letsencrypt renewal failure "sslv3 alert bad record mac"
Gary Aitken
freebsd at dreamchaser.org
Wed Mar 11 21:13:54 UTC 2020
Previous renewals worked ok, but may have been under 10.3
11.2-RELEASE-p9 FreeBSD 11.2-RELEASE-p9
I know I need to upgrade to 11.3 but this seems not related to that.
Any help / pointers would be much appreciated.
certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /usr/local/etc/letsencrypt/renewal/dreamchaser.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for discoveriesinwood.com
http-01 challenge for dreamchaser.org
http-01 challenge for git.dreamchaser.org
http-01 challenge for www.discoveriesinwood.com
http-01 challenge for www.dreamchaser.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (dreamchaser.org) from /usr/local/etc/letsencrypt/renewal/dreamchaser.org.conf produced an unexpected error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad record mac')]. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/dreamchaser.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/usr/local/etc/letsencrypt/live/dreamchaser.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
The debug log shows the following exception:
2020-03-11 14:48:04,062:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 165, in _respond
    self._send_responses(aauthzrs, resp, chall_update)
  File "/usr/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 198, in _send_responses
    self.acme.answer_challenge(achall.challb, resp)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 158, in answer_challenge
    response = self._post(challb.uri, response)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1185, in post
    return self._post_once(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1201, in _post_once
    response = self._send_request('POST', url, data=data, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/acme/client.py", line 1101, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/site-packages/urllib3/connectionpool.py", line 380, in _make_request
    httplib_response = conn.getresponse(buffering=True)
  File "/usr/local/lib/python2.7/httplib.py", line 1121, in getresponse
    response.begin()
  File "/usr/local/lib/python2.7/httplib.py", line 438, in begin
    version, status, reason = self._read_status()
  File "/usr/local/lib/python2.7/httplib.py", line 394, in _read_status
    line = self.fp.readline(_MAXLINE + 1)
  File "/usr/local/lib/python2.7/socket.py", line 480, in readline
    data = self._sock.recv(self._rbufsize)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 274, in recv
    return self.recv(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/urllib3/contrib/pyopenssl.py", line 258, in recv
    data = self.connection.recv(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1783, in recv
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)