You are not logged in.
- Topics: Active | Unanswered
#1 2021-12-05 18:07:43
- Grahf
- Member
- Registered: 2019-09-03
- Posts: 10
[solved]certbot 'certificate has expired'
I basically can't use certbot. Everytime I try and use it I get the error message
`
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1129)')))
`
sudo /usr/bin/update-ca-trust does nothing
Found this https://bbs.archlinux.org/viewtopic.php?id=270218. Appears to be the same issue as mine but I'm not sure.
Users final solution was:
- I delete all certs with ISRG_Root_X1.pem
- Removed free-vpn.it.p11-kit ISRG_Root_X1.p11-kit
- Renamed ISRG_Root_X1.1.pem to ISRG_Root_X1.pem
- Linked ISRG_Root_X1.pem to /etc/ssl/certs
- Updated the certs with update-ca-trust
- Restarted httpd service
I'm probably going to try that unless someone tells me otherwise.
Last edited by Grahf (2021-12-05 20:03:59)
Offline
#2 2021-12-05 19:11:20
- ewaller
- Administrator
- From: Pasadena, CA
- Registered: 2009-07-13
- Posts: 20,583
Re: [solved]certbot 'certificate has expired'
First and foremost, are you sure your server is reachable from the public domain at the domain for which you are trying to obtain a certificate? If you want me to test it, feel free to send me an email with a link.
What are you using as a seb facing server? Nginx? Apache?
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way
Offline
#3 2021-12-05 19:22:02
- Grahf
- Member
- Registered: 2019-09-03
- Posts: 10
Re: [solved]certbot 'certificate has expired'
Just fixed it. Not sure if I should delete this post or not.
What I did:
removed ISRG_Root_X1.pem in /etc/ssl/certs and /etc/ca-certificates/extracted/cadir
removed ISRG_Root_X1.p11-kit (forget where it was)
renamed ISRG_Root_X1.1.pem to ISRG_Root_X1.pem in /etc/ssl/certs and /etc/ca-certificates/extracted/cadir (sudo mv ISRG_Root_X1.1.pem ISRG_Root_X1.pem)
created systemlink (sudo ln -sf /etc/ssl/certs/ISRG_Root_X1.pem /etc/ca-certificates/extracted/cadir/ISRG_Root_X1.pem)
ran sudo /usr/bin/update-ca-trust
Offline