The Let’s Encrypt app is failing to renew its certificate. I have run ‘update-ca-certificates’ and restarted apache2, but it still fails like this in /var/log/univention/letsencrypt.log:
Thu Sep 30 13:34:37 MDT 2021
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
main(sys.argv[1:])
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status
Now they did say they were ending a certificate on September 29th and this is affecting lots of people. It seems UCS has removed the certbot utility and I cannot debug any further. Before you try to curl my server: I only allow 80/443 from the Let’s Encrypt server list, and it’s been this way for several years without issue.
One comment from a user on the Let’s Encrypt community was able to solve it with:
sudo certbot renew --force-renewal --preferred-chain "ISRG Root X1"
But we don’t have this option on Univention, and I cannot see that there is a preferred chain option for the acme_tiny.py script in /usr/share/univention-letsencrypt.