How to run certbot on Ubuntu 14.04

December 7, 2021 by Mister PKI

With the expiration of the Let’s Encrypt root certificate, IdenTrust DST Root CA X3, on September 30, 2021, certbot renewals on Ubuntu 14.04 broke. The latest version of certbot available for Ubuntu 14.04 is 0.22, far behind the current release. According to https://wiki.ubuntu.com/Releases, Ubuntu 14.04 ran out of standard support in April of 2019. While end of life is not until April 2024, it is recommended to upgrade as soon as possible because of unsupported software packages, potential security holes, and the cause of this issue: an outdated certificate truststore.

certbot breakage

What caused certbot automated renewals to break after the IdenTrust DST Root CA X3 expiration? certbot could no longer build a valid chain to the Let’s Encrypt root for https://acme-v02.api.letsencrypt.org/ when making the API call for renewal. The error returned was the following:

("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

Older Ubuntu versions such as 14.04 do not have the newest Let’s Encrypt root in their truststore. Its common name is ISRG Root X1, and the OS must trust it for certificate renewals to work with certbot. To trust ISRG Root X1 on older versions of Ubuntu, perform the following actions:

  1. Download the ISRG Root X1 certificate from the Let’s Encrypt website.
  2. Copy the downloaded root to /usr/local/share/ca-certificates on the server. Make sure the certificate is in PEM format and has the .crt extension; otherwise the command in the next step will not pick it up.
  3. Run update-ca-certificates to reload the truststore and pick up the new root certificate.
  4. Run certbot renew to kick off the renewal on Ubuntu 14.04.
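The four steps above as one script, added here as an example and not taken from the original post or from certbot. It assumes the root is downloaded from the Let's Encrypt certificate page (the URL in the script is an assumption; check it against the site), that `curl` and `openssl` are present, and that it runs as root. Beyond the bare steps it checks that the downloaded file really is a PEM certificate with the expected subject, gives it the `.crt` name that update-ca-certificates requires, and confirms with `openssl s_client` that the system truststore now validates the ACME endpoint before running `certbot renew`.

```shell
#!/bin/sh
# Added example (not from the original post): trust ISRG Root X1 on Ubuntu 14.04.
# Assumptions: ISRG_URL is the Let's Encrypt download location (verify it),
# curl and openssl are installed, and the script runs as root.
set -eu

ISRG_URL="https://letsencrypt.org/certs/isrgrootx1.pem"   # assumed download URL
CA_DIR="/usr/local/share/ca-certificates"                   # directory update-ca-certificates scans
ACME_HOST="acme-v02.api.letsencrypt.org"                    # endpoint certbot calls for renewal

# update-ca-certificates only picks up files that end in .crt and contain PEM.
# Copy SRC into DIR under a .crt name after checking it is really a PEM cert.
# Prints the destination path; returns 1 (copying nothing) for a non-PEM file.
stage_root() {
  src="$1"; dir="$2"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || {
    echo "$src is not PEM; convert first: openssl x509 -inform der -in $src -out root.crt" >&2
    return 1
  }
  base=$(basename "$src")
  case "$base" in
    *.crt) dest="$dir/$base" ;;
    *.pem) dest="$dir/${base%.pem}.crt" ;;
    *)     dest="$dir/$base.crt" ;;
  esac
  cp "$src" "$dest"
  printf '%s\n' "$dest"
}

# Step 1: download the root and confirm its subject is ISRG Root X1 before trusting it.
fetch_root() {
  out="$1"
  curl -fsSL "$ISRG_URL" -o "$out"
  openssl x509 -in "$out" -noout -subject | grep -q 'ISRG Root X1'
}

# Check that the rebuilt system bundle validates the ACME host; openssl uses the
# default /etc/ssl/certs path, so "Verify return code: 0 (ok)" means the chain
# now ends at ISRG Root X1 in the OS truststore.
verify_acme_chain() {
  echo | openssl s_client -connect "$ACME_HOST:443" -servername "$ACME_HOST" 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

main() {
  tmp=$(mktemp /tmp/isrgrootx1.XXXXXX)
  fetch_root "$tmp"                    # step 1
  dest=$(stage_root "$tmp" "$CA_DIR")  # step 2
  rm -f "$tmp"
  echo "staged $dest"
  update-ca-certificates               # step 3: rebuilds /etc/ssl/certs/ca-certificates.crt
  verify_acme_chain || { echo "chain to $ACME_HOST still fails to verify" >&2; exit 1; }
  certbot renew                        # step 4 (no --dry-run: it is broken on certbot 0.22)
}

# Run as: sh trust-isrg-root.sh install   (sourcing the file only defines the functions)
if [ "${1:-}" = "install" ]; then
  main
fi
```

If `verify_acme_chain` fails after step 3, the new root did not make it into the bundle; the usual causes are a DER file or a missing `.crt` extension, which `stage_root` rejects or fixes respectively.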

Having added the new Let’s Encrypt root certificate to the trusted certs on Ubuntu 14.04, you will have a working certbot on Ubuntu 14.04. Note that this is only recommended as a temporary fix until you are able to upgrade to the latest version of Ubuntu.

certbot renewal --dry-run error

After fixing the certificate verification error by trusting the new Let’s Encrypt root, you may encounter the following error if testing the certbot renewal with --dry-run:

Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

This error message occurs because the --dry-run feature is broken with certbot 0.22 and earlier. Yet another reason to prioritize upgrading Ubuntu to the latest version.

Remove expired Let’s Encrypt root from Ubuntu 14.04

A best practice would be to remove the expired DST Root CA X3 root certificate from the OS truststore at /usr/local/share/ca-certificates. This is an optional step, as the OS and the certbot client should be able to construct the path to the newly installed Let’s Encrypt root, but we recommend doing it anyway. After deleting the .crt file from the ca-certificates directory, again run update-ca-certificates to reload the truststore without the expired root.
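An added example (not from the original post) for the cleanup step: it lists every expired root in a truststore directory, removes the one whose subject CN is DST Root CA X3, and reruns update-ca-certificates. It assumes openssl is installed and that it runs as root; the CN parser handles both the `subject= /O=.../CN=...` output of the OpenSSL 1.0.x shipped with 14.04 and the `CN = ...` output of newer OpenSSL.

```shell
#!/bin/sh
# Added example (not from the original post): audit a truststore directory for
# expired roots and remove the expired DST Root CA X3 by subject CN.
# Assumptions: openssl is installed and the script runs as root.
set -eu

CA_DIR="/usr/local/share/ca-certificates"   # directory named in the post
EXPIRED_CN="DST Root CA X3"

# Pull the CN out of an "openssl x509 -noout -subject" line.
# "subject= /O=Digital Signature Trust Co./CN=DST Root CA X3"  (OpenSSL 1.0.x)
# "subject=O = Digital Signature Trust Co., CN = DST Root CA X3" (OpenSSL 1.1+)
cn_from_subject() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *//p' | sed 's/[,/].*$//'
}

# True when the certificate in FILE is already past its notAfter date.
# -checkend 0 exits non-zero for an expired certificate.
is_expired() {
  ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Print "<path> <CN> <notAfter>" for every expired .crt in DIR (nothing if none).
list_expired() {
  dir="$1"
  for f in "$dir"/*.crt; do
    [ -f "$f" ] || continue
    if is_expired "$f"; then
      cn=$(cn_from_subject "$(openssl x509 -in "$f" -noout -subject)")
      printf '%s\t%s\t%s\n' "$f" "$cn" "$(openssl x509 -in "$f" -noout -enddate)"
    fi
  done
}

# Delete every expired .crt in DIR whose CN equals WANT, then rebuild the bundle
# so /etc/ssl/certs no longer carries the stale root. Unexpired certs with the
# same CN are left alone on purpose.
remove_expired_root() {
  dir="$1"; want="$2"; removed=0
  for f in "$dir"/*.crt; do
    [ -f "$f" ] || continue
    is_expired "$f" || continue
    cn=$(cn_from_subject "$(openssl x509 -in "$f" -noout -subject)")
    if [ "$cn" = "$want" ]; then
      echo "removing expired root '$want' at $f"
      rm -f "$f"
      removed=$((removed + 1))
    fi
  done
  if [ "$removed" -gt 0 ]; then
    update-ca-certificates          # reports "0 added, N removed" and rewrites the bundle
  fi
  echo "$removed"
}

# Run as: sh remove-expired-root.sh remove   (sourcing the file only defines the functions)
if [ "${1:-}" = "remove" ]; then
  list_expired "$CA_DIR"
  remove_expired_root "$CA_DIR" "$EXPIRED_CN"
fi
```

`list_expired` also works on /usr/share/ca-certificates/mozilla, where the ca-certificates package keeps its roots; a packaged root should not be deleted from that directory (the next package upgrade restores it) but deselected by prefixing its line in /etc/ca-certificates.conf with `!`, or with `dpkg-reconfigure ca-certificates`, before running update-ca-certificates again.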

Conclusion

To fix the certbot renewal of Let’s Encrypt certificates on older versions of Ubuntu such as 14.04, you simply need to trust the new Let’s Encrypt certificate in the OS trust store, located at /usr/local/share/ca-certificates.


Comments

  1. Brad says

    December 27, 2021 at 10:35 pm

    Thanks for explaining this plainly and clearly. This fix works on Ubuntu 16.04 as well.
