SSL/TLS certificate problems on server...

Posted: Thu 7. Oct 2021, 18:59
by gusarg81
Hi,

Since this week I am receiving these emails, with subject "SSL/TLS certificate problems on server server.gdnet.ar" (server.gdnet.ar is the domain of my server), with this message:
Hello gdnet!

During the routine check of the SSL/TLS certificates, the following problems occurred:

------------------------------------
Certificate name: chat.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:10:25 (14 day(s) left)


Certificate name: kanban.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:08:24 (14 day(s) left)


Certificate name: netdata.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:12:38 (14 day(s) left)


Certificate name: projects.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:16:13 (14 day(s) left)
------------------------------------

Best regards,
Your support team


---
This message was generated automatically.
Please do not reply to this email.
Now, all those domains do respond locally (and of course from outside the server). What could be causing this problem suddenly? Some kind of "automatic" blocking of Let's Encrypt domains/services?

Like I said, this is new. I never received these messages before.

Thanks in advance.

Re: SSL/TLS certificate problems on server...

Posted: Thu 7. Oct 2021, 23:00
by nikko
From the "14 days left" I see - so I think - this is the first message. Maybe a temporary problem of LE.
But if the message comes nightly again and again... Have you modified the OS or the system? Does your provider use new firewall rules?
Can you add a subdomain with a new certificate?

Re: SSL/TLS certificate problems on server...

Posted: Thu 7. Oct 2021, 23:50
by gusarg81
nikko wrote: Thu 7. Oct 2021, 23:00 From the "14 days left" I see - so I think - this is the first message. Maybe a temporary problem of LE.
But if the message comes nightly again and again... Have you modified the OS or the system? Does your provider use new firewall rules?
Can you add a subdomain with a new certificate?
Hi,

I didn't modify anything in my server at all. And no, it is not the first. This is the 5th day by now with the same message.

No firewall rules changed, no DNS changed. Like I said, all those domains do respond locally (tested with host and nslookup).

Is there a way to test it? Maybe disabling Let's Encrypt and enabling it again for those domains? I have other domains with Let's Encrypt which are not included in the message list, which is even more weird.

Re: SSL/TLS certificate problems on server...

Posted: Fri 8. Oct 2021, 06:06
by nikko
gusarg81 wrote: Thu 7. Oct 2021, 23:50
nikko wrote: Thu 7. Oct 2021, 23:00 Can you add a subdomain with a new certificate?
Maybe disabling Let's Encrypt and enabling it again for those domains?
Sure, two ways to find out more. Pls have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for further information.

Which OS is running? Virtual machine, which virtualization?

Re: SSL/TLS certificate problems on server...

Posted: Fri 8. Oct 2021, 09:40
by Alexander
Can you ping the domain "acme-v02.api.letsencrypt.org" from your server?

You can also try to manually trigger the renew of certificates. To do so, enter the command: "keyhelp-toolbox" in the CLI and navigate to "6)" -> "8)".
Maybe your server has some kind of capacity issues, when performing this renew during the default time frame.

Re: SSL/TLS certificate problems on server...

Posted: Fri 8. Oct 2021, 22:47
by gusarg81
nikko wrote: Fri 8. Oct 2021, 06:06
gusarg81 wrote: Thu 7. Oct 2021, 23:50
nikko wrote: Thu 7. Oct 2021, 23:00 Can you add a subdomain with a new certificate?
Maybe disabling Let's Encrypt and enabling it again for those domains?
Sure, two ways to find out more. Pls have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for further information.

Which OS is running? Virtual machine, which virtualization?
OS: Ubuntu 20.04 (fresh installed when migrated to KeyHelp). Native installation (no VM).
Attached log.

Re: SSL/TLS certificate problems on server...

Posted: Fri 8. Oct 2021, 23:21
by gusarg81
Could this be a problem? For example, one of the domains that is failing (chat.gdnet.ar): I have custom settings for Apache in all those domains that are failing, like this one:
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:3001%{REQUEST_URI} [P]

ProxyPassMatch "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:3001/$1"
ProxyPass "/" "http://127.0.0.1:3001/"
ProxyPassReverse "/" "http://127.0.0.1:3001/"
Could this be the problem?

The weird thing is that this is not new; I applied these settings the first day I migrated to KeyHelp, months ago.

Re: SSL/TLS certificate problems on server...  [SOLVED]

Posted: Sat 9. Oct 2021, 10:50
by Tobi
Try adding

ProxyPass /.well-known/acme-challenge !

before this line

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.

Re: SSL/TLS certificate problems on server...

Posted: Mon 11. Oct 2021, 17:08
by gusarg81
Tobi wrote: Sat 9. Oct 2021, 10:50 Try adding

ProxyPass /.well-known/acme-challenge !

before this line

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.
Hi,

Now it is working with this. Thanks!

Re: SSL/TLS certificate problems on server...

Posted: Wed 30. Mar 2022, 15:49
by gusarg81
Hi,

Still I have this problem with other domains. For example, this one:
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
What is wrong here? Thanks in advance.

Re: SSL/TLS certificate problems on server...

Posted: Wed 30. Mar 2022, 16:27
by Tobi
Try ProxyPass before Rewriting.
I would guess the SSL request is actually upgraded to your webservice.

Re: SSL/TLS certificate problems on server...

Posted: Wed 30. Mar 2022, 16:36
by gusarg81
I've tried that, but still not working.

EDIT: also tried:
<Location /.well-known/acme-challenge>
ProxyPass !
</Location>
No success either :(
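The two exchanges above (Tobi's `ProxyPass /.well-known/acme-challenge !` fix, and the later vhost where that exclusion no longer helps once `RewriteRule ... [P]` is in play) come down to one Apache detail: a `ProxyPass ... !` exclusion only makes mod_proxy decline the request for its own mapping. A `RewriteRule` with the `[P]` flag whose pattern matches `/.well-known/acme-challenge/...` is evaluated afterwards and hands the request to the backend anyway, so the HTTP-01 challenge file never gets served from disk. The fragment below is an added example, not configuration posted by anyone in this thread; it assumes a backend on `127.0.0.1:3000` as in the posts, and that the challenge files are written under the vhost's DocumentRoot (how KeyHelp lays that out is not stated on the page). It excludes the challenge path in both places: in mod_proxy and at the head of the rewrite chain.

```apache
# Added example (not from the thread): WebSocket-capable reverse proxy vhost
# fragment that still lets the ACME HTTP-01 challenge be served from disk.
# Assumed: backend on 127.0.0.1:3000; challenge files live under DocumentRoot.

# 1. mod_proxy exclusion. Must come before the catch-all "ProxyPass /" because
#    ProxyPass entries are matched in configuration order. On its own this only
#    makes mod_proxy decline the request; it does not stop a [P] rewrite rule.
ProxyPass        /.well-known/acme-challenge/ !

# 2. Short-circuit the rewrite chain for the challenge path before any [P] rule
#    can match it. "-" leaves the URL unchanged, [L] ends rewriting, and the
#    request falls through to the normal file handler under DocumentRoot.
RewriteEngine On
RewriteRule ^/\.well-known/acme-challenge/ - [L]

# 3. Everything else: Upgrade: websocket goes to ws://, the rest to http://.
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule ^/(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
ProxyPass        / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
```

To confirm the exclusion works before the next scheduled renewal, drop a plain text file into `DocumentRoot/.well-known/acme-challenge/` on the server and request it over plain HTTP for the vhost's hostname (the HTTP-01 challenge arrives on port 80, not 443): the response must be the file's contents, not the backend application's page or a WebSocket upgrade. The same request, with the file removed afterwards, is what the ssl-maintenance.log entries reflect.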

Re: SSL/TLS certificate problems on server...

Posted: Fri 16. Dec 2022, 12:08
by gusarg81
Hi,

I am still having problems with one subdomain with this. The current setting in the HTTPS directive is:
ProxyPass /.well-known !

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
But it is not working when auto-renewing the cert:
Certificate name: chat.gdnet.ar (Let's Encrypt)
Local resolving checks failed for domain "chat.gdnet.ar". Please ensure that your domain is locally resolvable!
Any idea how to fix this?

Re: SSL/TLS certificate problems on server...

Posted: Mon 19. Dec 2022, 16:21
by BasHeijermans
Maybe this helps?

https://stackoverflow.com/a/23368060

Person there seems to have the same type of issue.