SSL/TLS certificate problems on server... [SOLVED]

[gusarg81]

Hi,

Since this week I am receiving this emails, with subject "SSL/TLS certificate problems on server server.gdnet.ar" (which server.gdnet.ar is the domain of my server), with this meesage:

Hello gdnet!

During the routine check of the SSL/TLS certificates, the following problems occurred:

------------------------------------
Certificate name: chat.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:10:25 (14 day(s) left)


Certificate name: kanban.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:08:24 (14 day(s) left)


Certificate name: netdata.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:12:38 (14 day(s) left)


Certificate name: projects.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:16:13 (14 day(s) left)
------------------------------------

Best regards,
Your support team


---
This message was generated automatically.
Please do not reply to this email.

Now, all those domains do respond locally (and of course outside the server). What could be causing this problem suddenly? Some kind of "automatic" blocking of letsencrypt domains/services?

Like I said, this is new. Never received these messages.

Thanks in advance.

[nikko]

On the "14 days left" I see - so I think- this is the first message. Maybe a temporary problem of LE.
But if the message come nightly again and again... You have modified the OS or the system? Your provider use new firewall rules?
You can add a subdomain with a new certificate?

[gusarg81]

On the "14 days left" I see - so I think- this is the first message. Maybe a temporary problem of LE.
But if the message come nightly again and again... You have modified the OS or the system? Your provider use new firewall rules?
You can add a subdomain with a new certificate?

Hi,

I didn't modified anything in my server at all. And no, is no the first. This is the 5º day by now with the same message.

No firewall rules changed, no DNS changed. Like I said, all those domains does response locally (testes with host and nslookup)

is there a way test it? Maybe disabling Let's Encrypt and enabling it again for those domains? I have others domains with Let's Encrypt which are not included in the message list, which is even more weird.

[nikko]

You can add a subdomain with a new certificate?

Maybe disabling Let's Encrypt and enabling it again for those domains?

Sure, two ways to findout more. Pls have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for futher information.

Which OS is runnig? Virtual machine, which virtualization?

[Alexander]

Can you ping the domain "acme-v02.api.letsencrypt.org" from your server?

You can also try to manually trigger the renew of certificates. To do so, enter the command: "keyhelp-toolbox" in the CLI and navigate to "6)" -> "8)".
Maybe your server has some kind of capacity issues, when performing this renew during the default time frame.

[gusarg81]

You can add a subdomain with a new certificate?

Maybe disabling Let's Encrypt and enabling it again for those domains?

Sure, two ways to findout more. Pls have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for futher information.

Which OS is runnig? Virtual machine, which virtualization?

OS: Ubuntu 20.04 (fresh installed when migrated to KeyHelp). Native installation (no VM).
Attached log.

[gusarg81]

This could be a problem? For example, one of the domain that is failing (chat.gdnet.ar): I have a custom settings for apache in all those domains that are failing, like this one:

RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:3001%{REQUEST_URI} [P]

ProxyPassMatch "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:3001/$1"
ProxyPass "/" "http://127.0.0.1:3001/"
ProxyPassReverse "/" "http://127.0.0.1:3001/"

This could be the problem?

The weid thing is that is not new, I've applied this settings the first day I've migrated to KeyHelp months ago.

[Tobi]

Try adding

Code: Select all

ProxyPass /.well-known/acme-challenge !

before this line

Code: Select all

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.

[gusarg81]

Try adding

Code: Select all

ProxyPass /.well-known/acme-challenge !

before this line

Code: Select all

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.

Hi,

Now is working with this. Thanks!

[gusarg81]

Hi,

Still I have this problem with other domains. For example, this one:

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/

What is wrong here? Thanks in advance.

[Tobi]

Try ProxyPass before Rewriting.
I would guess the SSL Request is actually upgraded to your webservice.

[gusarg81]

I've tried that, but stil not working.

EDIT: also tried:

<Location /.well-known/acme-challenge>
ProxyPass !
</Location>

No success either

[gusarg81]

Hi,

I still having problems with one subdomain with this. The current setting in HTTS directive is:

ProxyPass /.well-known !

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/

But is not working when auto renewing the cert:

Certificate name: chat.gdnet.ar (Let's Encrypt)
Local resolving checks failed for domain "chat.gdnet.ar". Please ensure that your domain is locally resolvable!

Any idea how to fix this?

[BasHeijermans]

Maybe this helps?

https://stackoverflow.com/a/23368060

Person there seems to have the same type of issue.