Could it be a date/time issue with your system? Try resynching your date/time info. Maybe I did not read the log and maybe you’ve already tried this, but this will cause cert problems, so be sure everything with date/time is correct on the system. Just try it: set the time zone and sync the time on the server for kicks and see if that works. It is always something I try with cert issues.
What errors do you get?
The curl request earlier should have given us a clue if time was the problem.
Always good to check that. I had already confirmed that.
I found something interesting. On this system, in /etc/letsencrypt/renewal, the conf files don’t show anything under [[webroot_map]]. Others working on other systems show the server aliases.
Perhaps these missing maps are causing LetsEncrypt to be lost?
Eureka! Fixed.
Letsencrypt is pretty convoluted. Certs are IMHO spread around. I suppose to be cross platform maybe they needed to do it this way?
Meanwhile, searching and searching on Letsencrypt forums, I kept finding conflicting information. It was said all over the place that the hostname requires a legit cert. In fact it does not, as Joe has said. The info before Joe’s comment led me down a lot of wrong paths.
I finally stumbled onto this curl command which gave me the answer.
curl -I https://acme-v02.api.letsencrypt.org
This returned:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Comparing this server with others, I found that on Rocky Linux, in /etc/pki/tls/certs/ there should be this symbolic link:
ca-bundle.crt → /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
I had missed this during earlier work as my interface doesn’t show links using ls but instead only with ls -l.
I copied a tls-ca-bundle.pem from a different system, even though I don’t think I needed to. I recreated the link and boom!!! It all started working.
More than likely I broke this years ago when installing the Sectigo cert.
I do wish the logging for Letsencrypt was less cryptic. I was just about to build a new system and move everyone there. I’ve never had to do that due to a malfunction.
Thanks so much for everyone’s input on this issue. I hope that my findings may help someone else.
This was a very tricky problem.
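As an added example (not code from the thread or from Let's Encrypt), here is a small POSIX shell script that turns the poster's two findings into repeatable checks: whether the ca-bundle.crt symlink exists and points at the extracted trust bundle, and whether the same curl -I probe against the ACME endpoint still fails with exit code 60. The paths and URL are the ones quoted above; the function names, the --run flag and the sample bundle used in testing are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two checks the poster used
# to diagnose the broken CA trust store on Rocky Linux.
# Assumptions: CA_LINK and CA_TARGET are the paths quoted in the post; ACME_URL
# is the endpoint from the poster's curl command. Function names are mine.

CA_LINK="${CA_LINK:-/etc/pki/tls/certs/ca-bundle.crt}"
CA_TARGET="${CA_TARGET:-/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem}"
ACME_URL="${ACME_URL:-https://acme-v02.api.letsencrypt.org}"

# check_ca_link LINK TARGET
# Returns 0 when LINK is a symlink whose target string equals TARGET and TARGET
# holds at least one PEM certificate; returns 1 (with a reason on stderr) otherwise.
# A plain 'ls' hides the arrow; 'ls -l' or readlink is what exposes the link.
check_ca_link() {
    link="$1"
    target="$2"
    if [ ! -L "$link" ]; then
        echo "MISSING: $link is not a symbolic link" >&2
        return 1
    fi
    actual=$(readlink "$link")
    if [ "$actual" != "$target" ]; then
        echo "WRONG TARGET: $link -> $actual (expected $target)" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$target" 2>/dev/null; then
        echo "EMPTY: $target has no certificates (is the link dangling?)" >&2
        return 1
    fi
    echo "OK: $link -> $target"
    return 0
}

# check_acme_reachable URL
# Repeats the poster's 'curl -I' probe. curl exit code 60 is the signature of a
# trust-store problem: the server presented a chain, but no local CA validated it.
check_acme_reachable() {
    url="$1"
    if curl -sSI --max-time 15 "$url" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)  echo "OK: TLS handshake with $url verified" ;;
        60) echo "TRUST FAILURE: curl exit 60 against $url (unable to get local issuer certificate)" >&2 ;;
        *)  echo "OTHER: curl exit $rc against $url (network/DNS/time, not necessarily trust)" >&2 ;;
    esac
    return "$rc"
}

# main: run both checks and print the repair the poster applied (recreating the link).
main() {
    status=0
    check_ca_link "$CA_LINK" "$CA_TARGET" || status=1
    check_acme_reachable "$ACME_URL" || status=1
    if [ "$status" -ne 0 ]; then
        echo "Suggested repair (as root): ln -sfn $CA_TARGET $CA_LINK" >&2
    fi
    return "$status"
}

# Only run the live checks when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh ca-check.sh --run` on the affected host; a non-zero exit with a "MISSING" or "WRONG TARGET" line reproduces the poster's situation, while "OTHER" with a different curl code points away from the trust store (clock, DNS, firewall). If the target bundle itself is absent rather than just the link, `update-ca-trust` on RHEL-family systems regenerates the files under /etc/pki/ca-trust/extracted.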
Thank you very much. (Especially with the whole workaround, it will help a lot of members.)
Good find indeed