SSL/TLS certificate problems on server...  [SOLVED]

gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

SSL/TLS certificate problems on server...

Post by gusarg81 »

Hi,

Since this week I have been receiving these emails, with the subject "SSL/TLS certificate problems on server server.gdnet.ar" (server.gdnet.ar is the domain of my server), with this message:
Hello gdnet!

During the routine check of the SSL/TLS certificates, the following problems occurred:

------------------------------------
Certificate name: chat.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:10:25 (14 day(s) left)


Certificate name: kanban.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:08:24 (14 day(s) left)


Certificate name: netdata.gdnet.ar (Let's Encrypt)

Curl: Could not resolve host: acme-v02.api.letsencrypt.org (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:12:38 (14 day(s) left)


Certificate name: projects.gdnet.ar (Let's Encrypt)

Curl: Resolving timed out after 15000 milliseconds (https://acme-v02.api.letsencrypt.org/directory)
Valid until: 2021-10-21 20:16:13 (14 day(s) left)
------------------------------------

Best regards,
Your support team


---
This message was generated automatically.
Please do not reply to this email.
Now, all those domains do respond locally (and of course outside the server). What could be causing this problem suddenly? Some kind of "automatic" blocking of letsencrypt domains/services?

Like I said, this is new. Never received these messages.

Thanks in advance.
nikko
Posts: 914
Joined: Fri 15. Apr 2016, 16:11

Re: SSL/TLS certificate problems on server...

Post by nikko »

From the "14 days left" I see, so I think, that this is the first message. Maybe a temporary problem at LE.
But if the message comes nightly again and again... Have you modified the OS or the system? Does your provider use new firewall rules?
Can you add a subdomain with a new certificate?
The software said: Requires Win Vista®, 7®, 8® or better. And so I installed Linux.
gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

nikko wrote: Thu 7. Oct 2021, 23:00 From the "14 days left" I see, so I think, that this is the first message. Maybe a temporary problem at LE.
But if the message comes nightly again and again... Have you modified the OS or the system? Does your provider use new firewall rules?
Can you add a subdomain with a new certificate?
Hi,

I didn't modify anything on my server at all. And no, it is not the first. This is the 5th day by now with the same message.

No firewall rules changed, no DNS changed. Like I said, all those domains do respond locally (tested with host and nslookup).

Is there a way to test it? Maybe disabling Let's Encrypt and enabling it again for those domains? I have other domains with Let's Encrypt which are not included in the message list, which is even more weird.
nikko
Posts: 914
Joined: Fri 15. Apr 2016, 16:11

Re: SSL/TLS certificate problems on server...

Post by nikko »

gusarg81 wrote: Thu 7. Oct 2021, 23:50
nikko wrote: Thu 7. Oct 2021, 23:00 Can you add a subdomain with a new certificate?
Maybe disabling Let's Encrypt and enabling it again for those domains?
Sure, two ways to find out more. Pls have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for further information.

Which OS is running? Virtual machine, which virtualization?
The software said: Requires Win Vista®, 7®, 8® or better. And so I installed Linux.
Alexander
Keyweb AG
Posts: 3809
Joined: Wed 20. Jan 2016, 02:23

Re: SSL/TLS certificate problems on server...

Post by Alexander »

Can you ping the domain "acme-v02.api.letsencrypt.org" from your server?

You can also try to manually trigger the renew of certificates. To do so, enter the command: "keyhelp-toolbox" in the CLI and navigate to "6)" -> "8)".
Maybe your server has some kind of capacity issues, when performing this renew during the default time frame.
Best regards
Alexander Mahr

**************************************************************
Keyweb AG - The Hosting Brand
Neuwerkstr. 45/46, 99084 Erfurt / Germany
http://www.keyweb.de - http://www.keyhelp.de
**************************************************************
gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

nikko wrote: Fri 8. Oct 2021, 06:06
gusarg81 wrote: Thu 7. Oct 2021, 23:50
nikko wrote: Thu 7. Oct 2021, 23:00 Can you add a subdomain with a new certificate?
Maybe disabling Let's Encrypt and enabling it again for those domains?
Sure, two ways to find out more. Pls have a look into -> Admin -> System Status -> Logs (ssl-maintenance.log) for further information.

Which OS is running? Virtual machine, which virtualization?
OS: Ubuntu 20.04 (fresh installed when migrated to KeyHelp). Native installation (no VM).
Attached log.
Attachments
ssl-maintenance.log
(8.66 KiB) Downloaded 171 times
gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

Could this be a problem? For example, one of the domains that is failing (chat.gdnet.ar): I have custom settings for Apache in all those domains that are failing, like this one:
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
RewriteRule .* ws://127.0.0.1:3001%{REQUEST_URI} [P]

ProxyPassMatch "^/(sockjs\/.*\/websocket)$" "ws://127.0.0.1:3001/$1"
ProxyPass "/" "http://127.0.0.1:3001/"
ProxyPassReverse "/" "http://127.0.0.1:3001/"
Could this be the problem?

The weird thing is that it is not new; I applied these settings the first day I migrated to KeyHelp months ago.
Tobi
Community Moderator
Posts: 2812
Joined: Thu 5. Jan 2017, 13:24

Re: SSL/TLS certificate problems on server...  [SOLVED]

Post by Tobi »

Try adding

ProxyPass /.well-known/acme-challenge !

before this line

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers
gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

Tobi wrote: Sat 9. Oct 2021, 10:50 Try adding

ProxyPass /.well-known/acme-challenge !

before this line

ProxyPass "/" "http://127.0.0.1:3001/"

This should prevent rewriting the ACME challenge.
Hi,

Now it is working with this. Thanks!
gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

Hi,

I still have this problem with other domains. For example, this one:
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
What is wrong here? Thanks in advance.
Tobi
Community Moderator
Posts: 2812
Joined: Thu 5. Jan 2017, 13:24

Re: SSL/TLS certificate problems on server...

Post by Tobi »

Try ProxyPass before Rewriting.
I would guess the SSL Request is actually upgraded to your webservice.
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers
gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

I've tried that, but it is still not working.

EDIT: also tried:
<Location /.well-known/acme-challenge>
ProxyPass !
</Location>
No success either :(
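
Added example, not part of any post in this thread and not KeyHelp's own configuration: a `RewriteRule` with the `[P]` flag hands the request to mod_proxy by itself, so a `ProxyPass ... !` exclusion does not stop it from proxying `/.well-known/acme-challenge/`. The variant below excludes the challenge path inside mod_rewrite as well; the backend port 3000 is taken from the configuration posted above, and it is an assumption that the challenge files are served from the vhost's own document root.

```apache
# --- Before (as posted earlier in the thread) ---------------------------
# The second rule matches every non-WebSocket request, including
# /.well-known/acme-challenge/<token>, and [P] proxies it to the backend.
# "ProxyPass /.well-known/acme-challenge !" only affects ProxyPass
# mappings; it is never consulted for a request that mod_rewrite has
# already turned into a proxy request.
#
#   RewriteCond %{HTTP:Upgrade} !=websocket [NC]
#   RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

# --- After ---------------------------------------------------------------
RewriteEngine On

# Leave ACME HTTP-01 challenge requests untouched and stop rewriting, so
# Apache serves the token file locally. This rule must come before any
# rule that carries the [P] flag.
RewriteRule ^/\.well-known/acme-challenge/ - [L]

# WebSocket upgrade requests go to the backend over ws://
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule ^/(.*) ws://127.0.0.1:3000/$1 [P,L]

# Everything else goes to the backend over http://
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule ^/(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
# Exclusions are listed before the catch-all mapping they carve out of.
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
```

HTTP-01 validation starts on port 80 and follows redirects, so the exclusion has to be present in every vhost (HTTP and, if redirected, HTTPS) that can receive the challenge request.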
gusarg81
Posts: 33
Joined: Sun 18. Jul 2021, 02:20
Location: Argentina

Re: SSL/TLS certificate problems on server...

Post by gusarg81 »

Hi,

I am still having problems with one subdomain with this. The current setting in the HTTPS directive is:
ProxyPass /.well-known !

RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket [NC]
RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:3000/
ProxyPassReverse / http://127.0.0.1:3000/
But it is not working when auto renewing the cert:
Certificate name: chat.gdnet.ar (Let's Encrypt)
Local resolving checks failed for domain "chat.gdnet.ar". Please ensure that your domain is locally resolvable!
Any idea how to fix this?
BasHeijermans
KeyHelp Translator
Posts: 158
Joined: Mon 20. Jun 2022, 12:01
Location: Heppen Belgium

Re: SSL/TLS certificate problems on server...

Post by BasHeijermans »

Maybe this helps?

https://stackoverflow.com/a/23368060

Person there seems to have the same type of issue.
Greetings Bas.

Ik heb KeyHelp naar het Nederlands vertaald, contacteer me als er translatie fouten zijn.
(I have translated KeyHelp into Dutch, contact me if there are translation errors.)
Next version 24 of KeyHelp 100% translated.