SSL/TLS certificate problems on server  [SOLVED]


SSL/TLS certificate problems on server

Post by 24unix »

I am sure that the cause of the problem lies with KeyHelp
(Problems unrelated to KeyHelp belong in the off-topic forum)

No, I'm not; honestly, I'm at a loss.

Server operating system + version
(e.g. Ubuntu 20.04)

Debian Bullseye

Server virtualization technology used
(e.g. none, OpenVZ, KVM, XEN, etc.)

OpenVZ

KeyHelp version + build number
(e.g. 22.0 - Build 2366)

22.1.1 (Build 2690)

Problem description / error messages

Certificates are no longer being renewed.

Expected result

New certificates

Actual result

No certificates

Steps to reproduce
./.

Additional information
(e.g. recent changes made to the server, excerpts from log files (/var/log/*, /var/log/keyhelp/php-error.log, etc.))

I have made no changes, and for three days I have been getting a mail like this every night:
Hello tracer!

During the routine check of the SSL/TLS certificates, the following problems occurred:

------------------------------------
Certificate name: rchelifan.org (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://rchelifan.org/.well-known/acme- ... s3477onVxc: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/rchelifan.org\/.well-known\/acme-challenge\/YAJbWSTsuBUEP47qdkTEv6xsTVyx7JV83s3477onVxc: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874234796\/7RPSDg","token":"YAJbWSTsuBUEP47qdkTEv6xsTVyx7JV83s3477onVxc","validationRecord":[{"url":"http:\/\/rchelifan.org\/.well-known\/acme-challenge\/YAJbWSTsuBUEP47qdkTEv6xsTVyx7JV83s3477onVxc","hostname":"rchelifan.org","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/rchelifan.org\/.well-known\/acme-challenge\/YAJbWSTsuBUEP47qdkTEv6xsTVyx7JV83s3477onVxc","hostname":"rchelifan.org","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/rchelifan.org\/.well-known\/acme-challenge\/YAJbWSTsuBUEP47qdkTEv6xsTVyx7JV83s3477onVxc","hostname":"rchelifan.org","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:19:39Z"}
Valid until: 2022-08-26 23:19:18 (17 day(s) left)


Certificate name: aussempott.de (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://aussempott.de/.well-known/acme- ... LR1cDIObl0: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/aussempott.de\/.well-known\/acme-challenge\/D1aGsNmZwEvUvCl9FWvMsm8jSqS0cA-DMLR1cDIObl0: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874263806\/uRTzrw","token":"D1aGsNmZwEvUvCl9FWvMsm8jSqS0cA-DMLR1cDIObl0","validationRecord":[{"url":"http:\/\/aussempott.de\/.well-known\/acme-challenge\/D1aGsNmZwEvUvCl9FWvMsm8jSqS0cA-DMLR1cDIObl0","hostname":"aussempott.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/aussempott.de\/.well-known\/acme-challenge\/D1aGsNmZwEvUvCl9FWvMsm8jSqS0cA-DMLR1cDIObl0","hostname":"aussempott.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/aussempott.de\/.well-known\/acme-challenge\/D1aGsNmZwEvUvCl9FWvMsm8jSqS0cA-DMLR1cDIObl0","hostname":"aussempott.de","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:19:47Z"}
Valid until: 2022-08-26 23:19:28 (17 day(s) left)


Certificate name: crowddataworker.de (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://crowddataworker.de/.well-known/ ... VWKPjSbotM: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/crowddataworker.de\/.well-known\/acme-challenge\/SLYPDfTsHsykcN6Oaydg72psy45OJNJPbVWKPjSbotM: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874298226\/OXBZqw","token":"SLYPDfTsHsykcN6Oaydg72psy45OJNJPbVWKPjSbotM","validationRecord":[{"url":"http:\/\/crowddataworker.de\/.well-known\/acme-challenge\/SLYPDfTsHsykcN6Oaydg72psy45OJNJPbVWKPjSbotM","hostname":"crowddataworker.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/crowddataworker.de\/.well-known\/acme-challenge\/SLYPDfTsHsykcN6Oaydg72psy45OJNJPbVWKPjSbotM","hostname":"crowddataworker.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/crowddataworker.de\/.well-known\/acme-challenge\/SLYPDfTsHsykcN6Oaydg72psy45OJNJPbVWKPjSbotM","hostname":"crowddataworker.de","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:19:57Z"}
Valid until: 2022-08-27 23:19:10 (18 day(s) left)


Certificate name: fairdns.de (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://fairdns.de/.well-known/acme-cha ... GDjDsINXns: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/fairdns.de\/.well-known\/acme-challenge\/ZvohxC1OLN_uAv-h2d-jQG-CRrjT1bUBmGDjDsINXns: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874378336\/XQUVFg","token":"ZvohxC1OLN_uAv-h2d-jQG-CRrjT1bUBmGDjDsINXns","validationRecord":[{"url":"http:\/\/fairdns.de\/.well-known\/acme-challenge\/ZvohxC1OLN_uAv-h2d-jQG-CRrjT1bUBmGDjDsINXns","hostname":"fairdns.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/fairdns.de\/.well-known\/acme-challenge\/ZvohxC1OLN_uAv-h2d-jQG-CRrjT1bUBmGDjDsINXns","hostname":"fairdns.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/fairdns.de\/.well-known\/acme-challenge\/ZvohxC1OLN_uAv-h2d-jQG-CRrjT1bUBmGDjDsINXns","hostname":"fairdns.de","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:20:11Z"}
Valid until: 2022-08-26 23:19:57 (17 day(s) left)


Certificate name: tzazicke.de (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://tzazicke.de/.well-known/acme-ch ... 41r4-N59-s: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/tzazicke.de\/.well-known\/acme-challenge\/cBtNzlAF62wlWQ8Gz1gmM5j4o7ZzCcBcU41r4-N59-s: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874462516\/6FW6KQ","token":"cBtNzlAF62wlWQ8Gz1gmM5j4o7ZzCcBcU41r4-N59-s","validationRecord":[{"url":"http:\/\/tzazicke.de\/.well-known\/acme-challenge\/cBtNzlAF62wlWQ8Gz1gmM5j4o7ZzCcBcU41r4-N59-s","hostname":"tzazicke.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/tzazicke.de\/.well-known\/acme-challenge\/cBtNzlAF62wlWQ8Gz1gmM5j4o7ZzCcBcU41r4-N59-s","hostname":"tzazicke.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/tzazicke.de\/.well-known\/acme-challenge\/cBtNzlAF62wlWQ8Gz1gmM5j4o7ZzCcBcU41r4-N59-s","hostname":"tzazicke.de","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:20:26Z"}
Valid until: 2022-08-26 23:20:11 (17 day(s) left)


Certificate name: tierschnack.de (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://tierschnack.de/.well-known/acme ... npFkalanYo: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/tierschnack.de\/.well-known\/acme-challenge\/XrNw68d9hR7Z1qTkD4w_2TpXm5hOt506vnpFkalanYo: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874552486\/C0keew","token":"XrNw68d9hR7Z1qTkD4w_2TpXm5hOt506vnpFkalanYo","validationRecord":[{"url":"http:\/\/tierschnack.de\/.well-known\/acme-challenge\/XrNw68d9hR7Z1qTkD4w_2TpXm5hOt506vnpFkalanYo","hostname":"tierschnack.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/tierschnack.de\/.well-known\/acme-challenge\/XrNw68d9hR7Z1qTkD4w_2TpXm5hOt506vnpFkalanYo","hostname":"tierschnack.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/tierschnack.de\/.well-known\/acme-challenge\/XrNw68d9hR7Z1qTkD4w_2TpXm5hOt506vnpFkalanYo","hostname":"tierschnack.de","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:20:44Z"}
Valid until: 2022-08-26 23:20:20 (17 day(s) left)


Certificate name: francis.tierschnack.de (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://francis.tierschnack.de/.well-kn ... DBZRUhnyz4: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/francis.tierschnack.de\/.well-known\/acme-challenge\/JKMrlniXJZq-MMtmRauMNqCJoqJQqKY7ODBZRUhnyz4: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874595256\/H3xBwA","token":"JKMrlniXJZq-MMtmRauMNqCJoqJQqKY7ODBZRUhnyz4","validationRecord":[{"url":"http:\/\/francis.tierschnack.de\/.well-known\/acme-challenge\/JKMrlniXJZq-MMtmRauMNqCJoqJQqKY7ODBZRUhnyz4","hostname":"francis.tierschnack.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/francis.tierschnack.de\/.well-known\/acme-challenge\/JKMrlniXJZq-MMtmRauMNqCJoqJQqKY7ODBZRUhnyz4","hostname":"francis.tierschnack.de","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/francis.tierschnack.de\/.well-known\/acme-challenge\/JKMrlniXJZq-MMtmRauMNqCJoqJQqKY7ODBZRUhnyz4","hostname":"francis.tierschnack.de","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:20:55Z"}
Valid until: 2022-08-26 23:20:28 (17 day(s) left)


Certificate name: echome.24unix.net (Let's Encrypt)

Verification ended with an error.
Details: 85.214.79.33: Fetching https://echome.24unix.net/.well-known/a ... lX1xaiwt4E: Error getting validation data
Type: urn:ietf:params:acme:error:connection
Full response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"85.214.79.33: Fetching https:\/\/echome.24unix.net\/.well-known\/acme-challenge\/A4oIw8MLDZ80XHhAMXWjsTek84U_18aDPlX1xaiwt4E: Error getting validation data","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/139874788026\/h7yeSA","token":"A4oIw8MLDZ80XHhAMXWjsTek84U_18aDPlX1xaiwt4E","validationRecord":[{"url":"http:\/\/echome.24unix.net\/.well-known\/acme-challenge\/A4oIw8MLDZ80XHhAMXWjsTek84U_18aDPlX1xaiwt4E","hostname":"echome.24unix.net","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"},{"url":"http:\/\/echome.24unix.net\/.well-known\/acme-challenge\/A4oIw8MLDZ80XHhAMXWjsTek84U_18aDPlX1xaiwt4E","hostname":"echome.24unix.net","port":"80","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"85.214.79.33"},{"url":"https:\/\/echome.24unix.net\/.well-known\/acme-challenge\/A4oIw8MLDZ80XHhAMXWjsTek84U_18aDPlX1xaiwt4E","hostname":"echome.24unix.net","port":"443","addressesResolved":["85.214.79.33","2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"],"addressUsed":"2a01:238:42db:7400:d0ef:e94b:7f8a:6f55"}],"validated":"2022-08-08T22:21:31Z"}
Valid until: 2022-08-27 23:20:25 (18 day(s) left)
------------------------------------

Best regards,
Your support team


---
This message was generated automatically.
Please do not reply to this email.
Regards, Micha
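
The mail above carries each failed challenge as JSON, with one validationRecord entry per fetch the validator recorded. As an added example (not part of the original post and not KeyHelp code), this Python script lists those fetches in order with the address family used and points at the last one; the sample input is constructed, with placeholder host, token and documentation addresses.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample shaped like the "Full response" field of the mail;
# host, token and addresses are placeholders, not values from the thread.
SAMPLE_CHALLENGE = r'''
{"type": "http-01", "status": "invalid", "token": "TOKEN",
 "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400,
           "detail": "192.0.2.10: Fetching https:\/\/example.org\/.well-known\/acme-challenge\/TOKEN: Error getting validation data"},
 "validationRecord": [
  {"url": "http:\/\/example.org\/.well-known\/acme-challenge\/TOKEN", "hostname": "example.org",
   "port": "80", "addressesResolved": ["192.0.2.10", "2001:db8::10"], "addressUsed": "2001:db8::10"},
  {"url": "http:\/\/example.org\/.well-known\/acme-challenge\/TOKEN", "hostname": "example.org",
   "port": "80", "addressesResolved": ["192.0.2.10", "2001:db8::10"], "addressUsed": "192.0.2.10"},
  {"url": "https:\/\/example.org\/.well-known\/acme-challenge\/TOKEN", "hostname": "example.org",
   "port": "443", "addressesResolved": ["192.0.2.10", "2001:db8::10"], "addressUsed": "2001:db8::10"}]}
'''


def family(addr):
    """Return 'IPv4' or 'IPv6', or 'unknown' if the field is empty or malformed."""
    try:
        return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"
    except ValueError:
        return "unknown"


def attempts(challenge):
    """One (scheme, port, family, address) tuple per validationRecord entry, in order."""
    out = []
    for rec in challenge.get("validationRecord", []):
        addr = rec.get("addressUsed", "")
        out.append((urlsplit(rec["url"]).scheme, int(rec["port"]), family(addr), addr))
    return out


def diagnose(raw):
    """Turn one challenge object (JSON text) into a list of plain-text findings."""
    challenge = json.loads(raw)
    records = challenge.get("validationRecord", [])
    hops = attempts(challenge)
    findings = []
    err = challenge.get("error", {}).get("type", "")
    if challenge.get("status") == "invalid" and err.endswith(":connection"):
        findings.append("connection error: the validator could not complete a fetch")
    resolved = {family(a) for rec in records for a in rec.get("addressesResolved", [])}
    if {"IPv4", "IPv6"} <= resolved:
        findings.append("dual-stack name: both A and AAAA records were resolved")
    if hops:
        scheme, port, fam, addr = hops[-1]
        findings.append(f"last recorded attempt: {scheme} to [{addr}]:{port} over {fam}")
        if fam == "IPv6":
            host = records[-1].get("hostname", "<host>")
            findings.append(f"confirm from an outside host that {host} answers on "
                            f"port {port} over IPv6, or remove the AAAA record")
    return findings


if __name__ == "__main__":
    for step, hop in enumerate(attempts(json.loads(SAMPLE_CHALLENGE)), 1):
        print(step, *hop)
    for line in diagnose(SAMPLE_CHALLENGE):
        print("-", line)
```
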

Re: SSL/TLS certificate problems on server

Post by Alexander »

Greetings,

search for the message: "Error getting validation data". That turns up a few posts from the Let's Encrypt Community.

You can also take a look with this: https://letsdebug.net/
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************

Re: SSL/TLS certificate problems on server

Post by MLan »


Re: SSL/TLS certificate problems on server

Post by 24unix »

Many thanks to you both, sometimes you really get tunnel vision.
Regards, Micha

Re: SSL/TLS certificate problems on server

Post by 24unix »

Edit: The problem seems to lie with IPv6; I currently cannot ping the host via IPv6 from home or from another vServer, I'm checking that.

Hm, I celebrated too soon; when I got home earlier and clicked on the posts I thought, OK, something is messed up in my DNS.
But that looks OK.

I basically always get the following message:
AAAANotWorking
ERROR
crowddataworker.de has an AAAA (IPv6) record (2a01:238:42db:7400:d0ef:e94b:7f8a:6f55) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
Probably a misunderstanding on my part.

I have enabled http => https for all domains.

Code: Select all

Get "http://crowddataworker.de/.well-known/acme-challenge/letsdebug-test": dial tcp [2a01:238:42db:7400:d0ef:e94b:7f8a:6f55]:80: connect: permission denied
Shouldn't a redirect happen there instead of the permission denied?

That looks OK, doesn't it:

Code: Select all

% host crowddataworker.de
crowddataworker.de has address 85.214.79.33
crowddataworker.de has IPv6 address 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55
crowddataworker.de mail is handled by 10 mail.crowddataworker.de.

2: venet0: <BROADCAST,POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default
    link/void
    inet 127.0.0.1/32 scope host venet0
       valid_lft forever preferred_lft forever
    inet 85.214.79.33/32 brd 85.214.79.33 scope global venet0:0
       valid_lft forever preferred_lft forever
    inet6 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55/128 scope global
       valid_lft forever preferred_lft forever
What surprises me is that it worked for months without problems; for three days the mails have been coming, but I haven't changed anything in the setup.

Edit2:

IONOS

Code: Select all

root@jarjar : ~
[2] # ping6 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55
PING 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55(2a01:238:42db:7400:d0ef:e94b:7f8a:6f55) 56 data bytes
From 2a01:238:10c:0:1042:2062:1082:1 icmp_seq=1 Destination unreachable: Administratively prohibited
NetCup:

Code: Select all

# ping6 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55
PING 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55(2a01:238:42db:7400:d0ef:e94b:7f8a:6f55) 56 data bytes
From 2a01:238:10c:0:1042:2062:1082:1 icmp_seq=1 Destination unreachable: Administratively prohibited [
At home:

Code: Select all

 % ping6 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55
PING6(56=40+8+8 bytes) 2a03:7847:2252:199:d9a6:fee0:8c36:c830 --> 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55
^C
--- 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55 ping6 statistics ---
9 packets transmitted, 0 packets received, 100.0% packet loss
Regards, Micha

Re: SSL/TLS certificate problems on server

Post by MLan »

Code: Select all

curl -4 -I https://crowddataworker.de/
HTTP/2 200  OK

Code: Select all

curl -6 -I http://crowddataworker.de/
curl -6 -I https://crowddataworker.de/

curl: (7) Failed to connect to crowddataworker.de port 443: Permission denied
Firewall?
Wrong IPv6 in DNS?

Re: SSL/TLS certificate problems on server  [SOLVED]

Post by 24unix »

MLan wrote: Tue 9. Aug 2022, 18:24

Code: Select all

curl -4 -I https://crowddataworker.de/
HTTP/2 200  OK

Code: Select all

curl -6 -I http://crowddataworker.de/
curl -6 -I https://crowddataworker.de/

curl: (7) Failed to connect to crowddataworker.de port 443: Permission denied
Firewall?
Strato, unlike IONOS, has no firewall in front of the boxes.
In the KH firewall 80/443 is allowed, regardless of protocol.


Wrong IPv6 in DNS?

IP in the panel: 2a01:238:42db:7400:d0ef:e94b:7f8a:6f55
Identical to the one shown at Strato, identical to the one the server has and with which it can ping itself.


Apache knows the domain too:
port 443 namevhost crowddataworker.de (/etc/apache2/keyhelp/vhosts/tracer.conf:901)

curl -6 -I http://crowddataworker.de/
curl: (7) Failed to connect to crowddataworker.de port 80 after 4041 ms: Connection refused

There I get connection refused from home instead of denied as in your case.
But why won't it?

It ran for months without problems :-(
Regards, Micha

Re: SSL/TLS certificate problems on server

Post by 24unix »

So, problem solved.

For whatever reason the IPv6 address was no longer reachable; support apparently got it sorted.

So, if an AAAA record exists, the machine must also be reachable via it; LE does not fall back to the A address.
Regards, Micha

Re: SSL/TLS certificate problems on server

Post by Tobi »

24unix wrote: Wed 10. Aug 2022, 11:36 So, if an AAAA record exists, the machine must also be reachable via it; LE does not fall back to the A address.
That would also be rather questionable for an SSL check.
You announce your IPv6 address via DNS and want to validate it for an SSL certificate.
An IPv4 address can't simply be used instead.
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers

Re: SSL/TLS certificate problems on server

Post by 24unix »

Tobi wrote: Wed 10. Aug 2022, 12:11
24unix wrote: Wed 10. Aug 2022, 11:36 So, if an AAAA record exists, the machine must also be reachable via it; LE does not fall back to the A address.
That would also be rather questionable for an SSL check.
You announce your IPv6 address via DNS and want to validate it for an SSL certificate.
An IPv4 address can't simply be used instead.

Why not?
The cert confirms the domain, not addresses.
It can always happen that (as in my case) the link fails. Annoying if no new cert is issued because of that.

In my BindAPI I always do a fallback when v6 is not reachable and both are configured.
Regards, Micha

Re: SSL/TLS certificate problems on server

Post by Tobi »

Because IPv4 and IPv6 do not necessarily have to reside on the same machine.
Your "IPv4 fallback" would undermine the entire system…
Regards,
Tobi

Re: SSL/TLS certificate problems on server

Post by 24unix »

Tobi wrote: Wed 10. Aug 2022, 19:00 Because IPv4 and IPv6 do not necessarily have to reside on the same machine.
Of course not.
Tobi wrote: Wed 10. Aug 2022, 19:00 Your "IPv4 fallback" would undermine the entire system…
No.

It's about the domain, not the addresses.
What do you want to undermine there?
Only I have access to my domain/my DNS.
Regards, Micha