
So I have an old Ubuntu 16.04 server and I've recently installed a Let's Encrypt SSL certificate. Before, I used to use an SSL certificate from Sectigo RSA and it worked perfectly, but after I updated it to Let's Encrypt it's showing this error:

SSLError at /layers/geonode:test
("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Request Method: GET
Request URL:    https://x.com/layers/geonode:test
Django Version: 1.8.7
Exception Type: SSLError
Exception Value:    
("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)
Exception Location: /usr/local/lib/python2.7/dist-packages/requests/adapters.py in send, line 497
Python Executable:  /usr/bin/uwsgi-core
Python Version: 2.7.12
Python Path:    
['.',
 '',
 '/usr/lib/python2.7',
 '/usr/lib/python2.7/plat-x86_64-linux-gnu',
 '/usr/lib/python2.7/lib-tk',
 '/usr/lib/python2.7/lib-old',
 '/usr/lib/python2.7/lib-dynload',
 '/root/.local/lib/python2.7/site-packages',
 '/usr/local/lib/python2.7/dist-packages',
 '/usr/lib/python2.7/dist-packages',
 '/var/www/x/x']
Server time:    Fri, 4 Aug 2023 19:30:56 +0600

I've tried updating the root ca-certificates with sudo apt install ca-certificates but it says:

ca-certificates is already the newest version (20210119~16.04.1).
0 upgraded, 0 newly installed, 0 to remove and 392 not upgraded.

And here's what my nginx configuration looks like:

server {
    server_name x.com;
    return 301 $scheme://x.com$request_uri;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/x.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/x.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = x.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name x.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name x.com;

#    include snippets/x-signed.conf;
#    include snippets/ssl-params.conf;
    ssl_certificate /etc/letsencrypt/live/x.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/x.com/privkey.pem; # managed by Certbot

    charset utf-8;
    access_log /var/log/nginx/x.access.log;
    error_log /var/log/nginx/x.error.log info;

    # sit2605
    client_max_body_size 1600M;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        # With php5-cgi alone:
        # fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/www$fastcgi_script_name;
        include fastcgi_params;
        # Increasing timeout
        fastcgi_read_timeout 600;
    }

    location / {
        root /var/www/uploads;
        try_files $uri @wsgiapp;
    }

    location @wsgiapp {
        uwsgi_read_timeout 10800;
        uwsgi_pass unix:///var/lib/uwsgisock/x.sock;
        include /etc/nginx/uwsgi_params;
    }

    location /geoserver/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://x.x.x.x:8080/geoserver/;
    }
}

server {
    if ($host = x.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name x.com;
    listen 80;
    return 404; # managed by Certbot
}

Any idea on how to fix it?

Rezwan

1 Answer

You're probably using old CA certificates which have expired; from the OpenSSL blog:

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

It links to another blog post on Let's Encrypt that explains this problem and how to handle it. Here's what they recommend (emphasis is mine):

What should you do? For most people, nothing at all! We’ve set up our certificate issuance so your web site will do the right thing in most cases, favoring broad compatibility. If you provide an API or have to support IoT devices, you’ll need to make sure of two things: (1) all clients of your API must trust ISRG Root X1 (not just DST Root CA X3), and (2) if clients of your API are using OpenSSL, they must use version 1.1.0 or later. In OpenSSL 1.0.x, a quirk in certificate verification means that even clients that trust ISRG Root X1 will fail when presented with the Android-compatible certificate chain we are recommending by default.

You should check your OpenSSL version, which is probably outdated on Ubuntu 16, and upgrade it; check this SO answer for how to do it.

Chen A.
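A small diagnostic for the two conditions the quoted Let's Encrypt post names (client OpenSSL older than 1.1.0, and a served chain in which ISRG Root X1 is cross-signed by DST Root CA X3), added here as an example and not part of the answer. The version string and the `openssl s_client -showcerts` chain listing are constructed samples; the intermediate name R3 and the s_client command are assumptions, not taken from the thread.

```python
import re

# Constructed samples (not from the thread) standing in for real output of
# `openssl version` and of `openssl s_client -connect x.com:443 -servername x.com -showcerts`.
SAMPLE_VERSION = "OpenSSL 1.0.2g  1 Mar 2016"
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/CN=x.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

def parse_openssl_version(text):
    """'OpenSSL 1.0.2g  1 Mar 2016' -> (1, 0, 2); also accepts ssl.OPENSSL_VERSION."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return tuple(int(x) for x in m.groups())

def parse_chain(s_client_output):
    """Return [(subject CN, issuer CN), ...] in the order the server sent the chain;
    handles both the 1.0.x '/CN=...' and the 1.1.x 'CN = ...' DN formats."""
    subjects = re.findall(r"^\s*\d+ s:(.*)$", s_client_output, re.M)
    issuers = re.findall(r"^\s+i:(.*)$", s_client_output, re.M)
    def cn(dn):
        m = re.search(r"CN\s*=\s*([^/,]+)", dn)
        return m.group(1).strip() if m else dn.strip()
    return [(cn(s), cn(i)) for s, i in zip(subjects, issuers)]

def diagnose(version_text, s_client_output):
    """Report whether this client/server pair hits the OpenSSL 1.0.x expired-chain quirk."""
    version = parse_openssl_version(version_text)
    chain = parse_chain(s_client_output)
    # Condition 1: the default (Android-compatible) chain carries ISRG Root X1 as an
    # intermediate signed by the expired DST Root CA X3.
    long_chain = any(s == "ISRG Root X1" and i == "DST Root CA X3" for s, i in chain)
    # Condition 2: OpenSSL 1.0.x builds the path all the way to DST Root CA X3 even
    # when ISRG Root X1 is trusted, so it sees an expired chain.
    old_openssl = version < (1, 1, 0)
    findings = []
    if long_chain:
        findings.append("server chain ends in ISRG Root X1 cross-signed by DST Root CA X3")
    if old_openssl:
        findings.append("client OpenSSL %d.%d.%d is older than 1.1.0" % version)
    return {"affected": long_chain and old_openssl, "version": version,
            "chain": chain, "findings": findings}
```

On the affected server, pass `ssl.OPENSSL_VERSION` from the same Python interpreter that runs `requests` (it reports the library the client is actually linked against, which may differ from the `openssl` binary) together with the real s_client output.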