
Thread: LetsEncrypt - SSL certificate is not valid


  1. #1
    Join Date
    Dec 2019
    Beans
    27

    LetsEncrypt - SSL certificate is not valid

    Distributor Ubuntu 18.04.6 LTS Release: 18.04

    Since this morning I have found 5 domain names with the following error message (LetsEncrypt certs):

    Code:
    SSL certificate is not valid: C = US, O = Internet Security Research Group, CN = ISRG Root X1 error 2 at 2 depth lookup: unable to get issuer certificate



    I then deleted these LetsEncrypt certificates, but the error occurs again when I request a new certificate. These certificates were listed as successfully renewed in the letsencrypt log file ...
    Something seems to be wrong with the root CA or Apache. There have been some updates recently regarding openssl as well.


    The problem only seems to occur with Ubuntu. With Debian 9 & 10 I cannot detect these errors.


    Does anyone have an idea how to solve this problem?

  2. #2
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,690
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: LetsEncrypt - SSL certificate is not valid

    Did you add a proxy since the last time the certificate was validated?

  3. #3
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    No proxy. I have just activated HTTP/2, but it also happens when I disable HTTP/2, incl. an Apache restart.
    With Ubuntu the DST_Root_CA_X3 is disabled; on Debian 9 it's still available.
    Code:
    /etc/ca-certificates.conf
    !mozilla/DST_Root_CA_X3.crt
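
Added example, not part of the original posts: a shell check that reads a ca-certificates.conf-style file and reports whether the two roots discussed in this thread are selected, deselected (the `!` prefix shown above) or not listed. The function names and the sample file are constructed for illustration, and `mozilla/ISRG_Root_X1.crt` is assumed to be the entry name of the ISRG root in the ca-certificates package.

```shell
#!/bin/sh
# Added example: report how a ca-certificates.conf-style file treats given roots.
# Format assumed: "#" starts a comment, a "!" prefix deselects an entry,
# a bare path selects it.

# ca_entry_state CONF ENTRY -> prints enabled | disabled | absent
# If ENTRY is listed more than once, the last line is the one reported.
ca_entry_state() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)   # trim surrounding whitespace
            if (line == "!" want)  state = "disabled"
            else if (line == want) state = "enabled"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# le_roots_report CONF -> one "entry: state" line per root named in the thread
le_roots_report() {
    for entry in mozilla/DST_Root_CA_X3.crt mozilla/ISRG_Root_X1.crt; do
        printf '%s: %s\n' "$entry" "$(ca_entry_state "$1" "$entry")"
    done
}

# write_sample_conf PATH -> constructed sample, not taken from a real host
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample for illustration
mozilla/DigiCert_Global_Root_CA.crt
!mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
le_roots_report "$sample"
rm -f "$sample"
```

On a real host the same report comes from `le_roots_report /etc/ca-certificates.conf`; comparing its output between the Ubuntu and Debian machines shows whether their trust-store selections differ.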
    





  4. #4
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    It also happens when I create a new certificate.
    Is there anything I can do to solve the problem?

  5. #5
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    It seems the user apache domain_ssl.conf is not created after a create or renew request ...

  6. #6
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    certbot renew --dry-run works without any error output
    Maybe something is wrong with the intermediate certificates?
    https://scotthelme.co.uk/lets-encryp...ot-expiration/

  7. #7
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Some more details:

    Code:
    # openssl s_client -connect co2avatar.org:443 -servername co2avatar.org -showcerts
    issuer=C = US, O = Let's Encrypt, CN = R3
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4595 bytes and written 396 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 407F1D7B08AED29BE618126CF34381CC3247B5A889A22FC71389AE8DCD7763E4
        Session-ID-ctx:  
        Resumption PSK: 93350F9B4946873A683373870A0BAEDBC380E1CCA51FDB8298379C1E8BEC315800F6B1B621D604351CED2EBE29A5B7C1
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 5f 52 15 c7 eb 77 bf d2-fd 39 7a 90 ee 39 46 65   _R...w...9z..9Fe
        0010 - 15 36 a0 68 05 97 1b 64-ad 3f 6f ef dd d5 cf 80   .6.h...d.?o.....
    
        Start Time: 1632763996
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 81211663644805CE07998F7D255386F3F6431E35D4D4ACCF83B48A4D5BABE571
        Session-ID-ctx:  
        Resumption PSK: A7424C58C4746163739FCA829D7D50F1362A859BDD823BF7AD99D3603D1F2EE4CB19190165577A0794A8216E8A8E99C2
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 95 21 52 17 c3 3f 8a eb-23 1c ce e2 cc 71 f3 12   .!R..?..#....q..
        0010 - 64 f3 fe 85 d6 90 c2 f0-25 95 0e d1 d5 05 d9 c9   d.......%.......
    
        Start Time: 1632763996
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    
    
    
    Last edited by clusterix; September 27th, 2021 at 06:35 PM.

  8. #8
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Strange ... it only fails with Ubuntu 18.04.6 LTS.
    I use the same configuration with Debian 9 & 10 and there it works ...
    That could be a worst case, as I use many WordPress with letsencrypt.

  9. #9
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,690
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: LetsEncrypt - SSL certificate is not valid

    I have upgraded all my servers to 20.04 long ago. I'm not experiencing that issue so I'm not sure what can be done to bandaid the issue if it really is an issue with certbot becoming out-of-date on Ubuntu 18.04.

    I'll check what version of certbot I have installed on 20.04...

    Code:
    apt search certbot-apache
    python3-certbot-apache/focal,focal,now 0.39.0-1 all [installed]

    What version do you have installed?

  10. #10
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    It shows:
    python-certbot-apache/bionic,bionic,bionic,bionic 0.23.0-1 all
    transitional dummy package

    python-certbot-apache-doc/bionic,bionic,bionic,bionic 0.23.0-1 all
    Apache plugin documentation for Certbot

    python3-certbot-apache/bionic,bionic,bionic,bionic 0.23.0-1 all
    Apache plugin for Certbot

