Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 29

Thread: LetsEncrypt - SSL certificate is not valid

  1. #11
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Quote Originally Posted by LHammonds View Post
    I do not see the [installed] text at the end. How did you install certbot? Compiled from source?

    Try these commands:
    Code:
    certbot --version
    certbot 0.40.0
    Code:
    which certbot
    /usr/bin/certbot
    Thanks for the reply!

    Code:
    certbot 1.8.0
    /usr/local/sbin/certbot
    
    
    sudo wget https://raw.githubusercontent.com/certbot/certbot/7f0fa18c570942238a7de73ed99945c3710408b4/letsencrypt-auto-source/letsencrypt-auto
    chmod a+x letsencrypt-auto
    ./letsencrypt-auto --dry-run

  2. #12
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    certbot renew --dry-run works without any error output.
    Maybe something is wrong with the intermediate certificates?
    https://scotthelme.co.uk/lets-encryp...ot-expiration/

  3. #13
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Some more details:

    Code:
    # openssl s_client -connect co2avatar.org:443 -servername co2avatar.org -showcerts
    issuer=C = US, O = Let's Encrypt, CN = R3
    
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4595 bytes and written 396 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 407F1D7B08AED29BE618126CF34381CC3247B5A889A22FC71389AE8DCD7763E4
        Session-ID-ctx:  
        Resumption PSK: 93350F9B4946873A683373870A0BAEDBC380E1CCA51FDB8298379C1E8BEC315800F6B1B621D604351CED2EBE29A5B7C1
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 5f 52 15 c7 eb 77 bf d2-fd 39 7a 90 ee 39 46 65   _R...w...9z..9Fe
        0010 - 15 36 a0 68 05 97 1b 64-ad 3f 6f ef dd d5 cf 80   .6.h...d.?o.....
    
        Start Time: 1632763996
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: 81211663644805CE07998F7D255386F3F6431E35D4D4ACCF83B48A4D5BABE571
        Session-ID-ctx:  
        Resumption PSK: A7424C58C4746163739FCA829D7D50F1362A859BDD823BF7AD99D3603D1F2EE4CB19190165577A0794A8216E8A8E99C2
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 95 21 52 17 c3 3f 8a eb-23 1c ce e2 cc 71 f3 12   .!R..?..#....q..
        0010 - 64 f3 fe 85 d6 90 c2 f0-25 95 0e d1 d5 05 d9 c9   d.......%.......
    
        Start Time: 1632763996
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    Last edited by clusterix; 3 Weeks Ago at 06:35 PM.

  4. #14
    Join Date
    Sep 2011
    Location
    Behind you!
    Beans
    1,554
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: LetsEncrypt - SSL certificate is not valid

    Code:
    ls -l /var/lib/letsencrypt/
    My results:
    Code:
    drwxr-xr-x 2 root root 4096 Oct  5  2020 backups
    drwxr-xr-x 2 root root 4096 Mar 31 18:22 http_challenges
    When doing a cert request on my system, the web service (www-data) needs access to read the "http_challenges" folder during the challenge/response, which the permissions that are set allow (755).

    Is this the same place it uses on your system and are the permissions correct?

    Beyond this, I just don't know. I've not needed to troubleshoot certbot much except when there were permission problems or proxies involved.

    LHammonds

  5. #15
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Quote Originally Posted by LHammonds View Post
    Code:
    ls -l /var/lib/letsencrypt/
    My results:
    Code:
    drwxr-xr-x 2 root root 4096 Oct  5  2020 backups
    drwxr-xr-x 2 root root 4096 Mar 31 18:22 http_challenges
    When doing a cert request on my system, the web service (www-data) needs access to read the "http_challenges" folder during the challenge/response, which the permissions that are set allow (755).

    Is this the same place it uses on your system and are the permissions correct?

    Beyond this, I just don't know. I've not needed to troubleshoot certbot much except when there were permission problems or proxies involved.

    LHammonds

    Thank you!
    It just shows a backup folder:
    Code:
    ls -l /var/lib/letsencrypt/
    total 4
    drwxr-xr-x 2 root root 4096 Sep 27 17:47 backups
    
    The certificates are created under /etc/letsencrypt/*, but the apache2 vhost-ssl.conf is no longer created; it seems the validation process no longer works after the latest Ubuntu updates.
    This system worked well for about 2 years ... something has probably changed because of the DST Root CA X3 expiration (maybe preparations for the event on Sept. 30).
    https://medium.com/geekculture/will-...n-d54a018df257

    SSL part of the Apache vhost-ssl.conf:
    Code:
        SSLEngine On
        SSLCertificateFile      "/var/www/imscp/gui/data/certs/domainname.com.pem"
        Header always set Strict-Transport-Security "max-age=0; includeSubDomains"
        SuexecUserGroup vu1763 vu1763

  6. #16
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    I have bought a standard certificate (PositiveSSL) for testing; it works without any issues ...
    so it cannot be caused by the Apache config. Something in OpenSSL or the root certificates (CA) prevents a successful validation with Let's Encrypt.

  7. #17
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Debug output points to the CAfile:
    Code:
    [Tue Sep 28 11:05:05 2021] [debug] iMSCP::Execute::execute: openssl pkey -in /tmp/mBG_0sclG3 -noout
    [Tue Sep 28 11:05:05 2021] [debug] iMSCP::Execute::execute: openssl verify -CAfile /tmp/mzaB8wQu9V -purpose sslserver /tmp/hOq4QUp2Tb
    [Tue Sep 28 11:05:05 2021] [debug] iMSCP::OpenSSL::validateCertificate: error /tmp/hOq4QUp2Tb: verification failed

  8. #18
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    Certs are created under /etc/letsencrypt/*. Now I have added the certs by hand into the control panel SSL cert section.
    Same error message:

    SSL certificate is not valid: C = US, O = Internet Security Research Group, CN = ISRG Root X1 error 2 at 2 depth lookup: unable to get issuer certificate

    which shows that something does not work with the Let's Encrypt validation procedure; a purchased PositiveSSL certificate works.

  9. #19
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    This one is still active and working; my web browser shows it as a valid cert.
    I have checked with openssl verify.

    Ubuntu 18.04.6 LTS result:
    Code:
    # openssl verify -CAfile fullchain1.pem cert1.pem
    C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    error 2 at 1 depth lookup: unable to get issuer certificate
    error cert2.pem: verification failed

    Debian 9 & 10 result:
    Code:
    # openssl verify -CAfile fullchain1.pem cert1.pem
    cert1.pem: OK
    Last edited by clusterix; 3 Weeks Ago at 03:01 PM.

  10. #20
    Join Date
    Dec 2019
    Beans
    27

    Re: LetsEncrypt - SSL certificate is not valid

    After copying the following certificate from Debian to Ubuntu it works:
    /usr/lib/ssl/certs/2e5ac55d.0

    Why is the cert not present in Ubuntu 18.04.6 LTS?
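An added example, not from the thread and not certbot's or iMSCP's code: it builds a throwaway root -> intermediate -> leaf PKI and runs the same check as post #19 (openssl verify -CAfile fullchain leaf) twice, once with an empty trust directory and once after installing the root as a <subject_hash>.0 file, which is how a file like /usr/lib/ssl/certs/2e5ac55d.0 in post #20 gets its name. It assumes openssl 1.1 or later on PATH; all subjects and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway root -> intermediate -> leaf
# PKI, then runs the same check as post #19 (openssl verify -CAfile fullchain leaf)
# twice: once with an empty trust directory, once after dropping the root into a
# directory as <subject_hash>.0, which is how /usr/lib/ssl/certs/2e5ac55d.0 is named.
# Assumes openssl 1.1+ on PATH; all subjects and paths are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_pki() {
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate CA signed by the root; CA:TRUE is required or chain building stops here
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
  # fullchain.pem = leaf + intermediate, as certbot writes it: the root is NOT included
  cat "$WORK/leaf.pem" "$WORK/int.pem" >"$WORK/fullchain.pem"
  mkdir -p "$WORK/empty" "$WORK/store"
}

# Same command as the thread, but with an explicitly empty -CApath so the host's
# /etc/ssl/certs cannot supply the root. Exit status 0 = OK, non-zero = failed.
verify_without_root() {
  openssl verify -CApath "$WORK/empty" -CAfile "$WORK/fullchain.pem" "$WORK/leaf.pem"
}

# Install the root the way ca-certificates / openssl rehash does (<subject_hash>.0),
# then verify again against that directory.
verify_with_root() {
  h=$(openssl x509 -in "$WORK/root.pem" -noout -subject_hash)
  cp "$WORK/root.pem" "$WORK/store/$h.0"
  openssl verify -CApath "$WORK/store" -CAfile "$WORK/fullchain.pem" "$WORK/leaf.pem"
}

gen_pki
echo "== trust dir empty (expect: unable to get issuer certificate at depth 1) =="
verify_without_root || true
echo "== trust dir holds the root as <hash>.0 (expect: OK) =="
verify_with_root
```

The first run reproduces the Ubuntu result from post #19 (the intermediate's issuer cannot be found because fullchain.pem never carries the root), the second the Debian result.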
