onixsib / esxi-letsencrypt

Scripts to automate renewal of a Let's Encrypt SSL certificate on a VMware ESXi host

certificate verify failed on esxi 6.5 #1

Open vitalybondarenko opened 2 years ago

vitalybondarenko commented 2 years ago

When running certificate generation, I get an error like:

```
[root@esxi:/etc/vmware/ssl] /usr/bin/python /opt/acme-tiny/acme_tiny.py --account-key /etc/vmware/ssl/account.key --csr /etc/vmware/ssl/letsencrypt.csr --acme-dir /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge > /etc/vmware/ssl/letsencrypt.crt
Parsing account key...
Parsing CSR...
Found domains: esxi-...
Getting directory...
Traceback (most recent call last):
  File "/opt/acme-tiny/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/opt/acme-tiny/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "/opt/acme-tiny/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/opt/acme-tiny/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:728)>
```

Same error with disabled firewall.

onixsib commented 2 years ago

Does the directory /usr/lib/vmware/hostd/docroot/.well-known/acme-challenge exist on your system? Did you create it?

vitalybondarenko commented 2 years ago

Yes, that directory exists.

Looks like a problem with openssl 1.0.1az and the new certificate chain used by Let's Encrypt.

`wget https://acme-v02.api.letsencrypt.org/directory` gives an error, while the same command with `--no-check-certificate` works as expected.

vitalybondarenko commented 2 years ago

I managed to work around this particular issue by disabling the certificate check in acme_tiny.py. But another blocker is that the ESXi host should be transparently published to the internet to allow all Let's Encrypt verifications to pass. If it is not published, configuring proxies complicates the process a lot...
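The workaround above turns certificate verification off for the whole ACME exchange. An added example (not code from this repository or from acme-tiny) of the alternative a defender would prefer: keep verification on and hand urllib an explicit CA bundle holding the root that Let's Encrypt's current chain terminates in, so an outdated system trust store on the ESXi host does not force a downgrade. The bundle path `/etc/vmware/ssl/letsencrypt-roots.pem` is an assumption; the directory URL and the error string are the ones from the issue.

```python
"""Verified ACME directory fetch with a pinned CA bundle (added example).

Instead of disabling the certificate check, the operator places the trusted
root(s) in a PEM file and verification is enforced against that file only.
Every failure path raises; nothing silently falls back to an unverified fetch.
"""
import json
import os
import ssl
import urllib.request

ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"  # from the issue
CA_BUNDLE = "/etc/vmware/ssl/letsencrypt-roots.pem"  # assumed path, not from the page


def count_pem_certs(pem_text):
    """Number of CERTIFICATE blocks in a PEM bundle; a sanity check before loading."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")


def verified_context(cafile):
    """Build a TLS context that trusts *cafile* only, with hostname checking on.

    Fails closed: a missing or empty bundle raises rather than degrading to
    the (possibly stale) system store or to an unverified connection.
    """
    if not os.path.isfile(cafile):
        raise FileNotFoundError("CA bundle not found: %s" % cafile)
    with open(cafile, "r") as fh:
        if count_pem_certs(fh.read()) == 0:
            raise ValueError("no CERTIFICATE block in %s" % cafile)
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def is_verify_failure(exc):
    """True when an exception text is the chain-validation error seen in the issue."""
    return "CERTIFICATE_VERIFY_FAILED" in str(exc)


def fetch_directory(url=ACME_DIRECTORY, cafile=CA_BUNDLE):
    """Fetch the ACME directory JSON with verification enforced."""
    req = urllib.request.Request(url, headers={"User-Agent": "esxi-letsencrypt-example"})
    with urllib.request.urlopen(req, context=verified_context(cafile), timeout=20) as resp:
        return json.loads(resp.read().decode("utf8"))
```

If `fetch_directory` still raises a verify failure with the bundle in place, the bundle lacks the root the server chain ends in; fix the bundle rather than turning verification off.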