
This is a copy of a recent Let's Encrypt community forum thread that helped me mitigate the issue. I am adding it here since it could potentially affect more users.


I have a server currently hosting three websites that use Let's Encrypt. These certs get renewed without issues. Now I would like to generate a cert for a fourth, new website. This is what I am getting:

certbot --apache certonly -w /path/to/docroot/ -d subdomain.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 313, in ssl_wrap_socket
    context.load_verify_locations(ca_certs, ca_cert_dir)
ssl.SSLError: [X509] no certificate or crl found (_ssl.c:3732)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 326, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 315, in ssl_wrap_socket
    raise SSLError(e)
urllib3.exceptions.SSLError: [X509] no certificate or crl found (_ssl.c:3732)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(185090184, '[X509] no certificate or crl found (_ssl.c:3732)'),))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError(185090184, '[X509] no certificate or crl found (_ssl.c:3732)'),))
Please see the logfiles in /var/log/letsencrypt for more details.

This is on an Ubuntu 18.04. I am not sure what is going on.

kghbln

1 Answer


To mitigate this you basically have to uninstall "ca-certificates" as well as "certbot" and do a fresh reinstall of them.

Situation:

certbot --apache certonly -w /path/to/docroot/ -d subdomain.example.com

--> fails :(

Testing:

curl -I https://www.gnu.org/

--> fails :(

Solution step one:

sudo apt remove ca-certificates

sudo apt install ca-certificates

Testing:

curl -I https://www.gnu.org/

--> works :)

Solution step two (Apache users):

sudo apt install certbot python3-certbot-apache

Solution step two (Nginx users):

sudo apt install certbot python3-certbot-nginx

Result:

certbot --apache certonly -w /path/to/docroot/ -d subdomain.example.com

--> works :)

Thanks for this tremendous help go to the Let's Encrypt community! They are awesome!

kghbln
  • This is not working for me. Is there any explanation of what causes this issue? Both CAfile and CApath exist and are readable/accessible. Removing and installing ca-certificates did not work for me. Ubuntu 18.04 LTS. Is it an issue with one of our internal CAs? (We append our own CA to the ca-certificates via `/etc/ca-certificates.conf`.) – Daywalker Dec 04 '20 at 08:23
  • I have found my issue! Our self-signed certificate was provided in DER format, which curl is not happy with! I just converted it to PEM and everything went smoothly! – Daywalker Dec 04 '20 at 08:56
  • Thanks a lot for sharing your experience. I believe you have the same issue for a totally different reason. Anyhow, very good that you found the cause and were able to resolve it! – kghbln Dec 05 '20 at 09:02
  • Just to clarify: I was talking about our self-signed company CA certificate, which was provided in the wrong format. Actually no other program or tool had any issues with that, not even the update-ca-certificates command. Hope that helps. – Daywalker Dec 15 '20 at 13:29
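An added example, not code from the question, the answer or the comments: the Python script below reproduces the failure in the question and the cause Daywalker found in the comments. certbot reaches the ACME API through Python's ssl module, which reads the same CA bundle as curl; the traceback shows the failing call is load_verify_locations on that bundle. update-ca-certificates builds the bundle by concatenating the CA files it is configured to trust, including locally added ones, and OpenSSL's bundle reader only understands PEM, so a DER-format CA file in that set is never read as a certificate. The script classifies each local CA file as PEM, DER or neither, converts DER to PEM, and checks the resulting bundle with the same load_verify_locations call. Everything in it is constructed: the CA is a minimal hand-built X.509 structure with a dummy key and signature (it only needs to parse, not to be trusted by anyone), and the directory and bundle paths are temporary stand-ins for /usr/local/share/ca-certificates and /etc/ssl/certs/ca-certificates.crt.

```python
# Added example (not from the thread): diagnose a ca-certificates bundle that
# OpenSSL cannot read, the way certbot (via Python's ssl module) fails on it.
# Everything is constructed: the CA is a minimal hand-built X.509 v1 structure
# with a dummy key and signature; the directory and bundle are temp stand-ins.
import os
import ssl
import tempfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

def _tlv(tag, body):
    """DER tag-length-value with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _seq(*items):
    return _tlv(0x30, b"".join(items))

def _int(n):
    # one spare byte so a leading 0x80 bit is not read as a negative number
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_test_ca_der():
    """Structurally valid X.509 v1 certificate in DER (constructed; trusted by nobody)."""
    sha256_rsa = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d01010b")), b"\x05\x00")
    rsa_enc = _seq(_tlv(0x06, bytes.fromhex("2a864886f70d010101")), b"\x05\x00")
    cn = _seq(_tlv(0x06, bytes.fromhex("550403")), _tlv(0x13, b"Example Internal CA"))
    name = _seq(_tlv(0x31, cn))
    rsa_key = _seq(_int((1 << 2047) | 1), _int(65537))  # odd 2048-bit number, not a real key
    spki = _seq(rsa_enc, _tlv(0x03, b"\x00" + rsa_key))
    validity = _seq(_tlv(0x17, b"200101000000Z"), _tlv(0x17, b"400101000000Z"))
    tbs = _seq(_int(1), sha256_rsa, name, validity, name, spki)
    return _seq(tbs, sha256_rsa, _tlv(0x03, b"\x00" + bytes(64)))

def der_to_pem(der):
    """Same conversion as `openssl x509 -inform DER -outform PEM`."""
    return ssl.DER_cert_to_PEM_cert(der)

def classify_cert_file(data):
    """'pem', 'der' or 'unknown' for the raw bytes of one file in the local CA directory."""
    if PEM_MARKER in data:
        return "pem"
    # DER X.509 is a single SEQUENCE whose encoded length must span the whole file
    if len(data) > 4 and data[0] == 0x30:
        if data[1] < 0x80:
            total = 2 + data[1]
        else:
            nlen = data[1] & 0x7F
            total = 2 + nlen + int.from_bytes(data[2:2 + nlen], "big")
        if total == len(data):
            return "der"
    return "unknown"

def bundle_loads(bundle_path):
    """Load the bundle as certbot's HTTPS client does; returns (ok, error text)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=bundle_path)
        return True, ""
    except ssl.SSLError as e:
        return False, str(e)

def repair_local_cas(ca_dir):
    """Rewrite DER files in ca_dir as PEM in place; return {filename: kind before repair}."""
    report = {}
    for fn in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, fn)
        with open(path, "rb") as f:
            data = f.read()
        report[fn] = classify_cert_file(data)
        if report[fn] == "der":
            with open(path, "w") as f:
                f.write(der_to_pem(data))
    return report

def build_bundle(ca_dir, bundle_path):
    """Concatenate the .crt files, which is what update-ca-certificates does."""
    with open(bundle_path, "wb") as out:
        for fn in sorted(os.listdir(ca_dir)):
            if fn.endswith(".crt"):
                with open(os.path.join(ca_dir, fn), "rb") as f:
                    out.write(f.read())

def demo():
    """A DER CA in the local CA directory breaks the bundle; converting it to PEM fixes it."""
    tmp = tempfile.mkdtemp()
    ca_dir = os.path.join(tmp, "ca-certificates")
    os.mkdir(ca_dir)
    bundle = os.path.join(tmp, "ca-certificates.crt")
    with open(os.path.join(ca_dir, "internal-ca.crt"), "wb") as f:
        f.write(build_test_ca_der())
    build_bundle(ca_dir, bundle)
    before = bundle_loads(bundle)      # (False, '... no certificate or crl found ...')
    report = repair_local_cas(ca_dir)  # {'internal-ca.crt': 'der'}
    build_bundle(ca_dir, bundle)
    after = bundle_loads(bundle)       # (True, '')
    return before, report, after
```

On a real system, run classify_cert_file over the files in /usr/local/share/ca-certificates (and anything else named in /etc/ca-certificates.conf), convert any DER file, rerun update-ca-certificates, and check the bundle with bundle_loads before trying certbot again. If the bundle still fails to load although every file is PEM, the package reinstall from the answer is the next step.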