Hi,
Bit of an edge case here. I’m running my own internal smallstep CA, issuing certificates to machines on my local network.
Previously the Let’s Encrypt add-on worked fine; I am using the “Additional CA” package to install my CA certs into HA. My CA and intermediate certs are also in /usr/share/ca-certificates. It was happily renewing certs; however, after the update to 6.0.0 I’m getting the following error:
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ssl/cert.pem
(This appears to be a link to certs/ca-certificates.crt which seems to exist)
Any help appreciated
Logs:
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[08:52:37] INFO: Selected HTTP verification
[08:52:37] INFO: Updating the trust store by adding the provided custom root certificate
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt, it does not contain exactly one certificate or CRL
151 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
[08:52:40] INFO: Detecting existing certificate type for homeassistant.mpkc.local
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[08:52:41] INFO: Existing certificate using 'ecdsa' key type.
Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator standalone and installer None
Single candidate plugin: * standalone
Description: Runs an HTTP server locally which serves the necessary validation files under the /.well-known/acme-challenge/ request path. Suitable if there is no HTTP server already running. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: EntryPoint(name='standalone', value='certbot._internal.plugins.standalone:Authenticator', group='certbot.plugins')
Initialized: <certbot._internal.plugins.standalone.Authenticator object at 0x7f58112f30e0>
Prep: True
Selected authenticator <certbot._internal.plugins.standalone.Authenticator object at 0x7f58112f30e0> and installer None
Plugins selected: Authenticator standalone, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://ca.mpkc.local/acme/acme/account/aQIKFiASzjCTUNm8niTuEENVWGVXlwx9', new_authzr_uri=None, terms_of_service=None), facf4e2aec3dafc81f8870190446f25a, Meta(creation_dt=datetime.datetime(2025, 9, 5, 17, 16, 32, tzinfo=datetime.timezone.utc), creation_host='core-letsencrypt.local.hass.io', register_to_eff=None))>
Sending GET request to https://ca.mpkc.local/acme/acme/directory.
Exiting abnormally:
Traceback (most recent call last):
File "/usr/local/bin/certbot", line 8, in <module>
sys.exit(main())
~~~~^^
File "/usr/local/lib/python3.13/dist-packages/certbot/main.py", line 19, in main
return internal_main.main(cli_args)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^
File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/main.py", line 1871, in main
return config.func(config, plugins)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/main.py", line 1559, in certonly
le_client = _init_le_client(config, auth, installer)
File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/main.py", line 836, in _init_le_client
return client.Client(config, acc, authenticator, installer, acme=acme)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/client.py", line 292, in __init__
acme = acme_from_config_key(config, self.account.key, self.account.regr)
File "/usr/local/lib/python3.13/dist-packages/certbot/_internal/client.py", line 73, in acme_from_config_key
directory = acme_client.ClientV2.get_directory(config.server, net)
File "/usr/local/lib/python3.13/dist-packages/acme/client.py", line 341, in get_directory
return messages.Directory.from_json(net.get(url).json())
~~~~~~~^^^^^
File "/usr/local/lib/python3.13/dist-packages/acme/client.py", line 716, in get
self._send_request('GET', url, **kwargs), content_type=content_type)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/dist-packages/acme/client.py", line 658, in _send_request
response = self.session.request(method, url, *args, **kwargs)
File "/usr/local/lib/python3.13/dist-packages/requests/sessions.py", line 589, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python3.13/dist-packages/requests/sessions.py", line 703, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python3.13/dist-packages/requests/adapters.py", line 616, in send
self.cert_verify(conn, request.url, verify, cert)
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/dist-packages/requests/adapters.py", line 303, in cert_verify
raise OSError(
...<2 lines>...
)
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ssl/cert.pem
An unexpected error occurred:
OSError: Could not find a suitable TLS CA certificate bundle, invalid path: /etc/ssl/cert.pem
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
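
A diagnostic for the path named in the error, added here as an example and not part of the original post or the add-on's code: requests raises this OSError when `os.path.exists()` is false for the bundle path, which is also what a symlink with a missing target returns. The sketch walks the link chain and counts the PEM certificates in the resolved file; the function names and the temporary demo layout are constructed for illustration.

```python
import os
import sys
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"

def trace_bundle(path, max_hops=16):
    """Follow symlinks hop by hop and report the chain, whether the path
    passes the os.path.exists() check requests applies, and how many PEM
    certificates the resolved file holds."""
    chain, current = [path], path
    for _ in range(max_hops):  # bounded so a link loop cannot spin forever
        if not os.path.islink(current):
            break
        target = os.readlink(current)
        # Relative link targets resolve against the link's own directory.
        current = os.path.normpath(
            os.path.join(os.path.dirname(current), target))
        chain.append(current)
    usable = os.path.exists(path)  # False for a dangling symlink
    certs = 0
    if usable and os.path.isfile(current):
        with open(current, "r", errors="replace") as fh:
            certs = fh.read().count(PEM_BEGIN)
    return {"chain": chain, "usable": usable, "certs": certs,
            "dangling": os.path.lexists(path) and not usable}

def demo():
    """Constructed layout mirroring the post:
    cert.pem -> certs/ca-certificates.crt, checked before and after
    the target file is written."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "certs"))
    link = os.path.join(root, "cert.pem")
    os.symlink("certs/ca-certificates.crt", link)
    before = trace_bundle(link)  # link present, target missing
    bundle = os.path.join(root, "certs", "ca-certificates.crt")
    with open(bundle, "w") as fh:  # placeholder bodies, not real certificates
        fh.write((PEM_BEGIN + "\nplaceholder\n-----END CERTIFICATE-----\n") * 2)
    after = trace_bundle(link)
    return before, after

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(trace_bundle(sys.argv[1]))  # e.g. the path from the error
    else:
        for result in demo():
            print(result)
```

Run it with the bundle path as the only argument inside the container where certbot runs, after the trust-store update step has finished, since that is the state certbot sees.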