Help me please! error with certificates

I have some problems while installing.

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 720, in urlopen
    retries = retries.increment(
  File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))
Please see the logfiles in /var/log/letsencrypt for more details.

Sounds like your system cannot make outgoing connections so the Let’s Encrypt certificate generation fails.

Do you have some ideas? Can I use a wildcard certificate?

Yes you can. Installing and configuring it is outside the scope of Indico though - it’s the kind of knowledge people should usually have

Anyway, looking at your error again, it seems like your system was not able to connect to acme-v02.api.letsencrypt.org because it could not verify its certificate. What OS/Distribution are you using? Could it be so old that it does not trust Let’s Encrypt? :o

Ubuntu 20.04.6 LTS

Should be fine. Try using curl -v https://acme-v02.api.letsencrypt.org and see if you get any TLS errors there.

however, I’d recommend using Ubuntu 22.04.3 LTS - 2020 is 4 years old now…

I get this error:
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Trying to update to 22.04 LTS.

Try openssl s_client -connect acme-v02.api.letsencrypt.org:443 in case you have some firewall/proxy blocking it in your network… with that command you can see the certs you get (e.g. what’s the CN of the cert)

In Kazakhstan there is an installed firewall, sts.kz, but I installed the CA certificate.

It gets something:

issuer=C = KZ, ST = Astana, L = Astana, O = State Technical Service, OU = HQ, CN = USIAG Intermediate November, emailAddress = support@sts.kz


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 3349 bytes and written 400 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)



How to get the Indico root password?

conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) connection to server on socket "/var/run/postgresql/.s.PGSQL.5432" failed: FATAL: database "indico:indico@*" does not exist

What's the problem?

conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
sqlalchemy.exc.OperationalError: (psycopg2.OperationalError) connection to server at "localhost" (127.0.0.1), port 5433 failed: Connection refused

new problem(

So your nice government snoops on everything. Man-In-The-Middle on TLS connections. No idea how to make certbot accept this crappy certificate. A quick google search was not useful. If you still need help with the TLS issue, I suggest asking on https://community.letsencrypt.org/ (ideally mention that you’re in Kazakhstan and that there’s state-level MITM on all TLS connections).
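The check this part of the thread arrives at (compare the issuer that openssl s_client reports for acme-v02.api.letsencrypt.org with the CA you expect to see), as an added example that is not part of the original thread. The expected organisation name "Let's Encrypt", the function names and the second sample output are assumptions made for the example.

```python
import re

# Assumption: organisation(s) expected to issue the ACME endpoint's certificate.
EXPECTED_ISSUER_ORGS = frozenset({"Let's Encrypt"})

# Lines taken from the openssl s_client output posted in this thread.
THREAD_OUTPUT = """\
issuer=C = KZ, ST = Astana, L = Astana, O = State Technical Service, OU = HQ, CN = USIAG Intermediate November, emailAddress = support@sts.kz
Verification error: unable to get local issuer certificate
Verify return code: 20 (unable to get local issuer certificate)
"""

# Constructed sample: what an un-intercepted connection could look like.
CONSTRUCTED_DIRECT = """\
issuer=C = US, O = Let's Encrypt, CN = R3
Verify return code: 0 (ok)
"""


def parse_dn(dn):
    """Split an OpenSSL one-line DN ('C = KZ, O = Foo, CN = Bar') into a dict."""
    fields = {}
    for part in re.split(r",\s*(?=[A-Za-z]+\s*=)", dn.strip()):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def diagnose(s_client_output, expected_orgs=EXPECTED_ISSUER_ORGS):
    """Classify s_client output by leaf-certificate issuer and verify code."""
    issuer, verify_code = None, None
    for line in s_client_output.splitlines():
        line = line.strip()
        if issuer is None and line.startswith("issuer="):
            issuer = parse_dn(line[len("issuer="):])
        match = re.match(r"Verify return code: (\d+)", line)
        if verify_code is None and match:
            verify_code = int(match.group(1))
    if issuer is None:
        verdict = "no-certificate-seen"
    elif issuer.get("O") not in expected_orgs:
        # Flagged even when verify_code is 0, i.e. after the proxy CA was
        # added to the local trust store.
        verdict = "unexpected-issuer"
    elif verify_code != 0:
        verdict = "untrusted-chain"
    else:
        verdict = "ok"
    return {"verdict": verdict, "issuer_org": issuer and issuer.get("O"),
            "verify_code": verify_code}
```

Feed it the text saved from openssl s_client -connect acme-v02.api.letsencrypt.org:443; an "unexpected-issuer" verdict means the certificate was re-signed somewhere between the host and Let's Encrypt, whatever the local trust store says.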

What are you trying to do? By default the connection to the database is through a UNIX socket, which is authenticated implicitly, so no password is needed. The connection thing for this is postgresql:///indico.

If you have a non-standard configuration (e.g. database on some other host), then you can provide username, hostname and password like this: postgresql://USER:PASS@HOSTNAME/DBNAME

(indico) indico@21499:~$ indico db prepare
Your database is not empty!
If you just added a new table/model, create an alembic revision instead!

Tables in your database:

  • attachments.folders
  • attachments.folder_principals
  • attachments.attachments
  • attachments.legacy_folder_id_map
  • attachments.attachment_principals
  • attachments.files
  • attachments.legacy_attachment_id_map
  • categories.categories
  • categories.settings
  • categories.legacy_id_map
  • categories.roles
  • categories.logs
  • categories.event_move_requests
  • categories.principals
  • categories.role_members
  • event_abstracts.email_templates
  • event_abstracts.abstract_review_questions
  • event_abstracts.abstracts
  • event_abstracts.abstract_reviews
  • event_abstracts.email_logs
  • event_abstracts.abstract_person_links
  • event_abstracts.files
  • event_abstracts.reviewed_for_tracks
  • event_abstracts.submitted_for_tracks
  • event_abstracts.abstract_field_values
  • event_abstracts.abstract_comments
  • event_abstracts.proposed_for_tracks
  • event_abstracts.abstract_review_ratings
  • event_editing.file_types
  • event_editing.review_conditions
  • event_editing.tags
  • event_editing.review_condition_file_types
  • event_editing.revisions
  • event_editing.revision_tags
  • event_editing.comments
  • event_editing.revision_files
  • event_editing.editables
  • event_paper_reviewing.templates
  • event_paper_reviewing.review_questions
  • event_paper_reviewing.competences
  • event_paper_reviewing.revisions
  • event_paper_reviewing.judges
  • event_paper_reviewing.content_reviewers
  • event_paper_reviewing.layout_reviewers
  • event_paper_reviewing.reviews
  • event_paper_reviewing.files
  • event_paper_reviewing.review_comments
  • event_paper_reviewing.review_ratings
  • event_registration.forms
  • event_registration.tags
  • event_registration.legacy_registration_map
  • event_registration.registrations
  • event_registration.registration_tags
  • event_registration.form_items
  • event_registration.invitations
  • event_registration.form_field_data
  • event_registration.registration_data
  • event_surveys.surveys
  • event_surveys.submissions
  • event_surveys.items
  • event_surveys.anonymous_submissions
  • event_surveys.answers
  • events.events
  • events.settings
  • events.legacy_id_map
  • events.image_files
  • events.menu_entries
  • events.pages
  • events.contribution_fields
  • events.event_references
  • events.track_groups
  • events.static_list_links
  • events.roles
  • events.session_types
  • events.contribution_types
  • events.legacy_page_id_map
  • events.settings_principals
  • events.logs
  • events.persons
  • events.static_sites
  • events.vc_rooms
  • events.principals
  • events.role_members
  • events.requests
  • events.reminders
  • events.agreements
  • events.legacy_image_id_map
  • events.event_person_links
  • events.sessions
  • events.breaks
  • events.session_principals
  • events.session_blocks
  • events.tracks
  • events.legacy_session_id_map
  • events.track_principals
  • events.session_block_person_links
  • events.legacy_session_block_id_map
  • events.contributions
  • events.timetable_entries
  • events.contribution_field_values
  • events.subcontributions
  • events.vc_room_events
  • events.contribution_person_links
  • events.contribution_principals
  • events.legacy_contribution_id_map
  • events.contribution_references
  • events.notes
  • events.subcontribution_person_links
  • events.legacy_subcontribution_id_map
  • events.subcontribution_references
  • events.note_revisions
  • events.payment_transactions
  • events.series
  • events.labels
  • indico.settings
  • indico.news
  • indico.affiliations
  • indico.designer_templates
  • indico.ip_network_groups
  • indico.ip_networks
  • indico.reference_types
  • indico.settings_principals
  • indico.files
  • indico.designer_image_files
  • oauth.applications
  • oauth.application_user_links
  • oauth.tokens
  • roombooking.map_areas
  • roombooking.equipment_types
  • roombooking.equipment_features
  • roombooking.features
  • roombooking.blockings
  • roombooking.locations
  • roombooking.rooms
  • roombooking.photos
  • roombooking.room_nonbookable_periods
  • roombooking.blocked_rooms
  • roombooking.blocking_principals
  • roombooking.room_equipment
  • roombooking.favorite_rooms
  • roombooking.room_principals
  • roombooking.room_attributes
  • roombooking.room_attribute_values
  • roombooking.room_bookable_hours
  • roombooking.reservation_links
  • roombooking.reservations
  • roombooking.reservation_edit_logs
  • roombooking.reservation_occurrences
  • users.registration_requests
  • users.users
  • users.groups
  • users.settings
  • users.emails
  • users.favorite_users
  • users.favorite_categories
  • users.favorite_events
  • users.tokens
  • users.identities
  • users.suggested_categories
  • users.group_members
  • users.api_keys

Again some error.

Why are you running indico db prepare again? According to the error you already created the tables (by running indico db prepare)…

If you want a clean start, delete the database and recreate it - after that you can run indico db prepare once again:

su - postgres -c 'dropdb indico'
su - postgres -c 'createdb -O indico indico'
su - postgres -c 'psql indico -c "CREATE EXTENSION unaccent; CREATE EXTENSION pg_trgm;"'

Warning: This deletes all data from the Indico instance.

Hello again! Thanks for the help yesterday. But today I have another problem with sending email: the verification mail did not come when I signed up a new user. Do you have an idea?

  • is the indico-celery service running?
  • check indico.log for errors related to sending the email
  • what are you using to send emails (hopefully not gmail! ;)) - if it’s a local mail server, check its logs as well