
#1 2024-01-13 12:24:34

anon_500
Member
Registered: 2024-01-13
Posts: 5

I can't get Let's Encrypt to renew my SSL certificate

I set up my SSL certificate from Let's Encrypt as follows:

sudo systemctl enable --now ufw
sudo ufw allow 80
sleep 5
sudo certbot certonly --standalone --preferred-challenges http -d mydomain.com
sudo cp /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/ca-certificates/trust-source/anchors/fullchain.crt
sudo trust extract-compat
sudo ln -s /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/ssl/private/server.key
sudo ln -s /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/ssl/certs/server.crt

And it works great (I use it primarily for my email server). I have never, however, been able to renew the certificate. Here's what happens when I try:

# certbot certonly -d mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1006)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Trying the other option:

# certbot certonly -d mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Runs an HTTP server locally which serves the necessary validation files under
the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP
server already running. HTTP challenge only (wildcards not supported).
(standalone)
2: Saves the necessary validation files to a .well-known/acme-challenge/
directory within the nominated webroot path. A seperate HTTP server must be
running and serving files from the webroot path. HTTP challenge only (wildcards
not supported). (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1006)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

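A check worth running on the setup in the first post, added here as an example and not taken from the thread or from certbot: the copy of fullchain.pem into /etc/ca-certificates/trust-source/anchors/ followed by `trust extract-compat` installs certbot's end-entity chain as a system trust anchor. Nothing in the thread confirms that this is what broke certbot's verification of acme-v02.api.letsencrypt.org, but an anchor directory should only ever hold CA certificates, and a certbot fullchain.pem begins with the leaf, which is not a CA and expires roughly every 90 days. The script below audits any PEM bundle for exactly those two properties. It needs only `openssl`, `awk` and POSIX sh; the sample CA and leaf it builds are constructed in a temporary directory, and the names "Sample Test CA" and mydomain.com are placeholders.

```shell
#!/bin/sh
# Added example (not code from the thread). Audits a PEM bundle the way a
# trust anchor should be audited before it goes into
# /etc/ca-certificates/trust-source/anchors/: every certificate should be a
# CA (basicConstraints CA:TRUE) and unexpired. A certbot fullchain.pem begins
# with the end-entity certificate, which is neither a CA nor long-lived.
set -eu

# Print one line per certificate in $1:
#   CA|NOT-A-CA [EXPIRED]  subject=...  issuer=...  notAfter=...
audit_anchor_bundle() {
    bundle=$1
    n=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        # Pull the i-th PEM block out of the bundle.
        cert=$(awk -v want="$i" '
            /BEGIN CERTIFICATE/ { c++ }
            c == want { print }
            /END CERTIFICATE/ && c == want { exit }' "$bundle")
        subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
        issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
        enddate=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate)
        status=NOT-A-CA
        if printf '%s\n' "$cert" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
            status=CA
        fi
        # -checkend 0 exits non-zero once notAfter has passed.
        if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null; then
            status="$status EXPIRED"
        fi
        printf '%s  %s  %s  %s\n' "$status" "$subject" "$issuer" "$enddate"
        i=$((i + 1))
    done
}

# Constructed sample: a throwaway CA plus a leaf it signs, concatenated in the
# same order certbot writes fullchain.pem (leaf first, then the chain).
# The subject names are placeholders, not anything from the thread.
make_sample_bundle() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Sample Test CA' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=mydomain.com' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mydomain.com\n' > "$dir/leaf.ext"
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
    printf '%s\n' "$dir/fullchain.pem"
}

# Stand-alone demo: the first line reported is the leaf, flagged NOT-A-CA.
demo_dir=$(mktemp -d)
audit_anchor_bundle "$(make_sample_bundle "$demo_dir")"
rm -rf "$demo_dir"
```

Run `audit_anchor_bundle` against the real file that was copied into the anchors directory and anything reported as NOT-A-CA or EXPIRED does not belong there; remove it and re-run `trust extract-compat` so the generated bundles are rebuilt, and `trust list` from p11-kit shows what the store currently contains. The two symlinks into /etc/ssl/private and /etc/ssl/certs in the same setup are a different matter: they point at /etc/letsencrypt/live/, which certbot updates on every renewal, whereas the copied anchor is a frozen snapshot that will not follow a renewal.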

#2 2024-01-13 14:56:14

ayekat
Member
Registered: 2011-01-17
Posts: 1,632

Re: I can't get Let's Encrypt to renew my SSL certificate

Hi and welcome to the forums!

anon_500 wrote:
[…]unable to get issuer certificate[…]

What if you try to manually connect to that address?

curl https://acme-v2.api.letsencrypt.org/directory

What is the output if you run it with -v as instructed in the error message?

Also, do you have a webserver running on port 80 already? If yes, at least with option 2, it should be configured to forward .well-known/acme-challenge to some directory that Certbot can write to. Otherwise the ACME server's requests will end up with whatever Web site/application is serving that request.
And for option 1, I assume it would result in a conflict (though I've honestly never tried that variant).


pkgshackscfgblag


#3 2024-01-13 16:59:35

anon_500
Member
Registered: 2024-01-13
Posts: 5

Re: I can't get Let's Encrypt to renew my SSL certificate

I appreciate your help but I don't understand it. I haven't got any webserver running on port 80. I didn't need one to get the certificate in the first place. Now I have to jump through a bunch of hoops to renew? Could you please clarify because I'm really in the dark.

Last edited by anon_500 (2024-01-13 22:09:51)


#4 2024-01-13 19:39:28

ayekat
Member
Registered: 2011-01-17
Posts: 1,632

Re: I can't get Let's Encrypt to renew my SSL certificate

anon_500 wrote:

I haven't got any webserver running on port 80.

Just wanted to be sure there isn't any conflict there. We cannot know what has (or has not) changed since the initial certificate generation.

If you find time, please also provide the following:

ayekat wrote:

What if you try to manually connect to that address?

curl https://acme-v2.api.letsencrypt.org/directory

What is the output if you run it with -v as instructed in the error message?


pkgshackscfgblag


#5 2024-01-13 22:09:07

anon_500
Member
Registered: 2024-01-13
Posts: 5

Re: I can't get Let's Encrypt to renew my SSL certificate

# curl -v https://acme-v02.api.letsencrypt.org/directory
*   Trying 172.65.32.248:443...
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: Dec 28 19:04:44 2023 GMT
*  expire date: Mar 27 19:04:43 2024 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x560d75947560)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200
< server: nginx
< date: Sat, 13 Jan 2024 22:07:07 GMT
< content-type: application/json
< content-length: 752
< cache-control: public, max-age=0, no-cache
< x-frame-options: DENY
< strict-transport-security: max-age=604800
<
{
  "aFMLgtMNMzo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-02/renewalInfo/",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
* Connection #0 to host acme-v02.api.letsencrypt.org left intact

Last edited by anon_500 (2024-01-13 22:13:42)


#6 2024-01-14 14:06:29

ayekat
Member
Registered: 2011-01-17
Posts: 1,632

Re: I can't get Let's Encrypt to renew my SSL certificate

OK, curl seems to work fine.

But the -v I meant for certbot (the error message was from certbot).

Last edited by ayekat (2024-01-14 14:06:51)


pkgshackscfgblag


#7 2024-01-15 18:14:50

anon_500
Member
Registered: 2024-01-13
Posts: 5

Re: I can't get Let's Encrypt to renew my SSL certificate

I've tried it, but... well here's the output:

# certbot -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Not very helpful. I don't understand why this always causes a problem. My only solution previously has been to wipe the entire system and start again. Surely there must be a better way...


#8 2024-01-15 20:44:46

ayekat
Member
Registered: 2011-01-17
Posts: 1,632

Re: I can't get Let's Encrypt to renew my SSL certificate

And… what is in that debug log?

--edit Actually, have you tried renewing the certificate?
AFAIK you're supposed to run `certbot renew`, not get a new certificate. See also https://wiki.archlinux.org/title/Certbo … ic_renewal and the content of certbot-renew.service (systemctl cat …).

Last edited by ayekat (2024-01-15 20:48:21)


pkgshackscfgblag


#9 2024-01-15 22:03:39

anon_500
Member
Registered: 2024-01-13
Posts: 5

Re: I can't get Let's Encrypt to renew my SSL certificate

# certbot --standalone renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/reckeng.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate reckeng.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1006)')))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/reckeng.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Is the problem that the certificate has expired?


#10 2024-02-04 09:59:07

ayekat
Member
Registered: 2011-01-17
Posts: 1,632

Re: I can't get Let's Encrypt to renew my SSL certificate

I just noticed this hasn't been resolved yet, sorry.

Could you please paste the debug log mentioned in the output for the last renewal attempt?


pkgshackscfgblag
