Error DECRYPTION_FAILED_OR_BAD_RECORD_MAC on PKI commit

Hello,

I am attempting to get a certificate from a Step-CA server. I am getting an error when I try to commit the configuration.

First I imported the CA’s root certificate to /usr/local/share/ca-certificates, and ran update-ca-certificates to update the global certificate store.

I also imported it into the VyOS PKI mainly because I am not sure whether that’s separate from the OS default. So the configuration looks like:

[edit]
ladmin@jupiter# show pki
 ca Example_CA_Root {
     certificate MIICAzCCAamgAwIB...
     description "Example Certificate Authority"
 }
+certificate jupiter {
+    acme {
+        domain-name jupiter.example.ht
+        email pclerie@example.ht
+        listen-address 172.28.0.2
+        url https://alnitak.example.ht/acme/ACME/directory
+    }
+}

certbot does not use the OS certificate store so it needs to know where to get that internal CA certificate. It requires the environment variable REQUESTS_CA_BUNDLE, which I put in /etc/environment to ensure it is always present.

REQUESTS_CA_BUNDLE='example_ca_root.pem'

I restarted VyOS and confirmed that this parameter was present in the environment.

When I try to commit the config, I get a DECRYPTION_FAILED_OR_BAD_RECORD_MAC error:

ladmin@jupiter# sudo certbot certonly --config-dir /config/auth/letsencrypt/ --cert-name jupiter.example.ht --standalone --agree-tos --no-eff-email --expand --server https://alnitak.example.ht/acme/ACME/directory --email pclerie@example.ht --http-01-address 172.28.0.2 --domain jupiter.example.ht --verbose
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for jupiter.example.ht
Performing the following challenges:
http-01 challenge for jupiter.example.ht
Cleaning up challenges
An unexpected error occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='alnitak.example.ht', port=443): Max retries exceeded with url: /acme/ACME/challenge/EOg9aMSxFJIAuCVeR8fKaFwK0K9lOLwy/7lOTP3DQlInLbc5Gcs2UDIbRuAVs7Ais (Caused by SSLError(SSLError(1, '[SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:2546)')))

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Checking with Google, it seems that this may be an indication that certbot is not finding the CA root.

I am stumped. Help would be greatly appreciated!

Thanks
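A pre-commit check for the setup described above, added here as an example and not VyOS's or certbot's own code. It takes the ACME directory URL and the REQUESTS_CA_BUNDLE value from the post, flags a bundle path that is relative (certbot's `requests` library resolves it against the certbot process's working directory, not the shell's) or not PEM, and then tells apart a chain that the bundle does not verify from a handshake that fails for some other reason, which is the distinction that matters when reading the error above.

```python
"""Check a REQUESTS_CA_BUNDLE value and the TLS handshake to an internal ACME CA."""
import os
import socket
import ssl
from urllib.parse import urlparse

# URL from the original post (hostname is the poster's, not a real target).
ACME_DIRECTORY = "https://alnitak.example.ht/acme/ACME/directory"


def bundle_problems(path, content=None):
    """Return reasons why `path` cannot work as REQUESTS_CA_BUNDLE.

    `content` lets the caller pass the file text directly (offline checks);
    otherwise the file at `path` is read from disk.
    """
    problems = []
    if not os.path.isabs(path):
        # A relative path is resolved against the working directory of the
        # process that reads it, which during a VyOS commit is not the shell's.
        problems.append("path is relative; use an absolute path")
    if content is None:
        if not os.path.isfile(path):
            return problems + ["file does not exist"]
        with open(path, encoding="ascii", errors="replace") as fh:
            content = fh.read()
    if "-----BEGIN CERTIFICATE-----" not in content:
        problems.append("file is not a PEM certificate (no BEGIN CERTIFICATE line)")
    return problems


def classify_handshake(url, cafile, timeout=5.0):
    """Handshake with the ACME host trusting only `cafile`.

    Returns "ok", "untrusted" (chain not verified by the bundle: a trust
    problem), "tls-error" (handshake or record-layer failure such as
    DECRYPTION_FAILED_OR_BAD_RECORD_MAC, which is not a trust problem),
    or "network" (no connection).
    """
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok" if tls.version() else "tls-error"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except ssl.SSLError:
        return "tls-error"
    except OSError:
        return "network"


if __name__ == "__main__":
    bundle = os.environ.get("REQUESTS_CA_BUNDLE", "")
    issues = bundle_problems(bundle)
    for issue in issues:
        print("bundle:", issue)
    if bundle and not issues:
        print("handshake:", classify_handshake(ACME_DIRECTORY, bundle))
```

Run it as the same user and environment certbot gets during the commit (for example with `sudo -E`), since the point is to see the bundle path exactly as certbot will.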

If I read this correctly, you try to use ACME to automatically provision certificates.

To reach the ACME server you use an untrusted certificate which is not known to certbot?

If this is correct, this scenario is currently not supported.

The Step-CA does use a self-signed root certificate. That is its entire purpose.

I suppose I could have used generate pki ca to create a certificate authority and a self-signed root certificate on the router itself, but there was no need to have a second CA.

I certainly don’t see any practical difference between a VyOS PKI CA and a Step based CA.

I think the issue is really with certbot or more likely, it’s a configuration error that I can’t find. I probably missed something, and I’m hoping it will be obvious to someone.

Thanks
Philippe

Sounds like a feature request.
