Question

Let's Encrypt renewal failing - CERTIFICATE_VERIFY_FAILED

Posted December 3, 2021 265 views
Apache, Let's Encrypt, Ubuntu 16.04, DigitalOcean Droplets

Hello, I’ve just started receiving this message from Let's Encrypt on my droplet when it tries to renew the certificate for my website. This is the full error -

Attempting to renew cert (innoviatech.com) from /etc/letsencrypt/renewal/innoviatech.com.conf produced an unexpected error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/innoviatech.com/fullchain.pem (failure)

Not sure what is causing this. The DNS of the domain name still points to the droplet and there’s been no changes to the Apache config. The certificate expires in 9 days so hoping to resolve before then!…

Thanks in advance,

Phil.

1 answer

Hi there,

What I could suggest is trying to upgrade your certbot installation to the latest version:

sudo apt update
sudo apt install --only-upgrade certbot

Let me know if this helps!

There seems to have been a similar discussion on the Let’s Encrypt community here:

https://community.letsencrypt.org/t/ssl-certificate-verify-failed-certificate-verify-failed-ssl-c-645/162152

Best,
Bobby

  • Thank you - I’ll try this and let you know how I get on.

    Cheers,

    Phil

  • Hi Bobby, I ran the commands to update Certbot but if I try to then run sudo certbot renew --dry-run it returns the message -

    Another instance of Certbot is already running.
    

    Not sure why this might be? I’ve tried exiting and starting a new shell but same message.

    Cheers

    • Hi there,

      I recently had a similar problem and I fixed it by following the steps here:

      https://community.letsencrypt.org/t/solved-another-instance-of-certbot-is-already-running/44690/2

      Basically, first kill the current process:

      ps aux | grep -i certbot
      

      Find the process ID and kill the process:

      kill process_id_here
      

      If this does not work, you might have to delete the certbot lock file as described in the post above.

      To find any certbot lock files run:

      find / -type f -name ".certbot.lock"
      

      In case there are any, you can either delete them manually, or use this command here to delete them all in one go:

      find / -type f -name ".certbot.lock" -exec rm {} \;
      

      Let me know how it goes.

      Best,
      Bobby
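
Before deleting lock files as suggested in the last reply, it helps to confirm that no running process still holds them, since removing a lock that is in use lets two certbot runs touch the same certificates at once. The script below is an added example, not part of the thread: it assumes Linux with /proc and that a running certbot keeps its .certbot.lock open, and the function names lock_holders and clear_stale_locks are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Linux only (scans /proc/<pid>/fd); run as
# root to see other users' processes. Assumption: a running certbot keeps its
# .certbot.lock open. Usage (hypothetical file name):
#   sudo sh certbot-locks.sh /etc/letsencrypt

# Print the PIDs that currently have FILE open, one per line.
lock_holders() (
    target=$1
    for fd in /proc/[0-9]*/fd/*; do
        # -ef is true when both paths resolve to the same device and inode.
        # Descriptors we may not inspect, or that vanish mid-scan, simply fail.
        if [ "$fd" -ef "$target" ] 2>/dev/null; then
            pid=${fd#/proc/}
            echo "${pid%%/*}"
        fi
    done | sort -un
)

# For every .certbot.lock under the given directories: keep it if a process
# still holds it, delete it otherwise. Returns non-zero if any lock was held.
clear_stale_locks() {
    find "$@" -type f -name ".certbot.lock" 2>/dev/null | {
        held=0
        while IFS= read -r lock; do
            pids=$(lock_holders "$lock" | tr '\n' ' ')
            if [ -n "$pids" ]; then
                echo "HELD    $lock by PID(s): $pids"
                held=1
            else
                rm -f -- "$lock" && echo "REMOVED $lock"
            fi
        done
        [ "$held" -eq 0 ]
    }
}

# Only act when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    clear_stale_locks "$@"
fi
```

A HELD line names the process to inspect with ps before deciding whether to kill it; only locks nobody holds are removed.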