
Letsencrypt SSL Letsencrypt downtime ?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, May 20, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    53,808
    12,159
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,710
    Local Time:
    3:17 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Anyone got hit by Letsencrypt downtime and not able to renew or create new SSL certificates?

     
  2. eva2000
  3. eva2000
    Yup, can confirm Letsencrypt is still down; can't create or issue new Letsencrypt SSL certs in Centmin Mod 123.09beta01.

    Tried via the nv command with LETSENCRYPT_DETECT='y' set in the persistent config file /etc/centminmod/custom_config.inc as per https://centminmod.com/acmetool.

    The nv command is like Centmin Mod Nginx vhost creation with the -s flags le, led, lelive and lelived enabled for Letsencrypt. The nv command, along with centmin.sh menu options 2 and 22, are the 3 ways you can create Nginx vhost sites in Centmin Mod 123.09beta01+ and higher, as outlined here.
    Code (Text):
    nv
    
    Usage: /usr/bin/nv [-d yourdomain.com] [-s y|n|yd|le|led|lelive|lelived] [-u ftpusername]
    
      -d  yourdomain.com or subdomain.yourdomain.com
      -s  ssl self-signed create = y or n or https only vhost = yd
      -s  le - letsencrypt test cert or led test cert with https default
      -s  lelive - letsencrypt live cert or lelived live cert with https default
      -u  your FTP username
    
      example:
    
      /usr/bin/nv -d yourdomain.com -s y -u ftpusername
      /usr/bin/nv -d yourdomain.com -s n -u ftpusername
      /usr/bin/nv -d yourdomain.com -s yd -u ftpusername
      /usr/bin/nv -d yourdomain.com -s le -u ftpusername
      /usr/bin/nv -d yourdomain.com -s led -u ftpusername
      /usr/bin/nv -d yourdomain.com -s lelive -u ftpusername
      /usr/bin/nv -d yourdomain.com -s lelived -u ftpusername
    

    Create acme.domain.com with HTTPS default via the Letsencrypt -s lelived flag, with pure-ftpd username = FTPUSERNAME
    Code (Text):
    nv -d acme.domain.com -s lelived -u FTPUSERNAME
    

    Fails as the Letsencrypt server is down:
    Code (Text):
    -----------------------------------------------------------
    issue & install letsencrypt ssl certificate for acme.domain.com
    -----------------------------------------------------------
    testcert value = lived
    /root/.acme.sh/acme.sh --issue -d acme.domain.com --days 60 -w /home/nginx/domains/acme.domain.com/public -k 2048 --useragent centminmod-centos7-acmesh-webroot --log /root/centminlogs/acmetool.sh-debug-log-190517-175405.log --log-level 2
    [Fri May 19 17:54:15 UTC 2017] Registering account
    [Fri May 19 17:55:42 UTC 2017] Register account Error: <HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>An error occurred while processing your request.<p>Reference&#32;&#35;97&#46;9cef54b8&#46;1495216541&#46;389d9db9</BODY></HTML>
    [Fri May 19 17:55:42 UTC 2017] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-190517-175405.log
    LECHECK = 1
    
    log files saved at /root/centminlogs
    -rw-r--r--. 1 root root 5.6K May 19 17:55 acmetool.sh-debug-log-190517-175405.log
    -rw-r--r--. 1 root root 3.6K May 19 17:55 acmesh-issue_190517-175405.log
    

    The saved debug log at /root/centminlogs/acmetool.sh-debug-log-190517-175405.log reports a 504 gateway timeout = Letsencrypt server down:
    Code (Text):
    [Fri May 19 17:54:15 UTC 2017] Registering account
    [Fri May 19 17:54:15 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
    [Fri May 19 17:54:15 UTC 2017] payload='{"resource": "new-reg", "agreement": ""}'
    [Fri May 19 17:54:15 UTC 2017] Use cached jwk for file: /root/.acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
    [Fri May 19 17:54:15 UTC 2017] Get nonce.
    [Fri May 19 17:54:15 UTC 2017] GET
    [Fri May 19 17:54:15 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
    [Fri May 19 17:54:15 UTC 2017] timeout
    [Fri May 19 17:54:15 UTC 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header '
    [Fri May 19 17:55:15 UTC 2017] ret='0'
    [Fri May 19 17:55:15 UTC 2017] _headers='HTTP/1.1 504 Gateway Time-out
    Server: AkamaiGHost
    Mime-Version: 1.0
    Content-Type: text/html
    Content-Length: 176
    Expires: Fri, 19 May 2017 17:55:15 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Fri, 19 May 2017 17:55:15 GMT
    Connection: keep-alive
    


    Looks like for Centmin Mod Letsencrypt integration via addons/acmetool.sh, I will need to also look at adding a primed OCSP stapling cache to the Nginx configuration, for issues which affect existing Letsencrypt SSL enabled HTTPS sites when the OCSP stapling response fails due to Letsencrypt server downtime.
     
    Last edited: May 20, 2017
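    One way to implement the primed OCSP stapling cache mentioned above, as an added example that is not Centmin Mod's, acmetool.sh's or acme.sh's own code: a cron-able Python 3 script that fetches the response with `openssl ocsp`, keeps it only if it verifies and is inside its validity window, and atomically swaps it into the file nginx loads via `ssl_stapling_file`. The issuer path, the `.ocsp` file name and the sample outputs are assumptions constructed for this example; the cert path follows the layout shown in this thread.

```python
"""Prime nginx's OCSP stapling cache (ssl_stapling_file) for one Let's Encrypt cert: only
a response that verifies and is still valid replaces the saved file, so an outage cannot poison it."""
import os, re, subprocess
from datetime import datetime, timedelta, timezone

# Cert path follows the Centmin Mod layout in this thread; the issuer file and the
# .ocsp file name are assumptions for this example, not Centmin Mod's own naming.
SSL_DIR = "/usr/local/nginx/conf/ssl/acme.domain.com"
CERT = f"{SSL_DIR}/acme.domain.com-acme.cer"
ISSUER = "/root/.acme.sh/acme.domain.com/ca.cer"  # assumed: intermediate saved by acme.sh
STAPLE = f"{SSL_DIR}/acme.domain.com.ocsp"        # assumed: nginx ssl_stapling_file target

def parse_ocsp_time(s):
    """Parse the timestamp format `openssl ocsp` prints, e.g. 'May 26 17:00:00 2017 GMT'."""
    return datetime.strptime(s.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_ocsp_report(text):
    """Pull the verdict fields out of the combined stdout/stderr of `openssl ocsp`."""
    status = re.search(r":\s+(good|revoked|unknown)\s*$", text, re.M)
    this = re.search(r"This Update:\s*(.+)$", text, re.M)
    nxt = re.search(r"Next Update:\s*(.+)$", text, re.M)
    return {"verified": "Response verify OK" in text,
            "status": status.group(1) if status else None,
            "this_update": parse_ocsp_time(this.group(1)) if this else None,
            "next_update": parse_ocsp_time(nxt.group(1)) if nxt else None}

def usable(report, now, margin=timedelta(hours=1)):
    """Cache only a verified 'good' response that is valid now and stays so for `margin`."""
    return (report["verified"] and report["status"] == "good"
            and report["this_update"] is not None and report["this_update"] <= now
            and report["next_update"] is not None and report["next_update"] - now >= margin)

def prime(now=None):
    """Fetch, check and atomically install a fresh response; returns True on success."""
    uri = subprocess.run(["openssl", "x509", "-in", CERT, "-noout", "-ocsp_uri"],
                         capture_output=True, text=True, check=True).stdout.strip()
    tmp = STAPLE + ".tmp"
    proc = subprocess.run(["openssl", "ocsp", "-no_nonce", "-issuer", ISSUER, "-cert", CERT,
                           "-VAfile", ISSUER, "-url", uri, "-respout", tmp], capture_output=True, text=True)
    report = parse_ocsp_report(proc.stdout + proc.stderr)
    if proc.returncode != 0 or not usable(report, now or datetime.now(timezone.utc)):
        if os.path.exists(tmp):
            os.unlink(tmp)       # responder down or bad answer: keep the old cached response
        return False
    os.replace(tmp, STAPLE)      # atomic swap so nginx never reads a half-written file
    subprocess.run(["/usr/bin/ngxreload"], check=False)
    return True

SAMPLE_OK = f"Response verify OK\n{CERT}: good\n\tThis Update: May 19 17:00:00 2017 GMT\n\tNext Update: May 26 17:00:00 2017 GMT\n"  # constructed
SAMPLE_OUTAGE = "Error querying OCSP responder\n"  # constructed: what a 504 from the responder looks like to openssl
```

    Point the vhost at the file with `ssl_stapling on; ssl_stapling_file /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com.ocsp;` and run `prime()` from cron more often than the response's Next Update interval, so nginx always has a valid response to staple even while the responder is unreachable.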
  4. eva2000
    OCSP is down too http://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/591ed0da457ea42d38001796
     
  5. eva2000
    Looks like they're finally back https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/591e962c4f9ef22239001819

    OCSP and issuance outage, 2017-05-19

    Test Centmin Mod issuing and creating an Nginx vhost with HTTP/2 HTTPS and a Letsencrypt SSL cert:
    Code (Text):
    nv -d acme.domain.com -s lelived -u FTPUSERNAME
    

    Code (Text):
    -----------------------------------------------------------
    install cert
    -----------------------------------------------------------
    /root/.acme.sh/acme.sh --installcert -d acme.domain.com --certpath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key --capath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-fullchain-acme.key
    [Fri May 19 23:51:58 UTC 2017] Installing cert to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    [Fri May 19 23:51:58 UTC 2017] Installing CA to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    [Fri May 19 23:51:58 UTC 2017] Installing key to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.key
    [Fri May 19 23:51:58 UTC 2017] Installing full chain to:/usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-fullchain-acme.key
    [Fri May 19 23:51:58 UTC 2017] Run reload cmd: /usr/bin/ngxreload
    Reloading nginx configuration (via systemctl):  [  OK  ]
    [Fri May 19 23:51:58 UTC 2017] Reload success
    
    letsencrypt ssl certificate setup completed
    ssl certs located at: /usr/local/nginx/conf/ssl/acme.domain.com
    

    Code (Text):
    ./acmetool.sh checkdates
    
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/acme.domain.com/acme.domain.com-acme.cer
    SHA1 Fingerprint=D618128719F308ADDAAB82E0EB18CEF17277****
    certificate expires in 88 days on 17 Aug 2017
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/acme.domain.com/acme.domain.com.cer
    SHA1 Fingerprint=D618128719F308ADDAAB82E0EB18CEF17277****
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=D618128719F308ADDAAB82E0EB18CEF17277****
    certificate expires in 88 days on 17 Aug 2017
    
     
    Last edited: May 20, 2017
  6. eva2000
    More info for the OCSP related downtime from Josh from Let's Encrypt here: "First, my apologies for the trouble this has cause..." | Hacker News