1*
openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -text
openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.1.pem -noout -text

Offline

#12 2021-10-07 16:31:41

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

Did you run "/usr/bin/update-ca-trust"?

pacman -Qikk ca-certificates-mozilla

The "real" cert is located in /etc/ca-certificates/extracted/cadir/ ?

Since my magic 8-ball is broken, you'll have to provide that info…

stat /etc/ca-certificates/extracted/cadir/ISRG_Root_X1* /etc/ssl/certs/ISRG_Root_X1*

[code]

[morta@lapt0p ~]$ stat /etc/ca-certificates/extracted/cadir/ISRG_Root_X1* /etc/ssl/certs/ISRG_Root_X1*
 Datei: /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
 Größe: 1939      	Blöcke: 8          EA Block: 4096   reguläre Datei
Device: 254,2	Inode: 5243353     Links: 1
Zugriff: (0444/-r--r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff: 2021-10-06 17:58:50.766441789 +0200
Modifiziert: 2021-10-05 17:22:14.299621595 +0200
Geändert: 2021-10-05 17:22:14.299621595 +0200
Geburt: 2021-10-05 17:22:14.299621595 +0200
 Datei: /etc/ssl/certs/ISRG_Root_X1.pem -> ../../ca-certificates/extracted/cadir/ISRG_Root_X1.pem
 Größe: 54        	Blöcke: 0          EA Block: 4096   symbolische Verknüpfung
Device: 254,2	Inode: 5243734     Links: 1
Zugriff: (0777/lrwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Zugriff: 2021-10-06 17:58:50.699775123 +0200
Modifiziert: 2021-10-05 17:22:14.486289255 +0200
Geändert: 2021-10-05 17:22:14.486289255 +0200
Geburt: 2021-10-05 17:22:14.486289255 +0200

[/code]

openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -text

[code]
openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
    Signature Algorithm: sha256WithRSAEncryption

[/code]

openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.1.pem -noout -text

[code]
[morta@lapt0p ~]$ openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.1.pem -noout -text
Can't open /etc/ssl/certs/ISRG_Root_X1.1.pem for reading, No such file or directory
140495822062976:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/ssl/certs/ISRG_Root_X1.1.pem','r')
140495822062976:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load certificate
[/code]
[morta@lapt0p ~]$ sudo pacman -Qikk ca-certificates-mozilla
[sudo] Passwort für morta: 
Name                     : ca-certificates-mozilla
Version                  : 3.71-1
Beschreibung             : Mozilla's set of trusted CA certificates
Architektur              : x86_64
URL                      : https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
Lizenzen                 : MPL  GPL
Gruppen                  : Nichts
Stellt bereit            : Nichts
Hängt ab von             : ca-certificates-utils>=20181109-3
Optionale Abhängigkeiten : Nichts
Benötigt von             : ca-certificates
Optional für             : Nichts
In Konflikt mit          : Nichts
Ersetzt                  : Nichts
Installationsgröße       : 934,78 KiB
Packer                   : Jan Alexander Steffens (heftig)
                           <heftig@archlinux.org>
Erstellt am              : Fr 01 Okt 2021 20:00:58 CEST
Installiert am           : Di 05 Okt 2021 17:22:04 CEST
Installationsgrund       : Installiert als Abhängigkeit eines anderen Pakets
Installations-Skript     : Nein
Verifiziert durch        : Signatur

ca-certificates-mozilla: 5 Dateien gesamt, 0 veränderte Dateien

Yes, I run update-ca-trust

So the real cert is /etc/ssl/certs...

Last edited by Morta (2021-10-07 16:34:21)

Offline

#13 2021-10-07 16:33:45

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

There doesn't seem to be a second cert now and the one that is there has the proper expiration date (in 2035)
=> the issue should™ be gone?

Edit, no /etc/ssl/certs/ISRG_Root_X1.pem is a symlink (as it's supposed to be):

/etc/ssl/certs/ISRG_Root_X1.pem -> ../../ca-certificates/extracted/cadir/ISRG_Root_X1.pem

Last edited by seth (2021-10-07 16:34:47)

Offline

#14 2021-10-07 16:44:41

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

There doesn't seem to be a second cert now and the one that is there has the proper expiration date (in 2035)
=> the issue should™ be gone?

Edit, no /etc/ssl/certs/ISRG_Root_X1.pem is a symlink (as it's supposed to be):

/etc/ssl/certs/ISRG_Root_X1.pem -> ../../ca-certificates/extracted/cadir/ISRG_Root_X1.pem

Sorry, I made an error...

Here the proper one

[morta@5erver certs]$ sudo update-ca-trust
[morta@5erver certs]$ openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Authority Information Access: 
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier: 
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
    Signature Algorithm: sha256WithRSAEncryption
[morta@5erver certs]$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[morta@5erver certs]$ 

Still the error but the cert is valid till 2024

Offline
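
Added example (not written by anyone in the thread): the outputs in #12 and #14 differ in the Issuer line, and a file at the ISRG_Root_X1.pem path whose Issuer is not its Subject is not a self-signed root, so its own Not After date does not decide whether verification succeeds. The script below reads `openssl x509 -noout -text` output and reports that distinction; the function names and the two trimmed sample strings are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Classifies the text form of ONE
# certificate as printed by `openssl x509 -in FILE -noout -text`.

# Constructed samples: the Issuer/Validity/Subject lines copied from the
# outputs in posts #12 and #14, trimmed to the lines the parser reads.
SAMPLE_POST12='        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1'

SAMPLE_POST14='        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1'

# classify_cert_text [NOW]
#   stdin : `openssl x509 -noout -text` output for one certificate
#   NOW   : reference time in UTC as YYYYmmddHHMMSS (default: current time)
#   stdout: <kind> <status> notAfter=<YYYYmmddHHMMSS> issuer="<DN>"
#           kind   = self-signed      (Issuer == Subject, a root)
#                  | issued-by-other  (Issuer != Subject, e.g. cross-signed)
#           status = unexpired | expired  (this certificate's own Not After)
#   Prints "unparseable" and returns 2 if a field is missing.
classify_cert_text() {
    awk -v now="${1:-$(date -u +%Y%m%d%H%M%S)}" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        # "CA Issuers - URI:" and "Subject Public Key Info:" do not match these.
        /^ *Issuer: /  && !issuer  { sub(/^ *Issuer: /, "");  issuer  = $0 }
        /^ *Subject: / && !subject { sub(/^ *Subject: /, ""); subject = $0 }
        /^ *Not After *: / {
            sub(/^ *Not After *: /, "")
            # "Sep 30 18:14:03 2024 GMT" -> 20240930181403 (sortable as text)
            split($0, d, " "); split(d[3], t, ":")
            not_after = sprintf("%04d%02d%02d%02d%02d%02d",
                                d[4], mon[d[1]], d[2], t[1], t[2], t[3])
        }
        END {
            if (issuer == "" || subject == "" || not_after == "") {
                print "unparseable"; exit 2
            }
            kind   = (issuer == subject) ? "self-signed" : "issued-by-other"
            status = ((not_after "") < (now "")) ? "expired" : "unexpired"
            printf "%s %s notAfter=%s issuer=\"%s\"\n", kind, status, not_after, issuer
        }'
}

# check_cert_files FILE...
#   Runs the classifier over real files. A path that does not resolve is
#   reported instead of being passed to openssl, which also catches a
#   symlink whose target was removed.
check_cert_files() {
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf '%s: missing or dangling symlink\n' "$f"
            continue
        fi
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -text 2>/dev/null | classify_cert_text
    done
}

# Usage on a live system, with the paths from the stat command in #11:
#   check_cert_files /etc/ca-certificates/extracted/cadir/ISRG_Root_X1* \
#                    /etc/ssl/certs/ISRG_Root_X1*
# An "issued-by-other unexpired" result means the next thing to check is the
# issuer named on that line (DST Root CA X3 itself expired on 2021-09-30).
```
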

#15 2021-10-07 19:05:59

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

certbot wrote:

See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Offline

#16 2021-10-08 09:58:00

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:
certbot wrote:

See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

morta@5erver ~]$ cat /var/log/letsencrypt/letsencrypt.log or
cat: /var/log/letsencrypt/letsencrypt.log: Keine Berechtigung
cat: or: Datei oder Verzeichnis nicht gefunden
[morta@5erver ~]$ sudo cat /var/log/letsencrypt/letsencrypt.log 
2021-10-08 11:52:26,137:DEBUG:certbot._internal.main:certbot version: 1.19.0
2021-10-08 11:52:26,138:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-10-08 11:52:26,138:DEBUG:certbot._internal.main:Arguments: ['-v']
2021-10-08 11:52:26,138:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-10-08 11:52:26,156:DEBUG:certbot._internal.log:Root logging level set at 20
2021-10-08 11:52:26,156:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2021-10-08 11:52:26,221:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.50
2021-10-08 11:52:26,455:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_arch.ArchConfigurator object at 0x7f3706d58b80>
Prep: True
2021-10-08 11:52:26,455:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_arch.ArchConfigurator object at 0x7f3706d58b80> and installer <certbot_apache._internal.override_arch.ArchConfigurator object at 0x7f3706d58b80>
2021-10-08 11:52:26,455:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-10-08 11:52:26,459:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/113582268', new_authzr_uri=None, terms_of_service=None), b5ac80215db8a16197e4d6cdb993bf7d, Meta(creation_dt=datetime.datetime(2021, 2, 22, 17, 48, 3, tzinfo=<UTC>), creation_host='5erver.localdomain', register_to_eff=None))>
2021-10-08 11:52:26,460:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-10-08 11:52:26,461:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-10-08 11:52:26,814:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.19.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3.9/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1572, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1278, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 768, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 262, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 44, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 840, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 1194, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3.9/site-packages/acme/client.py", line 1133, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
2021-10-08 11:52:26,821:ERROR:certbot._internal.log:An unexpected error occurred:
2021-10-08 11:52:26,821:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
[morta@5erver ~]$ 

It's like Chinese for me... Any help?

Offline

#17 2021-10-08 13:38:44

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

Can I uninstall all certs and reinstall certbot? And see if it works...

How do I remove all certs and reinstall it?

Offline

#18 2021-10-08 14:41:15

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

Did you restart apache (or reboot) after fixing the certs?

Offline

#19 2021-10-08 16:17:05

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

Did you restart apache (or reboot) after fixing the certs?

A wonder certbot working again :-)


Thank you very much. Can I spend somewhere a little amount for your server costs?

Offline

#20 2021-10-08 19:29:26

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

I guess archlinux will happily accept donations at https://archlinux.org/donate/ - I do this for my personal entertainment only ;-)

Offline

#21 2021-10-08 20:22:20

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

I guess archlinux will happily accept donations at https://archlinux.org/donate/ - I do this for my personal entertainment only ;-)

I did it ;-) but unfortunately the error is coming again. Can I remove all certs from the system and reinstall it?

And after reboot an ISRG_Root_X1.1.pem is there again...

Last edited by Morta (2021-10-08 20:24:42)

Offline

#22 2021-10-08 20:27:35

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

The error is coming again "with that file"?
----
Edit: "yes"…
----
You should figure out where the bogus certificate comes from, typically they're built from /usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit but that seems to be fine according to #12
Also it should™ not be rebuilt all the time w/o updates of the relevant packages.

So if that file shows up again it has to come from somewhere, you could audit it to (hopefully) log what creates it.
https://wiki.archlinux.org/title/Audit_ … ies_access

Maybe you can recall setting up sth. else regarding your certificates?

Last edited by seth (2021-10-08 20:27:59)

Offline

#23 2021-10-08 21:10:44

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:

The error is coming again "with that file"?
----
Edit: "yes"…
----
You should figure out where the bogus certificate comes from, typically they're built from /usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit but that seems to be fine according to #12
Also it should™ not be rebuilt all the time w/o updates of the relevant packages.

So if that file shows up again it has to come from somewhere, you could audit it to (hopefully) log what creates it.
https://wiki.archlinux.org/title/Audit_ … ies_access

Maybe you can recall setting up sth. else regarding your certificates?

I see the whole thing is going to be more complex than I hoped. So I will try tomorrow to log this annoying error.

I hope for an update of the responsible packages

Offline

#24 2021-10-08 21:21:00

seth
Member
Registered: 2012-09-03
Posts: 24,049

Re: [solved]Certbot ssl error

ls -R /usr/share/p11-kit/modules/ /{etc,usr/share}/ca-certificates/trust-source

Offline

#25 2021-10-09 04:30:46

Morta
Member
Registered: 2019-07-07
Posts: 101

Re: [solved]Certbot ssl error

seth wrote:
ls -R /usr/share/p11-kit/modules/ /{etc,usr/share}/ca-certificates/trust-source
[root@5erver certs]# ls -R /usr/share/p11-kit/modules/ /{etc,usr/share}/ca-certificates/trust-source
/etc/ca-certificates/trust-source:
anchors  blocklist  free-vpn.it.p11-kit  ISRG_Root_X1.p11-kit  R3.p11-kit

/etc/ca-certificates/trust-source/anchors:
localhost.pem

/etc/ca-certificates/trust-source/blocklist:

/usr/share/ca-certificates/trust-source:
anchors  blocklist  mozilla.trust.p11-kit

/usr/share/ca-certificates/trust-source/anchors:

/usr/share/ca-certificates/trust-source/blocklist:

/usr/share/p11-kit/modules/:
p11-kit-trust.module

Last edited by Morta (2021-10-09 09:00:10)

Offline
