An overview of the KeyHelp administration tool from Keyweb AG, and its download, is available at https://www.keyhelp.de

This forum is intended to let interested users discuss KeyHelp and find help with problems.

SSL/TLS certificate problems on server...  [SOLVED]

You found a bug? Please tell us about it.
gusarg81
Posts: 19
Registered: Sun 18 Jul 2021, 02:20
Location: Argentina

SSL/TLS certificate problems on server...

Post by gusarg81 »

Hi,

Since this week I am receiving these emails, with subject "SSL/TLS certificate problems on server server.gdnet.ar" (where server.gdnet.ar is the domain of my server), with this message:
Hello gdnet!

During the routine check of the SSL/TLS certificates, the following problems occurred:

------------------------------------
Certificate name: chat.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:10:25 (14 day(s) left)


Certificate name: kanban.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:08:24 (14 day(s) left)


Certificate name: netdata.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:12:38 (14 day(s) left)


Certificate name: projects.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:16:13 (14 day(s) left)
------------------------------------

Best regards,
Your support team


---
This message was generated automatically.
Please do not reply to this email.
Now, all those domains do respond locally (and of course outside the server). What could be causing this problem suddenly? Some kind of "automatic" blocking of letsencrypt domains/services?

Like I said, this is new. Never received these messages.

Thanks in advance.
nikko
Posts: 902
Registered: Fri 15 Apr 2016, 16:11

Re: SSL/TLS certificate problems on server...

Post by nikko »

From the "14 days left" I see, so I think, this is the first message. Maybe a temporary problem of LE.
But if the message comes nightly again and again... Have you modified the OS or the system? Does your provider use new firewall rules?
Can you add a subdomain with a new certificate?
The software said: Requires Win Vista®, 7®, 8® or better. And so I installed Linux.
gusarg81
Posts: 19
Registered: Sun 18 Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

nikko wrote: Thu 7 Oct 2021, 23:00 From the "14 days left" I see, so I think, this is the first message. Maybe a temporary problem of LE.
But if the message comes nightly again and again... Have you modified the OS or the system? Does your provider use new firewall rules?
Can you add a subdomain with a new certificate?
Hi,

I didn't modify anything on my server at all. And no, it is not the first. This is the 5th day by now with the same message.

No firewall rules changed, no DNS changed. Like I said, all those domains do respond locally (tested with host and nslookup).

Is there a way to test it? Maybe disabling Let's Encrypt and enabling it again for those domains? I have other domains with Let's Encrypt which are not included in the message list, which is even more weird.
nikko
Posts: 902
Registered: Fri 15 Apr 2016, 16:11

Re: SSL/TLS certificate problems on server...

Post by nikko »

gusarg81 wrote: Thu 7 Oct 2021, 23:50
nikko wrote: Thu 7 Oct 2021, 23:00 Can you add a subdomain with a new certificate?
Maybe disabling Let's Encrypt and enabling it again for those domains?
Sure, two ways to find out more. Please have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for further information.

Which OS is running? Virtual machine, which virtualization?
Alexander
Keyweb AG
Posts: 2137
Registered: Wed 20 Jan 2016, 02:23

Re: SSL/TLS certificate problems on server...

Post by Alexander »

Can you ping the domain "acme-v02.api.letsencrypt.org" from your server?

You can also try to manually trigger the renewal of certificates. To do so, enter the command: "keyhelp-toolbox" in the CLI and navigate to "6)" -> "8)".
Maybe your server has some kind of capacity issues when performing this renewal during the default time frame.
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
gusarg81
Posts: 19
Registered: Sun 18 Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

nikko wrote: Fri 8 Oct 2021, 06:06
gusarg81 wrote: Thu 7 Oct 2021, 23:50
nikko wrote: Thu 7 Oct 2021, 23:00 Can you add a subdomain with a new certificate?
Maybe disabling Let's Encrypt and enabling it again for those domains?
Sure, two ways to find out more. Please have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for further information.

Which OS is running? Virtual machine, which virtualization?
OS: Ubuntu 20.04 (freshly installed when migrated to KeyHelp). Native installation (no VM).
Attached log.
Attachments
ssl-maintenance.log
(8.66 KiB) Downloaded 6 times
gusarg81
Posts: 19
Registered: Sun 18 Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

Could this be a problem? For example, one of the domains that is failing (chat.gdnet.ar): I have custom settings for Apache in all those domains that are failing, like this one:
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:3001%{REQUEST_URI} [P]

ProxyPassMatch "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:3001/$1"
ProxyPass "/" "http://127.0.0.1:3001/"
ProxyPassReverse "/" "http://127.0.0.1:3001/"
Could this be the problem?

The weird thing is that it is not new; I applied these settings the first day I migrated to KeyHelp months ago.
Tobi
Community Moderator
Posts: 1741
Registered: Thu 5 Jan 2017, 13:24

Re: SSL/TLS certificate problems on server...  [SOLVED]

Post by Tobi »

Try adding

Code:

ProxyPass /.well-known/acme-challenge !

before this line

Code:

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers
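
The ordering point behind this fix, as an added example that is not part of the original posts and not KeyHelp's own code: a small Python check that reports whether an HTTP-01 challenge URL would be sent to the backend or excluded from proxying, given a vhost's custom directives. The token in the probe URL and the function names are constructed for illustration, and Apache's prefix matching is simplified to a string prefix test.

```python
import re
import shlex

ACME_PROBE = "/.well-known/acme-challenge/constructed-token"  # constructed token

# The custom Apache settings posted in the thread.
POSTED = r'''
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:3001%{REQUEST_URI} [P]

ProxyPassMatch "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:3001/$1"
ProxyPass "/" "http://127.0.0.1:3001/"
ProxyPassReverse "/" "http://127.0.0.1:3001/"
'''
CATCH_ALL = 'ProxyPass "/" "http://127.0.0.1:3001/"'
EXCLUSION = "ProxyPass /.well-known/acme-challenge !"
FIXED = POSTED.replace(CATCH_ALL, EXCLUSION + "\n" + CATCH_ALL)
MISORDERED = POSTED.replace(CATCH_ALL, CATCH_ALL + "\n" + EXCLUSION)


def proxy_rules(config_text):
    """Yield (directive, path_or_regex, target) in configuration order."""
    for line in config_text.splitlines():
        parts = shlex.split(line)
        if len(parts) >= 3 and parts[0].lower() in ("proxypass", "proxypassmatch"):
            yield parts[0].lower(), parts[1], parts[2]


def acme_challenge_fate(config_text, probe=ACME_PROBE):
    """Return 'excluded', 'proxied' or 'local' for an HTTP-01 challenge URL.

    mod_proxy checks ProxyPass/ProxyPassMatch rules in configuration order and
    the first match wins, so the "!" exclusion must precede the catch-all.
    Rewrite rules are ignored here: the posted one only fires for WebSocket
    upgrade requests. Prefix matching is simplified to str.startswith.
    """
    for directive, pattern, target in proxy_rules(config_text):
        if directive == "proxypassmatch":
            hit = re.search(pattern, probe) is not None
        else:
            hit = probe.startswith(pattern)
        if hit:
            return "excluded" if target == "!" else "proxied"
    return "local"
```

`acme_challenge_fate(POSTED)` reports the challenge as proxied, `FIXED` as excluded, and `MISORDERED` shows that placing the exclusion after the catch-all has no effect.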
gusarg81
Posts: 19
Registered: Sun 18 Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

Tobi wrote: Sat 9 Oct 2021, 10:50 Try adding

Code:

ProxyPass /.well-known/acme-challenge !

before this line

Code:

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.
Hi,

Now it is working with this. Thanks!