outroll / vesta

VESTA Control Panel
http://vestacp.com
GNU General Public License v3.0

Automatic Let's Encrypt ssl renewal work? #2211

Open aslik4rahan opened 2 years ago

aslik4rahan commented 2 years ago

I use the last version, 1.0.0-5.

Cron admin@server1 sudo /usr/local/vesta/bin/v-update-letsencrypt-ssl

domain.com Error: Let's Encrypt nonce request status fail_counter = 2

How can I solve this problem? 8 days left before SSL expiry.

rix-lv commented 2 years ago

I have the same issue.

anton-reutov commented 2 years ago

What OS is on your server?

rix-lv commented 2 years ago

It is a rather old one, Ubuntu 12.04.

anton-reutov commented 2 years ago

Try this: apt-get install ca-certificates

rix-lv commented 2 years ago

Done, then rebooted, but it did not help. Error: Let's Encrypt nonce request status

anton-reutov commented 2 years ago

send me letsencrypt.log

rix-lv commented 2 years ago

[Mon Dec 20 16:03:47 EET 2021] : v-add-letsencrypt-domain il.lv.ua [www. il.lv.ua]
[Mon Dec 20 16:03:47 EET 2021] : v-add-letsencrypt-user id**i
[Mon Dec 20 16:03:47 EET 2021] : result: 0
[Mon Dec 20 16:03:47 EET 2021] : --- Requesting nonce / STEP 1 ---
[Mon Dec 20 16:03:47 EET 2021] : curl -s -I "https://acme-v02.api.letsencrypt.org/directory"
[Mon Dec 20 16:03:48 EET 2021] : answer=
[Mon Dec 20 16:03:48 EET 2021] : nonce=
[Mon Dec 20 16:03:48 EET 2021] : status=
[Mon Dec 20 16:03:48 EET 2021] : EXIT=Let's Encrypt nonce request status

[Mon Dec 20 16:14:04 EET 2021] : -add-letsencrypt-domain il.lv.ua [www. il.lv.ua]
[Mon Dec 20 16:14:04 EET 2021] : v-add-letsencrypt-user id**i
[Mon Dec 20 16:14:04 EET 2021] : result: 0
[Mon Dec 20 16:14:04 EET 2021] : --- Requesting nonce / STEP 1 ---
[Mon Dec 20 16:14:04 EET 2021] : curl -s -I "https://acme-v02.api.letsencrypt.org/directory"
[Mon Dec 20 16:14:04 EET 2021] : answer=
[Mon Dec 20 16:14:04 EET 2021] : nonce=
[Mon Dec 20 16:14:04 EET 2021] : status=
[Mon Dec 20 16:14:04 EET 2021] : EXIT=Let's Encrypt nonce request status

[Mon Dec 20 16:14:57 EET 2021] : -add-letsencrypt-domain il.lv.ua [www. il.lv.ua]
[Mon Dec 20 16:14:57 EET 2021] : v-add-letsencrypt-user id**i
[Mon Dec 20 16:14:57 EET 2021] : result: 0
[Mon Dec 20 16:14:57 EET 2021] : --- Requesting nonce / STEP 1 ---
[Mon Dec 20 16:14:57 EET 2021] : curl -s -I "https://acme-v02.api.letsencrypt.org/directory"
[Mon Dec 20 16:14:57 EET 2021] : answer=
[Mon Dec 20 16:14:57 EET 2021] : nonce=
[Mon Dec 20 16:14:57 EET 2021] : status=
[Mon Dec 20 16:14:57 EET 2021] : EXIT=Let's Encrypt nonce request status

anton-reutov commented 2 years ago

curl -I "https://acme-v02.api.letsencrypt.org/directory"

Send me the result of this command.

rix-lv commented 2 years ago

curl -I "https://acme-v02.api.letsencrypt.org/directory"
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

anton-reutov commented 2 years ago

It looks like you need to update your root CA certificates

apt-get update
sudo apt-get install ca-certificates -y
sudo update-ca-certificates

rix-lv commented 2 years ago

Done but with a lot of errors:

Ign http://archive.ubuntu.com precise Release.gpg
Ign http://archive.ubuntu.com precise-updates Release.gpg
Ign http://security.ubuntu.com precise-security Release.gpg
Ign http://archive.ubuntu.com precise Release
Ign http://security.ubuntu.com precise-security Release
Ign http://archive.ubuntu.com precise-updates Release
Ign http://security.ubuntu.com precise-security/main i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise/main i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise/universe i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise/main TranslationIndex
Ign http://archive.ubuntu.com precise/universe TranslationIndex
Ign http://security.ubuntu.com precise-security/main TranslationIndex
Ign http://archive.ubuntu.com precise-updates/main i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise-updates/universe i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise-updates/main TranslationIndex
Ign http://archive.ubuntu.com precise-updates/universe TranslationIndex
Err http://security.ubuntu.com precise-security/main i386 Packages 404 Not Found [IP: 91.189.88.142 80]
Ign http://security.ubuntu.com precise-security/main Translation-en
Err http://archive.ubuntu.com precise/main i386 Packages 404 Not Found [IP: 91.189.88.142 80]
Err http://archive.ubuntu.com precise/universe i386 Packages 404 Not Found [IP: 91.189.88.142 80]
Ign http://archive.ubuntu.com precise/main Translation-en
Ign http://archive.ubuntu.com precise/universe Translation-en
Err http://archive.ubuntu.com precise-updates/main i386 Packages 404 Not Found [IP: 91.189.88.142 80]
Err http://archive.ubuntu.com precise-updates/universe i386 Packages 404 Not Found [IP: 91.189.88.142 80]
Ign http://archive.ubuntu.com precise-updates/main Translation-en
Ign http://archive.ubuntu.com precise-updates/universe Translation-en
Hit http://apt.vestacp.com precise Release.gpg
Hit http://apt.vestacp.com precise Release
Hit http://apt.vestacp.com precise/vesta i386 Packages
Ign http://apt.vestacp.com precise/vesta TranslationIndex
Ign http://apt.vestacp.com precise/vesta Translation-en
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/precise-security/main/binary-i386/Packages 404 Not Found [IP: 91.189.88.142 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/main/binary-i386/Packages 404 Not Found [IP: 91.189.88.142 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/universe/binary-i386/Packages 404 Not Found [IP: 91.189.88.142 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise-updates/main/binary-i386/Packages 404 Not Found [IP: 91.189.88.142 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages 404 Not Found [IP: 91.189.88.142 80]

E: Some index files failed to download. They have been ignored, or old ones used instead.

sudo apt-get install ca-certificates -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.

sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

anton-reutov commented 2 years ago

run this and try again

sudo apt-get clean
sudo apt-get autoclean
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install ca-certificates -y
sudo update-ca-certificates

rix-lv commented 2 years ago

Done but still no result:

root@idl:~# sudo apt-get clean
root@idl:~# sudo apt autoclean
sudo: apt: command not found
root@idl:~# sudo apt-get autoclean
Reading package lists... Done
Building dependency tree
Reading state information... Done
root@idl:~# sudo apt-get update
Ign http://security.ubuntu.com precise-security Release.gpg
Ign http://archive.ubuntu.com precise Release.gpg
Ign http://archive.ubuntu.com precise-updates Release.gpg
Ign http://security.ubuntu.com precise-security Release
Ign http://archive.ubuntu.com precise Release
Ign http://security.ubuntu.com precise-security/main i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise-updates Release
Ign http://security.ubuntu.com precise-security/main TranslationIndex
Ign http://archive.ubuntu.com precise/main i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise/universe i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise/main TranslationIndex
Ign http://archive.ubuntu.com precise/universe TranslationIndex
Ign http://archive.ubuntu.com precise-updates/main i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise-updates/universe i386 Packages/DiffIndex
Ign http://archive.ubuntu.com precise-updates/main TranslationIndex
Ign http://archive.ubuntu.com precise-updates/universe TranslationIndex
Err http://archive.ubuntu.com precise/main i386 Packages 404 Not Found [IP: 91.189.88.152 80]
Err http://archive.ubuntu.com precise/universe i386 Packages 404 Not Found [IP: 91.189.88.152 80]
Ign http://archive.ubuntu.com precise/main Translation-en_US
Ign http://archive.ubuntu.com precise/main Translation-en
Ign http://archive.ubuntu.com precise/universe Translation-en_US
Ign http://archive.ubuntu.com precise/universe Translation-en
Err http://archive.ubuntu.com precise-updates/main i386 Packages 404 Not Found [IP: 91.189.88.152 80]
Err http://archive.ubuntu.com precise-updates/universe i386 Packages 404 Not Found [IP: 91.189.88.152 80]
Ign http://archive.ubuntu.com precise-updates/main Translation-en_US
Ign http://archive.ubuntu.com precise-updates/main Translation-en
Ign http://archive.ubuntu.com precise-updates/universe Translation-en_US
Ign http://archive.ubuntu.com precise-updates/universe Translation-en
Err http://security.ubuntu.com precise-security/main i386 Packages 404 Not Found [IP: 91.189.88.152 80]
Ign http://security.ubuntu.com precise-security/main Translation-en_US
Ign http://security.ubuntu.com precise-security/main Translation-en
Hit http://apt.vestacp.com precise Release.gpg
Hit http://apt.vestacp.com precise Release
Hit http://apt.vestacp.com precise/vesta i386 Packages
Ign http://apt.vestacp.com precise/vesta TranslationIndex
Ign http://apt.vestacp.com precise/vesta Translation-en_US
Ign http://apt.vestacp.com precise/vesta Translation-en
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/precise-security/main/binary-i386/Packages 404 Not Found [IP: 91.189.88.152 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/main/binary-i386/Packages 404 Not Found [IP: 91.189.88.152 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise/universe/binary-i386/Packages 404 Not Found [IP: 91.189.88.152 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise-updates/main/binary-i386/Packages 404 Not Found [IP: 91.189.88.152 80]

W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/precise-updates/universe/binary-i386/Packages 404 Not Found [IP: 91.189.88.152 80]

E: Some index files failed to download. They have been ignored, or old ones used instead.
root@idl:~# sudo apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
linux-image-virtual ubuntu-minimal
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
root@idl:~# sudo apt-get install ca-certificates -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.
root@idl:~# sudo apt-get update-ca-certificates
E: Invalid operation update-ca-certificates
root@idl:~# sudo apt-get update ca-certificates
E: The update command takes no arguments
root@idl:~# sudo update ca-certificates
sudo: update: command not found
root@idl:~# sudo update-ca-certificates
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.
root@id***l:~# reboot

After that I still get the same error: Error: Let's Encrypt nonce request status

rix-lv commented 2 years ago

Any ideas how to solve the problem?

aslik4rahan commented 2 years ago

Any ideas how to solve the problem?

I couldn't solve the problem either. For now I have forwarded DNS to Cloudflare for SSL.

mix5003 commented 2 years ago

Ubuntu 12.04 is end of life now, so the apt command may not work. I think the root cause of this problem is that the old Let's Encrypt certificate has now expired, so I think you should manually add the new cert to your OS.

try this command as root

mkdir /usr/local/share/ca-certificates/letsencrypt
chmod 0755 /usr/local/share/ca-certificates/letsencrypt
cd /usr/local/share/ca-certificates/letsencrypt

# If wget does not work, download the file manually and use a text editor to put the same content into the file 'isrgrootx1.crt'
wget -O isrgrootx1.crt "https://letsencrypt.org/certs/isrgrootx1.pem"
chmod 0644 isrgrootx1.crt

update-ca-certificates

benyaminl commented 2 years ago

I got a pending error even after the challenge fired.

root@foo:/# curl -I "https://acme-v02.api.letsencrypt.org/directory"
HTTP/2 200
server: nginx
date: Wed, 22 Dec 2021 17:17:48 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0001zR7h-VyrsHasfkDS7zSuEplc4VJfsiSLbwAuHGxM7y0
x-frame-options: DENY
strict-transport-security: max-age=604800

But the problem is that it keeps trying challenge v3, but it stays pending. See the log:

[Thu Dec 23 00:15:35 WIB 2021] : v-add-letsencrypt-domain sutindoproject.com [www.sutindoproject.com]
[Thu Dec 23 00:15:35 WIB 2021] : v-add-letsencrypt-user sutindo
[Thu Dec 23 00:15:35 WIB 2021] : result: 0
[Thu Dec 23 00:15:35 WIB 2021] : --- Requesting nonce / STEP 1 ---
[Thu Dec 23 00:15:35 WIB 2021] : curl -s -I "https://acme-v02.api.letsencrypt.org/directory"
[Thu Dec 23 00:15:36 WIB 2021] : answer=HTTP/2 200 ^M
server: nginx^M
date: Wed, 22 Dec 2021 17:15:36 GMT^M
content-type: application/json^M
content-length: 658^M
cache-control: public, max-age=0, no-cache^M
replay-nonce: 0101OhtwXCzHluerT-KmId9_fNLvijTupA-XTTB_D-A_h8o^M
x-frame-options: DENY^M
strict-transport-security: max-age=604800^M
^M
[Thu Dec 23 00:15:36 WIB 2021] : nonce=0101OhtwXCzHluerT-KmId9_fNLvijTupA-XTTB_D-A_h8o
[Thu Dec 23 00:15:36 WIB 2021] : status=200
[Thu Dec 23 00:15:36 WIB 2021] : --- Placing new order / STEP 2 ---
[Thu Dec 23 00:15:36 WIB 2021] : payload={"identifiers":[{"type":"dns","value":"sutindoproject.com"},{"type":"dns","value":"www.sutindoproject.com"}]}
[Thu Dec 23 00:15:36 WIB 2021] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/new-order" "{"identifiers":[{"type":"dns","value":"sutindoproject.com"},{"type":"dns","value":"www.sutindoproject.com"}]}" "0101OhtwXCzHluerT-KmId9_fNLvijTupA-XTTB_D-A_h8o"
[Thu Dec 23 00:15:37 WIB 2021] : answer=HTTP/2 201 ^M
server: nginx^M
date: Wed, 22 Dec 2021 17:15:36 GMT^M
content-type: application/json^M
content-length: 485^M
boulder-requester: 102219429^M
cache-control: public, max-age=0, no-cache^M
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"^M
location: https://acme-v02.api.letsencrypt.org/acme/order/102219429/49329879470^M
replay-nonce: 0001-Pdqz3NGl9CUnijmOU3YBjjSGC-C5fyE7KpHMiFspMM^M
x-frame-options: DENY^M
strict-transport-security: max-age=604800^M
^M
{
  "status": "pending",
  "expires": "2021-12-29T00:15:04Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "sutindoproject.com"
    },
    {
      "type": "dns",
      "value": "www.sutindoproject.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/60775621030",
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/60776840740"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/102219429/49329879470"
}
[Thu Dec 23 00:15:37 WIB 2021] : nonce=0001-Pdqz3NGl9CUnijmOU3YBjjSGC-C5fyE7KpHMiFspMM
[Thu Dec 23 00:15:37 WIB 2021] : authz=https://acme-v02.api.letsencrypt.org/acme/authz-v3/60775621030
https://acme-v02.api.letsencrypt.org/acme/authz-v3/60776840740
[Thu Dec 23 00:15:37 WIB 2021] : finalize=https://acme-v02.api.letsencrypt.org/acme/finalize/102219429/49329879470
[Thu Dec 23 00:15:37 WIB 2021] : status=201
[Thu Dec 23 00:15:37 WIB 2021] : --- Requesting authorization token / STEP 3 ---
[Thu Dec 23 00:15:37 WIB 2021] : for auth=https://acme-v02.api.letsencrypt.org/acme/authz-v3/60775621030
[Thu Dec 23 00:15:37 WIB 2021] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/authz-v3/60775621030" "" "0001-Pdqz3NGl9CUnijmOU3YBjjSGC-C5fyE7KpHMiFspMM"
[Thu Dec 23 00:15:37 WIB 2021] : answer=HTTP/2 200 ^M
server: nginx^M
date: Wed, 22 Dec 2021 17:15:37 GMT^M
content-type: application/json^M
content-length: 799^M
boulder-requester: 102219429^M
cache-control: public, max-age=0, no-cache^M
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"^M
replay-nonce: 0002hLkEHm8Kgl8mdQvt3oZNtHdkVMaHL31flxwF-tHN0C0^M
x-frame-options: DENY^M
strict-transport-security: max-age=604800^M
^M
{
  "identifier": {
    "type": "dns",
    "value": "sutindoproject.com"
  },
  "status": "pending",
  "expires": "2021-12-29T00:15:04Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/60775621030/lgkchg",
      "token": "Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/60775621030/uQ3XyQ",
      "token": "Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/60775621030/vc5BoA",
      "token": "Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc"
    }
  ]
}
[Thu Dec 23 00:15:37 WIB 2021] : url=https://acme-v02.api.letsencrypt.org/acme/chall-v3/60775621030/lgkchg
Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc
[Thu Dec 23 00:15:37 WIB 2021] : token=Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc
[Thu Dec 23 00:15:37 WIB 2021] : nonce=0002hLkEHm8Kgl8mdQvt3oZNtHdkVMaHL31flxwF-tHN0C0
[Thu Dec 23 00:15:37 WIB 2021] : status=200
[Thu Dec 23 00:15:37 WIB 2021] : --- Configuring challenge / STEP 4 ---
[Thu Dec 23 00:15:37 WIB 2021] : wildcard=
[Thu Dec 23 00:15:37 WIB 2021] : in /home/sutindo/web/sutindoproject.com/public_html/.well-known/acme-challenge/Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc we put: Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc.gAVnVhIT83yMuI2eEkpJYAU5OVPZYsqVEobCa1lC_gA
[Thu Dec 23 00:15:37 WIB 2021] : --- Requesting ACME validation / STEP 5 ---
[Thu Dec 23 00:15:37 WIB 2021] : validation_check=
[Thu Dec 23 00:15:37 WIB 2021] : - Doing pol check on status
[Thu Dec 23 00:15:37 WIB 2021] : query_le_v2 "https://acme-v02.api.letsencrypt.org/acme/chall-v3/60775621030/lgkchg
Urk4v9QcogPe1I_00ojkFkzb5Sb0jWOjtKGburlrsJc" "{}" "0002hLkEHm8Kgl8mdQvt3oZNtHdkVMaHL31flxwF-tHN0C0"
[Thu Dec 23 00:15:37 WIB 2021] : answer=
[Thu Dec 23 00:15:37 WIB 2021] : validation=
[Thu Dec 23 00:15:37 WIB 2021] : nonce=
[Thu Dec 23 00:15:37 WIB 2021] : status=
[Thu Dec 23 00:15:37 WIB 2021] : EXIT=Let's Encrypt validation status

I hope this log helps, @anton-reutov
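
An added example, not part of the thread or of Vesta's code: a triage pass over a `letsencrypt.log` in the format posted above. For each failed run it reports the step active at `EXIT=`, whether the last `answer=` was empty (`curl -s` prints nothing on a TLS or transport failure, as in the STEP 1 logs), and whether a `url=` value spilled onto a second line (as in the STEP 3 output). The function names and the sample log are constructed for the example.

```shell
#!/bin/sh
# Added example: triage for a Vesta letsencrypt.log in the format shown above.

le_log_triage() {
    # Reads log files given as arguments, or stdin when none are given.
    awk '
        BEGIN { step = "?" }
        {
            i = index($0, "] : ")
            if (substr($0, 1, 1) != "[" || i == 0) {
                # No timestamp prefix: continuation of the previous value.
                if (last_key == "url") url_multiline = 1
                next
            }
            msg = substr($0, i + 4)
        }
        msg ~ /^--- .* STEP [0-9]+ ---/ {
            step = msg
            sub(/^.*STEP /, "", step)
            sub(/ .*$/, "", step)
            # STEP 1 starts a new run: forget flags from a previous run.
            if (step == "1") { empty = 0; url_multiline = 0 }
            last_key = "step"
            next
        }
        msg ~ /^EXIT=/ {
            printf "step=%s empty_answer=%s url_multiline=%s exit=%s\n",
                step, (empty ? "yes" : "no"),
                (url_multiline ? "yes" : "no"), substr(msg, 6)
            step = "?"; empty = 0; url_multiline = 0; last_key = ""
            next
        }
        {
            # Key is the text before the first "=" (whole line if none).
            key = msg
            sub(/[=].*$/, "", key)
            last_key = key
            if (key == "answer") empty = (msg == "answer=")
        }
    ' "$@"
}

# Constructed sample modelled on the two failure shapes in this thread.
sample_log() {
    cat <<'EOF'
[Mon Dec 20 16:03:47 EET 2021] : v-add-letsencrypt-domain example.com [www.example.com]
[Mon Dec 20 16:03:47 EET 2021] : --- Requesting nonce / STEP 1 ---
[Mon Dec 20 16:03:47 EET 2021] : curl -s -I "https://acme-v02.api.letsencrypt.org/directory"
[Mon Dec 20 16:03:48 EET 2021] : answer=
[Mon Dec 20 16:03:48 EET 2021] : nonce=
[Mon Dec 20 16:03:48 EET 2021] : status=
[Mon Dec 20 16:03:48 EET 2021] : EXIT=Let's Encrypt nonce request status
[Thu Dec 23 00:15:35 WIB 2021] : --- Requesting nonce / STEP 1 ---
[Thu Dec 23 00:15:36 WIB 2021] : answer=HTTP/2 200
server: nginx
[Thu Dec 23 00:15:36 WIB 2021] : status=200
[Thu Dec 23 00:15:37 WIB 2021] : --- Requesting authorization token / STEP 3 ---
[Thu Dec 23 00:15:37 WIB 2021] : url=https://acme.invalid/chall/CONSTRUCTED
CONSTRUCTED_TOKEN
[Thu Dec 23 00:15:37 WIB 2021] : token=CONSTRUCTED_TOKEN
[Thu Dec 23 00:15:37 WIB 2021] : --- Requesting ACME validation / STEP 5 ---
[Thu Dec 23 00:15:37 WIB 2021] : answer=
[Thu Dec 23 00:15:37 WIB 2021] : EXIT=Let's Encrypt validation status
EOF
}

sample_log | le_log_triage
```

An empty answer at STEP 1 is the cue to rerun the logged `curl` command without `-s`, which is what surfaced the `curl: (60)` verification error earlier in the thread.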

aslik4rahan commented 2 years ago

For years, I have been using automatic ssl with the old version of vesta without any problems, unfortunately there was a problem after the update.

hopefully it will be considered as a problem and fixed in the next update

benyaminl commented 2 years ago

For years, I have been using automatic ssl with the old version of vesta without any problems, unfortunately there was a problem after the update.

There's a change from v1 to v2, please wait, okay? Also, Ubuntu 12.04 is not supported anymore; it's already 4 years past EOL. You should migrate to Ubuntu 18.04 or 20.04.

mix5003 commented 2 years ago

For years, I have been using automatic ssl with the old version of vesta without any problems, unfortunately there was a problem after the update.

hopefully it will be considered as a problem and fixed in the next update

The old Let's Encrypt root cert expired in Sep 2021, so if you were lucky enough to renew in Sep 2021, the problem will show up in Sep + 3 months = about Dec 2021. I think this is not VestaCP's fault. More info about the Let's Encrypt root cert expiry: https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

aslik4rahan commented 2 years ago

For years, I have been using automatic ssl with the old version of vesta without any problems, unfortunately there was a problem after the update.

There's a change from v1 to v2, please wait, okay? Also, Ubuntu 12.04 is not supported anymore; it's already 4 years past EOL. You should migrate to Ubuntu 18.04 or 20.04.

My server is Ubuntu 14.04 (x86_64); isn't it supported? Also, as far as I know, Vesta doesn't work on Ubuntu 20.

mix5003 commented 2 years ago

My server is Ubuntu 14.04 (x86_64); isn't it supported? Also, as far as I know, Vesta doesn't work on Ubuntu 20.

From the wiki: 14.04 is now end of life too, so that Ubuntu version may not work either (due to the root certificate issue, and you cannot update the trust store from the apt command).

I am not sure whether VestaCP supports Ubuntu 20 or not, but it seems Ubuntu 18.04 works fine and I can use Let's Encrypt normally.

benyaminl commented 2 years ago

My server is Ubuntu 14.04 (x86_64); isn't it supported? Also, as far as I know, Vesta doesn't work on Ubuntu 20.

From the wiki: 14.04 is now end of life too, so that Ubuntu version may not work either (due to the root certificate issue, and you cannot update the trust store from the apt command).

I am not sure whether VestaCP supports Ubuntu 20 or not, but it seems Ubuntu 18.04 works fine and I can use Let's Encrypt normally.

Ubuntu 20.04 is on the way. As I remember, 1.0 is the stepping stone for it.

rix-lv commented 2 years ago

Ubuntu 12.04 is end of life now, so the apt command may not work. I think the root cause of this problem is that the old Let's Encrypt certificate has now expired, so I think you should manually add the new cert to your OS.

try this command as root

mkdir /usr/local/share/ca-certificates/letsencrypt
chmod 0755 /usr/local/share/ca-certificates/letsencrypt
cd /usr/local/share/ca-certificates/letsencrypt

# If wget does not work, download the file manually and use a text editor to put the same content into the file 'isrgrootx1.crt'
wget -O isrgrootx1.crt "https://letsencrypt.org/certs/isrgrootx1.pem"
chmod 0644 isrgrootx1.crt

update-ca-certificates

This is the solution for an old Ubuntu. Great thanks!!!
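
The manual trust-store fix above fetches a root certificate onto a host whose own TLS verification is failing, so that host cannot authenticate the download. As an added example (not part of the thread or of Vesta), this checks the file before it is added to the trust store; `cert_sha256`, `check_root_cert` and `install_root_cert` are names made up for the example, and the expected SHA-256 fingerprint is an argument that has to be obtained on a machine with a working trust store.

```shell
#!/bin/sh
# Added example: vet a downloaded root certificate before trusting it.

cert_sha256() {
    # Print the SHA-256 fingerprint as lowercase hex without colons.
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

check_root_cert() {
    # $1 = PEM file, $2 = expected SHA-256 fingerprint (colons optional).
    cert=$1
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'A-F' 'a-f')

    # 1. The file must parse as an X.509 certificate.
    actual=$(cert_sha256 "$cert")
    [ -n "$actual" ] || { echo "not a parseable certificate"; return 1; }

    # 2. The fingerprint must match the value obtained out of band.
    [ "$actual" = "$expected" ] || { echo "fingerprint mismatch: $actual"; return 1; }

    # 3. A root certificate is self-issued: subject equals issuer.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] || { echo "not self-issued"; return 1; }

    # 4. It must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired"; return 1; }

    echo "ok"
}

install_root_cert() {
    # Same destination as the commands in the thread, gated on the checks.
    check_root_cert "$1" "$2" || return 1
    dir=/usr/local/share/ca-certificates/letsencrypt
    mkdir -p "$dir" && chmod 0755 "$dir"
    install -m 0644 "$1" "$dir/isrgrootx1.crt"
    update-ca-certificates
}

# Usage: sh thisfile.sh isrgrootx1.crt "<fingerprint obtained out of band>"
if [ "$#" -eq 2 ]; then
    check_root_cert "$1" "$2"
fi
```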