From: Gary Aitken
Reply-To: freebsd@dreamchaser.org
To: FreeBSD Mailing List
Subject: letsencrypt renewal failure "sslv3 alert bad record mac"
Date: Wed, 11 Mar 2020 14:11:59 -0600
Message-ID: <7e6cb54d-a38a-0772-01fb-01ebd4834c91@dreamchaser.org>

Previous renewals worked ok, but may have been under 10.3

11.2-RELEASE-p9
FreeBSD 11.2-RELEASE-p9

I know I need to upgrade to 11.3 but this seems not related to that.
Any help / pointers would be much appreciated.

certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/dreamchaser.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for discoveriesinwood.com
http-01 challenge for dreamchaser.org
http-01 challenge for git.dreamchaser.org
http-01 challenge for www.discoveriesinwood.com
http-01 challenge for www.dreamchaser.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (dreamchaser.org) from /usr/local/etc/letsencrypt/renewal/dreamchaser.org.conf produced an unexpected error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad record mac')]. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/dreamchaser.org/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /usr/local/etc/letsencrypt/live/dreamchaser.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

The debug log shows the following exception:

2020-03-11 14:48:04,062:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 165, in _respond
    self._send_responses(aauthzrs, resp, chall_update)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 198, in _send_responses
    self.acme.answer_challenge(achall.challb, resp)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 158, in answer_challenge
    response = self._post(challb.uri, response)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1185, in post
    return self._post_once(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1201, in _post_once
    response = self._send_request('POST', url, data=data, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1101, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 380, in _make_request
    httplib_response = conn.getresponse(buffering=True)
  File "/usr/local/lib/python2.7/httplib.py", line 1121, in getresponse
    response.begin()
  File "/usr/local/lib/python2.7/httplib.py", line 438, in begin
    version, status, reason = self._read_status()
  File "/usr/local/lib/python2.7/httplib.py", line 394, in _read_status
    line = self.fp.readline(_MAXLINE + 1)
  File "/usr/local/lib/python2.7/socket.py", line 480, in readline
    data = self._sock.recv(self._rbufsize)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 274, in recv
    return self.recv(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 258, in recv
    data = self.connection.recv(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1783, in recv
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)