OpenSSL error when running ssl_certificates.py

Hi,

I am getting an error when running management/ssl_certificates.py, either manually or via the daily cronjob. This has caused my SSL certs to expire whilst I was on holiday, and now I can’t access the web admin interface.

I’ve read and followed the fixes for all the other letsencrypt issues I’ve seen on Discourse and the GitHub issue tracker (involving removing the apt-installed python3-openssl, and making sure that there is only one pip3-installed version of pyOpenSSL), and am still getting the same error. The specific message is something to do with openssl, but I’ve not found anything useful by searching for that string.

root@example:/home/ubuntu/mailinabox# management/ssl_certificates.py -v
> Reading account key from /home/user-data/ssl/lets_encrypt/account.pem.
> Validating existing account saved to /home/user-data/ssl/lets_encrypt/registration.json.
> Reusing existing challenges for example.com.
> The challenges for example.com have been accepted.
  [-- The previous two lines repeat for each of my domains --]
> Generating a new certificate signing request.
> Requesting a certificate.
Traceback (most recent call last):
  File "management/ssl_certificates.py", line 809, in <module>
    provision_certificates_cmdline()
  [-- snip stack trace --]
  File "/usr/local/lib/python3.4/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_D2I_EX_PRIMITIVE', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('rsa routines', 'OLD_RSA_PRIV_DECODE', 'RSA lib')]
Exception ignored in: <bound method ClientNetwork.__del__ of <acme.client.ClientNetwork object at 0x7fa19a74edd8>>
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 518, in __del__
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 689, in close
  File "/usr/lib/python3.4/_collections_abc.py", line 512, in __iter__
  File "/usr/lib/python3.4/collections/__init__.py", line 91, in __iter__
ReferenceError: weakly-referenced object no longer exists

I tried updating my install from latest master and that didn’t change the error messages either. Has anyone else seen a similar error?

Looking at the mail from the daily_tasks.sh failures, I also think I’ll be running into the letsencrypt rate limit at some point, as it seems to have been requesting the certificate daily for the past week or so.

More info:

root@example:/home/ubuntu/mailinabox# pip3 freeze | egrep "cryptography|pyOpenSSL|free-tls"
cryptography==1.8.1
free-tls-certificates==0.1.6
pyOpenSSL==16.2.0

Cheers,

Dave

I tried running against the Let’s Encrypt staging server as described in TLS Certificate Auto-Renewal but got the same openssl error.

I built a new mailserver and rsynced /home/user-data across to it, then re-ran setup.

This initially failed due to owncloud install issues, so I commented that out and re-ran startup.

This also failed at the LetsEncrypt stage with the same error:

OpenSSL.SSL.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_D2I_EX_PRIMITIVE', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('rsa routines', 'OLD_RSA_PRIV_DECODE', 'RSA lib')]

I tried running management/ssl_certificates.py for some individual domains, and got the same error.

Then I removed the /home/user-data/ssl/ directory completely and re-ran setup. This failed with a different error.

In desperation I ran management/ssl_certificates.py for my mailserver domain and that worked, at which point I was able to use the web admin interface again. Then I used the web UI to generate the missing SSL certs.

At this point, it all seems to be working again. I’m not sure what step made things work this time - I’d removed /home/user-data/ssl/ on my original mailserver and that didn’t get things working.