
[Letsencrypt] Letsencrypt failed ssl renewal

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Jon Snow, Nov 12, 2017.

  1. eva2000

    Those are normal, as they are deprecated clients which modern ssl certs won't support, so they can be ignored. Modern secure ssl ciphers won't be able to support those clients anymore, unfortunately. WinXP users can somewhat, if they use the latest Firefox browser instead of IE8.
     
  2. Jon Snow

    A competitor site loads on the browser when my site doesn't. The only difference according to the SSL checking site is that their site uses weaker ciphers. They use the same Letsencrypt certificate.
     
  3. eva2000

    Yeah, that is a choice though, for weaker ciphers. If you want that, then edit the nginx ssl domain.com.ssl.conf vhost, comment out the existing ssl_ciphers line and add a new one for
    Code (Text):
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    

    restart nginx
     
  4. Jon Snow

    That worked. What is the downside of doing this? Weaker doesn't mean better, but I just want technical details >.<
     
  5. eva2000

    Basically your site is less secure, i.e. leaking private encrypted data/cookies so attackers could log into your sites etc., and less secure for visitors visiting your site. Though your visitors using such outdated clients/OS are already insecure.

    ssllabs/research

    i.e. RC4 ciphers It is official: RC4 is broken. CVE-2015-2808 | Qualys Community

    Deprecating the RC4 Cipher

    RC4 NOMORE

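As an added illustration of the trade-off discussed in the two posts above (this is example code, not from the thread or from Centmin Mod), the Python script below audits the posted ssl_ciphers value and reports which suites lack forward secrecy, use 3DES, or use CBC rather than an AEAD mode. The cipher string is copied from the post above; the classification rules are my own and assume OpenSSL suite naming.

```python
# Constructed copy of the legacy-compatible ssl_ciphers value posted earlier in this thread.
LEGACY_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

def suites(cipher_string):
    """Split an OpenSSL cipher string into positive suite names, dropping !/-/+/@ modifiers and keywords like HIGH."""
    parts = cipher_string.strip(" ;'\"").split(":")
    return [p for p in parts if p and p[0] not in "!-+@" and "-" in p]

def findings(suite):
    """Return the weaknesses of one suite; an empty list means forward secrecy plus an AEAD mode."""
    out = []
    if not suite.startswith(("ECDHE-", "DHE-", "EDH-")):
        out.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if "RC4" in suite:
        out.append("RC4: broken stream cipher, prohibited by RFC 7465")
    elif "DES-CBC3" in suite or suite.startswith("DES-"):
        out.append("DES/3DES: 64-bit block cipher, long sessions leak plaintext")
    elif not any(tag in suite for tag in ("GCM", "POLY1305", "CCM")):
        out.append("CBC with HMAC instead of an AEAD mode")
    return out

def audit(cipher_string):
    """Summarise a whole cipher string; 'details' maps each suite to its findings."""
    details = {s: findings(s) for s in suites(cipher_string)}
    def count(prefix):
        return sum(1 for f in details.values() if any(x.startswith(prefix) for x in f))
    return {
        "suites": len(details),
        "modern": sum(1 for f in details.values() if not f),
        "no_forward_secrecy": count("no forward"),
        "rc4": count("RC4"),
        "des": count("DES/3DES"),
        "cbc": count("CBC"),
        "details": details,
    }

if __name__ == "__main__":
    report = audit(LEGACY_LIST)
    print({k: v for k, v in report.items() if k != "details"})
    for suite, notes in report["details"].items():
        print(f"{suite:32} {'; '.join(notes) or 'ok'}")
```

Feed it any ssl_ciphers value to see exactly which suites the compatibility list adds beyond the forward-secret AEAD set.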
  6. pamamolf

    Wondering how long I should wait after many pending validations?

    I got the domain validated but the www was not, and then I added the forgotten DNS entries, but now I can see when I run the tool that I am blocked due to the rate limit and many Pending statuses....
     
  7. eva2000

    You can see current rate limit policy at Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
     
  8. Jon Snow

    @eva2000 Any idea about this?

    Code (Text):
    domain.com:Verify error:Fetching https://domain.com/.well-known/acme-challenge/random-numbers-go-here: Timeout during connect (likely firewall problem)
     
  9. eva2000

    Not the same issue as https://community.centminmod.com/threads/letsencrypt-failed-ssl-renewal.13271/page-2#post-56419 ?

    First try running your intended SSL certificate domain through the letsdebug.net online testing tool to check for potential errors with HTTP-01 validation.

    How was the initial letsencrypt ssl certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was the new domain nginx vhost site set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Troubleshooting



    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add and enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check output for the following commands
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    

    Code (Text):
    echo | openssl s_client -connect yourdomain.com:443
    

    Without the answers to above questions and logs, there is nothing to help troubleshoot.

    SSLLabs Test



    Also run your HTTPS domain site through the SSLLabs tester at SSL Server Test (Powered by Qualys SSL Labs); if it says untrusted SSL cert and prompts to continue the test, continue the test.
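To complement the renewal checks listed above (checkdates and openssl s_client), here is an added example, not Centmin Mod or acme.sh code, that parses the notBefore/notAfter lines from `openssl x509 -noout -dates` and classifies the certificate as OK, due for renewal or expired, so a missed acme.sh renewal is caught before visitors see an expired cert. The sample openssl output and the 30-day alert window are my own assumptions.

```python
from datetime import datetime

# Constructed sample of:  echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
# A 90-day certificate as Let's Encrypt issues them; note openssl pads single-digit days with a space.
SAMPLE_DATES = """notBefore=Nov  5 09:14:33 2017 GMT
notAfter=Feb  3 09:14:33 2018 GMT
"""

# Assumption: alert when 30 days or fewer remain; acme.sh's own cron job normally renews well before that.
RENEW_WINDOW_DAYS = 30

def parse_openssl_dates(text):
    """Parse the notBefore/notAfter lines of `openssl x509 -dates` into naive UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            fields = value.split()  # split() collapses the padded day ("Feb  3" -> "Feb 3")
            dates[key] = datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")
    if set(dates) != {"notBefore", "notAfter"}:
        raise ValueError("openssl output did not contain both notBefore and notAfter")
    return dates

def renewal_status(dates, now, window_days=RENEW_WINDOW_DAYS):
    """Classify the certificate as OK, RENEW_DUE or EXPIRED relative to `now` (naive UTC)."""
    remaining = (dates["notAfter"] - now).days
    lifetime = (dates["notAfter"] - dates["notBefore"]).days
    if now > dates["notAfter"]:
        state = "EXPIRED"
    elif remaining <= window_days:
        state = "RENEW_DUE"
    else:
        state = "OK"
    return {"state": state, "days_remaining": remaining, "lifetime_days": lifetime}

if __name__ == "__main__":
    import subprocess, sys
    if len(sys.argv) > 1:  # usage: python3 check_expiry.py yourdomain.com (argument list form, no shell)
        host = sys.argv[1]
        pem = subprocess.run(["openssl", "s_client", "-connect", f"{host}:443", "-servername", host],
                             input="", capture_output=True, text=True).stdout
        text = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                              input=pem, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_DATES
    print(renewal_status(parse_openssl_dates(text), datetime.utcnow()))
```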
     
  10. Jon Snow
