Hi LOR, I ran into a problem: certbot was running from cron, but with errors, and as a result the certificate has now expired. Please tell me where to dig; on the official forum a guy asked for logs and then disappeared. Just in case, after the failure I updated certbot and openssl, but that had zero effect.
I tried deleting one of the certificates (there are 4 in total) and requesting the certificate again.
The domain has been replaced with example.com.
The full log is here!
$ certbot --nginx -d new.example.com
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
body=body, headers=headers)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 252, in connect
ssl_version=resolved_ssl_version)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.5/ssl.py", line 377, in wrap_socket
_context=self)
File "/usr/lib/python3.5/ssl.py", line 752, in __init__
self.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 589, in urlopen
raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
During handling of the above exception, another exception occurred:
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
Please see the logfiles in /var/log/letsencrypt for more details.
$ certbot renew --dry-run
Processing /etc/letsencrypt/renewal/youtrack.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (youtrack.example.com) from /etc/letsencrypt/renewal/youtrack.example.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/gitlab.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (gitlab.example.com) from /etc/letsencrypt/renewal/gitlab.example.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/office.example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org
Attempting to renew cert (office.example.com) from /etc/letsencrypt/renewal/office.example.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/youtrack.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/gitlab.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/office.example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/youtrack.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/gitlab.example.com/fullchain.pem (failure)
/etc/letsencrypt/live/office.example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3 renew failure(s), 0 parse failure(s)
$ certbot certificates
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: youtrack.example.com
Domains: youtrack.example.com
Expiry Date: 2018-07-27 12:36:32+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/youtrack.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/youtrack.example.com/privkey.pem
Certificate Name: gitlab.example.com
Domains: gitlab.example.com
Expiry Date: 2018-07-25 08:20:31+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/gitlab.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gitlab.example.com/privkey.pem
Certificate Name: office.example.com
Domains: office.example.com
Expiry Date: 2018-08-01 11:50:33+00:00 (VALID: 1 day)
Certificate Path: /etc/letsencrypt/live/office.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/office.example.com/privkey.pem
$ openssl version
OpenSSL 1.1.0h 27 Mar 2018
$ certbot --version
certbot 0.26.1
$ curl -X GET -I -m 10 https://acme-v02.api.letsencrypt.org/directory
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 31 Jul 2018 11:20:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 31 Jul 2018 11:20:32 GMT
Connection: keep-alive