I asked in the letsencrypt community but had no success, so I try here!
https://community.letsencrypt.org/t/ssl … /162292/10
I got this error
sudo certbot --apache
It produced this output:
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
Does anyone have a clue?
Last edited by Morta (2021-10-09 14:08:47)
Offline
Either the TLS certificate of said site is invalid, or, more likely, your local machine has an incorrect date and/or time set.
Offline
Ok, but that the cert of letsencrypt is invalid is impossible?! And I have to set the time with
timedatectl and afterwards it should work?
I set the correct time but it had no effect
[root@5erver httpd]# hwclock --show
2021-10-07 09:15:55.354695+02:00
Why +02:00? I thought Europe/Zurich is GMT +1?! Anyway, the time is now correct.
Last edited by Morta (2021-10-07 07:18:56)
Offline
/etc/ssl/certs/ISRG_Root_X1.1.pem looks good, but /etc/ssl/certs/ISRG_Root_X1.pem is dated (probably could not be replaced, causing the .1 version to come into existence).
They're supposed to be symlinks, so also check /etc/ca-certificates/extracted/
Online
Ok, so I have to delete ISRG_Root_X1.pem? I will check /etc/ca-certificates/extracted/ and delete them too, and it should work again afterwards?
Offline
"Move it away" and replace it w/ ISRG_Root_X1.1.pem
But because they're supposed to be symlinks, you want to re-link those (check /etc/ca-certificates/extracted/, move away the one the bad ISRG_Root_X1.pem links to, make sure the good one is /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem and that /etc/ssl/certs/ISRG_Root_X1.pem links there). Move away all supposedly bad versions of ISRG_Root_X1
Online
Ok, I will give it a try in the afternoon
Offline
Ok, what I did:
rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
rm /etc/ssl/certs/ISRG_Root_X1.pem
mv /etc/ssl/cets/ISRG_Root_X1.1.pem ISRG_Root_X1.pem
ln -sf /etc/ssl/certs/ISRG_Root_X1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.1.pem
Is it correct?
Last edited by Morta (2021-10-07 14:57:27)
Offline
No?
rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
rm /etc/ssl/certs/ISRG_Root_X1.pem
You -probably- removed the bad cert and its symlink in /etc/ssl/certs/ · Ok
mv /etc/ssl/cets/ISRG_Root_X1.1.pem ISRG_Root_X1.pem
You moved the symlink to the - probably - good cert … "somewhere"? (In what $PWD did you run that?) · fishy
ln -sf /etc/ssl/certs/ISRG_Root_X1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
You created a dead symlink to the file you removed in the first segment · redeemable
rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.1.pem
You removed the - probably - good certificate from /etc/ca-certificates/extracted/cadir/ · why and wtf?
So where's the good certificate and why did you not *move* the bad ones away (preserving them)?
Try to run
sudo /usr/bin/update-ca-trust
Online
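Added example, not part of the thread: a sandboxed replay of the posted rm/ln sequence, followed by a check for the layout described above (real file in extracted/cadir, symlink in /etc/ssl/certs). Everything happens in a constructed temporary directory with placeholder files; the function names are this example's own, and the posted `mv` is left out because its result depends on the working directory.

```python
import os
import tempfile

STEM = "ISRG_Root_X1"
CADIR = "etc/ca-certificates/extracted/cadir"
CERTS = "etc/ssl/certs"


def make_layout(root, with_dot1=False):
    """Build a constructed copy of the two directories below `root`."""
    cadir = os.path.join(root, CADIR)
    certs = os.path.join(root, CERTS)
    os.makedirs(cadir)
    os.makedirs(certs)
    names = [STEM + ".pem"] + ([STEM + ".1.pem"] if with_dot1 else [])
    for name in names:
        with open(os.path.join(cadir, name), "w") as fh:
            fh.write("placeholder, not a real certificate\n")
        # Same relative target as the healthy link shown in the thread.
        os.symlink("../../ca-certificates/extracted/cadir/" + name,
                   os.path.join(certs, name))
    return certs, cadir


def replay_posted_commands(certs, cadir):
    """Apply the posted rm / ln -sf / rm steps inside the sandbox."""
    os.remove(os.path.join(cadir, STEM + ".pem"))    # rm .../cadir/ISRG_Root_X1.pem
    os.remove(os.path.join(certs, STEM + ".pem"))    # rm /etc/ssl/certs/ISRG_Root_X1.pem
    # ln -sf <certs>/ISRG_Root_X1.pem <cadir>/ISRG_Root_X1.pem
    os.symlink(os.path.join(certs, STEM + ".pem"),
               os.path.join(cadir, STEM + ".pem"))
    os.remove(os.path.join(cadir, STEM + ".1.pem"))  # rm .../cadir/ISRG_Root_X1.1.pem


def audit_cert_links(certs, cadir, stem=STEM):
    """Return (path, finding) pairs for entries that break the expected layout."""
    findings = []
    for directory in (cadir, certs):
        for name in sorted(os.listdir(directory)):
            if not name.startswith(stem):
                continue
            path = os.path.join(directory, name)
            is_link = os.path.islink(path)
            if name != stem + ".pem":
                findings.append((path, "unexpected duplicate name"))
            if is_link and not os.path.exists(path):
                findings.append((path, "dead symlink -> " + os.readlink(path)))
            elif directory == cadir and is_link:
                findings.append((path, "symlink where the real file belongs"))
            elif directory == certs and not is_link:
                findings.append((path, "regular file where a symlink belongs"))
            elif directory == certs and os.path.realpath(path) != \
                    os.path.realpath(os.path.join(cadir, name)):
                findings.append((path, "symlink does not point into cadir"))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        certs, cadir = make_layout(root, with_dot1=True)
        replay_posted_commands(certs, cadir)
        for path, finding in audit_cert_links(certs, cadir):
            print(os.path.relpath(path, root), ":", finding)
```

Run against the real directories (read-only), `audit_cert_links("/etc/ssl/certs", "/etc/ca-certificates/extracted/cadir")` gives the same report without changing anything.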
Ok, I misunderstood something.
The "real" cert is located in /etc/ca-certificates/extracted/cadir/ ?
I have again two certs in /etc/ca-certificates/extracted/cadir/ and /etc/ssl/certs
So I have to do this:
rm /etc/ssl/certs/ISRG_Root_X1.pem
rm /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
mv /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
ln -sf /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem /etc/ssl/certs/ISRG_Root_X1.pem
And why is ISRG_Root_X1.1.pem coming back again? I deleted it!
Offline
Did you run "/usr/bin/update-ca-trust"?
pacman -Qikk ca-certificates-mozilla
The "real" cert is located in /etc/ca-certificates/extracted/cadir/ ?
Since my magic 8-ball is broken, you'll have to provide that info…
stat /etc/ca-certificates/extracted/cadir/ISRG_Root_X1* /etc/ssl/certs/ISRG_Root_X1*
openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -text
openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.1.pem -noout -text
Online
[morta@lapt0p ~]$ stat /etc/ca-certificates/extracted/cadir/ISRG_Root_X1* /etc/ssl/certs/ISRG_Root_X1*
Datei: /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem
Größe: 1939 Blöcke: 8 EA Block: 4096 reguläre Datei
Device: 254,2 Inode: 5243353 Links: 1
Zugriff: (0444/-r--r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Zugriff: 2021-10-06 17:58:50.766441789 +0200
Modifiziert: 2021-10-05 17:22:14.299621595 +0200
Geändert: 2021-10-05 17:22:14.299621595 +0200
Geburt: 2021-10-05 17:22:14.299621595 +0200
Datei: /etc/ssl/certs/ISRG_Root_X1.pem -> ../../ca-certificates/extracted/cadir/ISRG_Root_X1.pem
Größe: 54 Blöcke: 0 EA Block: 4096 symbolische Verknüpfung
Device: 254,2 Inode: 5243734 Links: 1
Zugriff: (0777/lrwxrwxrwx) Uid: ( 0/ root) Gid: ( 0/ root)
Zugriff: 2021-10-06 17:58:50.699775123 +0200
Modifiziert: 2021-10-05 17:22:14.486289255 +0200
Geändert: 2021-10-05 17:22:14.486289255 +0200
Geburt: 2021-10-05 17:22:14.486289255 +0200
openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
82:10:cf:b0:d2:40:e3:59:44:63:e0:bb:63:82:8b:00
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Jun 4 11:04:38 2015 GMT
Not After : Jun 4 11:04:38 2035 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Signature Algorithm: sha256WithRSAEncryption
[morta@lapt0p ~]$ openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.1.pem -noout -text
Can't open /etc/ssl/certs/ISRG_Root_X1.1.pem for reading, No such file or directory
140495822062976:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/ssl/certs/ISRG_Root_X1.1.pem','r')
140495822062976:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load certificate
[morta@lapt0p ~]$ sudo pacman -Qikk ca-certificates-mozilla
[sudo] Passwort für morta:
Name : ca-certificates-mozilla
Version : 3.71-1
Beschreibung : Mozilla's set of trusted CA certificates
Architektur : x86_64
URL : https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
Lizenzen : MPL GPL
Gruppen : Nichts
Stellt bereit : Nichts
Hängt ab von : ca-certificates-utils>=20181109-3
Optionale Abhängigkeiten : Nichts
Benötigt von : ca-certificates
Optional für : Nichts
In Konflikt mit : Nichts
Ersetzt : Nichts
Installationsgröße : 934,78 KiB
Packer : Jan Alexander Steffens (heftig)
<heftig@archlinux.org>
Erstellt am : Fr 01 Okt 2021 20:00:58 CEST
Installiert am : Di 05 Okt 2021 17:22:04 CEST
Installationsgrund : Installiert als Abhängigkeit eines anderen Pakets
Installations-Skript : Nein
Verifiziert durch : Signatur
ca-certificates-mozilla: 5 Dateien gesamt, 0 veränderte Dateien
Yes, I ran update-ca-trust
So the real cert is /etc/ssl/certs...
Last edited by Morta (2021-10-07 16:34:21)
Offline
There doesn't seem to be a second cert now and the one that is there has the proper expiration date (in 2035)
=> the issue should™ be gone?
Edit, no /etc/ssl/certs/ISRG_Root_X1.pem is a symlink (as it's supposed to be):
/etc/ssl/certs/ISRG_Root_X1.pem -> ../../ca-certificates/extracted/cadir/ISRG_Root_X1.pem
Last edited by seth (2021-10-07 16:34:47)
Online
Sorry, I made an error...
Here is the proper one
[morta@5erver certs]$ sudo update-ca-trust
[morta@5erver certs]$ openssl x509 -in /etc/ssl/certs/ISRG_Root_X1.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Authority Information Access:
CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
X509v3 Authority Key Identifier:
keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.root-x1.letsencrypt.org
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl
X509v3 Subject Key Identifier:
79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
Signature Algorithm: sha256WithRSAEncryption
[morta@5erver certs]$ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[morta@5erver certs]$
Still the error but the cert is valid till 2024
Offline
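Added example, not part of the thread: the two `openssl x509 -noout -text` dumps posted above share a Subject but differ in Issuer and Not After, and this sketch parses those fields to tell a self-signed root from a cross-signed copy of the same subject. The sample texts are constructed excerpts of the posted output with key and signature bytes left out; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed samples: the name and validity fields are copied from the two
# dumps posted in the thread; key and signature bytes are left out.
SELF_SIGNED_DUMP = """\
Certificate:
    Data:
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
"""
CROSS_SIGNED_DUMP = """\
Certificate:
    Data:
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
"""

FIELD = re.compile(
    r"^[ \t]*(Issuer|Subject|Not Before|Not After)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)


def parse_dump(text):
    """Pull Issuer, Subject and the validity window out of an openssl text dump."""
    fields = {}
    for name, value in FIELD.findall(text):
        fields.setdefault(name, value)  # keep the first occurrence only
    missing = {"Issuer", "Subject", "Not Before", "Not After"} - set(fields)
    if missing:
        raise ValueError("not an x509 text dump, missing: " + ", ".join(sorted(missing)))
    return fields


def parse_time(value):
    """openssl prints e.g. 'Jun  4 11:04:38 2035 GMT' (day padded with a space)."""
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def common_name(dn):
    """Return the CN of a distinguished name, or the whole DN if it has none."""
    match = re.search(r"CN\s*=\s*([^,]+)", dn)
    return match.group(1).strip() if match else dn


def classify(text, now):
    """Describe one certificate as a trust-store entry at time `now`."""
    f = parse_dump(text)
    # Name comparison only: it does not verify the signature.
    self_issued = f["Issuer"] == f["Subject"]
    return {
        "subject": common_name(f["Subject"]),
        "kind": "self-signed root" if self_issued else "cross-signed",
        # A cross-signed copy is only as good as the issuer above it.
        "depends_on": None if self_issued else common_name(f["Issuer"]),
        "not_after": parse_time(f["Not After"]),
        "in_validity": parse_time(f["Not Before"]) <= now <= parse_time(f["Not After"]),
    }


if __name__ == "__main__":
    now = datetime(2021, 10, 8, tzinfo=timezone.utc)  # date of the posted certbot log
    for host, dump in (("lapt0p", SELF_SIGNED_DUMP), ("5erver", CROSS_SIGNED_DUMP)):
        info = classify(dump, now)
        print(host, info["subject"], info["kind"], "until", info["not_after"].date(),
              "depends on:", info["depends_on"])
```

For the second dump the result names DST Root CA X3 as the certificate the chain continues to, so the file's own 2024 date is not the only expiry that matters; DST Root CA X3 expired on 30 September 2021.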
See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Online
morta@5erver ~]$ cat /var/log/letsencrypt/letsencrypt.log or
cat: /var/log/letsencrypt/letsencrypt.log: Keine Berechtigung
cat: or: Datei oder Verzeichnis nicht gefunden
[morta@5erver ~]$ sudo cat /var/log/letsencrypt/letsencrypt.log
2021-10-08 11:52:26,137:DEBUG:certbot._internal.main:certbot version: 1.19.0
2021-10-08 11:52:26,138:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-10-08 11:52:26,138:DEBUG:certbot._internal.main:Arguments: ['-v']
2021-10-08 11:52:26,138:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#dns-cloudflare,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-10-08 11:52:26,156:DEBUG:certbot._internal.log:Root logging level set at 20
2021-10-08 11:52:26,156:DEBUG:certbot._internal.plugins.selection:Requested authenticator None and installer None
2021-10-08 11:52:26,221:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.50
2021-10-08 11:52:26,455:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_arch.ArchConfigurator object at 0x7f3706d58b80>
Prep: True
2021-10-08 11:52:26,455:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_arch.ArchConfigurator object at 0x7f3706d58b80> and installer <certbot_apache._internal.override_arch.ArchConfigurator object at 0x7f3706d58b80>
2021-10-08 11:52:26,455:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-10-08 11:52:26,459:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/113582268', new_authzr_uri=None, terms_of_service=None), b5ac80215db8a16197e4d6cdb993bf7d, Meta(creation_dt=datetime.datetime(2021, 2, 22, 17, 48, 3, tzinfo=<UTC>), creation_host='5erver.localdomain', register_to_eff=None))>
2021-10-08 11:52:26,460:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-10-08 11:52:26,461:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-10-08 11:52:26,814:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 699, in urlopen
httplib_response = self._make_request(
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 382, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
conn.connect()
File "/usr/lib/python3.9/site-packages/urllib3/connection.py", line 411, in connect
self.sock = ssl_wrap_socket(
File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(
File "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "/usr/lib/python3.9/ssl.py", line 1040, in _create
self.do_handshake()
File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 439, in send
resp = conn.urlopen(
File "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py", line 755, in urlopen
retries = retries.increment(
File "/usr/lib/python3.9/site-packages/urllib3/util/retry.py", line 574, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in <module>
sys.exit(load_entry_point('certbot==1.19.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3.9/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1572, in main
return config.func(config, plugins)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 1278, in run
le_client = _init_le_client(config, authenticator, installer)
File "/usr/lib/python3.9/site-packages/certbot/_internal/main.py", line 768, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 262, in __init__
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/lib/python3.9/site-packages/certbot/_internal/client.py", line 44, in acme_from_config_key
client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
File "/usr/lib/python3.9/site-packages/acme/client.py", line 840, in __init__
directory = messages.Directory.from_json(net.get(server).json())
File "/usr/lib/python3.9/site-packages/acme/client.py", line 1194, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
File "/usr/lib/python3.9/site-packages/acme/client.py", line 1133, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 542, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3.9/site-packages/requests/sessions.py", line 655, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3.9/site-packages/requests/adapters.py", line 514, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
2021-10-08 11:52:26,821:ERROR:certbot._internal.log:An unexpected error occurred:
2021-10-08 11:52:26,821:ERROR:certbot._internal.log:requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
[morta@5erver ~]$
It's like Chinese for me... Any help?
Offline
Can I uninstall all certs and reinstall certbot? And see if it works...
How do I remove all certs and reinstall it?
Offline
Did you restart apache (or reboot) after fixing the certs?
Online
A wonder, certbot is working again :-)
Thank you very much. Can I donate a small amount somewhere for your server costs?
Offline
I guess archlinux will happily accept donations at https://archlinux.org/donate/ - I do this for my personal entertainment only ;-)
Online
I did it ;-) but unfortunately the error is coming again. Can I remove all certs from the system and reinstall it?
And after a reboot an ISRG_Root_X1.1.pem is there again...
Last edited by Morta (2021-10-08 20:24:42)
Offline
The error is coming again "with that file"?
----
Edit: "yes"…
----
You should figure where the bogus certificate comes from, typically they're built from /usr/share/ca-certificates/trust-source/mozilla.trust.p11-kit but that seems to be fine according to #12
Also it should™ not be rebuilt all the time w/o updates of the relevant packages.
So if that file shows up again it has to come from somewhere, you could audit it to (hopefully) log what creates it.
https://wiki.archlinux.org/title/Audit_ … ies_access
Maybe you can recall setting up sth. else regarding your certificates?
Last edited by seth (2021-10-08 20:27:59)
Online
I see the whole thing is going to be more complex than I hoped. So I will try tomorrow to log this annoying error.
I hope for an update of the responsible packages
Offline
ls -R /usr/share/p11-kit/modules/ /{etc,usr/share}/ca-certificates/trust-source
Online
[root@5erver certs]# ls -R /usr/share/p11-kit/modules/ /{etc,usr/share}/ca-certificates/trust-source
/etc/ca-certificates/trust-source:
anchors blocklist free-vpn.it.p11-kit ISRG_Root_X1.p11-kit R3.p11-kit
/etc/ca-certificates/trust-source/anchors:
localhost.pem
/etc/ca-certificates/trust-source/blocklist:
/usr/share/ca-certificates/trust-source:
anchors blocklist mozilla.trust.p11-kit
/usr/share/ca-certificates/trust-source/anchors:
/usr/share/ca-certificates/trust-source/blocklist:
/usr/share/p11-kit/modules/:
p11-kit-trust.module
Last edited by Morta (2021-10-09 09:00:10)
Offline