
SSL Letsencrypt Cloudflare OCSP response not successful (unauthorized) while requesting certificate status, responder

Discussion in 'Domains, DNS, Email & SSL Certificates' started by quicksalad, Jul 29, 2022.

  1. quicksalad

    quicksalad Member

    I've been getting these error logs since yesterday. Any ideas or tips on where to start would be helpful. (File attached for reference.)

     

    Last edited: Jul 29, 2022
  2. quicksalad

    quicksalad Member

    Code:
    /var/log/cron-20220724:Jul 24 00:45:01 host CROND[59628]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Code:
    ------------------------------------------------------------------------------
    Version Check:
    ------------------------------------------------------------------------------
    !!!  there maybe a newer version of /usr/local/src/centminmod/addons/acmetool.sh available  !!!
    https://community.centminmod.com/posts/34492/
    update using centmin.sh menu option 23 submenu option 2
    
    or via command: cmupdate
    
    Always ensure Current Version is higher or equal to Latest Version
    ------------------------------------------------------------------------------
    Current acmetool.sh Version: 1.0.79
    Latest acmetool.sh Version: 1.0.82
    ------------------------------------------------------------------------------
    
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    SHA1 Fingerprint=C1234dfsdfdsf1412412141
    certificate expires in -16 days on 12 Jul 2022
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/mydomain.com/mydomain.com-acme.cer
    SHA1 Fingerprint=C85235235213512352352354A4
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=32412552352352351235123
    certificate expires in -16 days on 12 Jul 2022
     
  3. quicksalad

    quicksalad Member

    Code:
    [Thu Jul 28 16:26:07 UTC 2022] ===Starting cron===
    [Thu Jul 28 16:26:07 UTC 2022] Renew: 'mydomain.com'
    [Thu Jul 28 16:26:09 UTC 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu Jul 28 16:26:09 UTC 2022] Multi domain='DNS:mydomain.com,DNS:wwwmydomain.com'
    [Thu Jul 28 16:26:09 UTC 2022] Getting domain auth token for each domain
    [Thu Jul 28 16:26:13 UTC 2022] Getting webroot for domain='mydomain.com'
    [Thu Jul 28 16:26:13 UTC 2022] Getting webroot for domain='www.mydomain.com'
    [Thu Jul 28 16:26:13 UTC 2022] Adding txt value: yfdasfdfasdflezfasdfsdfasdfsd for domain:  _acme-challenge.mydomain.com
    [Thu Jul 28 16:26:13 UTC 2022] You didn't specify a Cloudflare api key and email yet.
    [Thu Jul 28 16:26:13 UTC 2022] You can get yours from here https://dash.cloudflare.com/profile.
    [Thu Jul 28 16:26:13 UTC 2022] Error add txt for domain:_acme-challenge.mydomain.com
    [Thu Jul 28 16:26:13 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-171322-052854.log
    [Thu Jul 28 16:26:15 UTC 2022] Error renew mydomain.com.
    [Thu Jul 28 16:26:15 UTC 2022] ===End cron===
    Code:
    CONNECTED(00000003)
    143423432324322:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 289 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1659026289
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
     
    Last edited: Jul 29, 2022
  4. quicksalad

    quicksalad Member

    Code:
    [Thu Jul 28 16:26:14 UTC 2022] _postContentType='application/jose+json'
    [Thu Jul 28 16:26:14 UTC 2022] Http already initialized.
    [Thu Jul 28 16:26:14 UTC 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Thu Jul 28 16:26:15 UTC 2022] _ret='0'
    [Thu Jul 28 16:26:15 UTC 2022] responseHeaders='HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 28 Jul 2022 16:26:15 GMT
    Content-Type: application/json
    Content-Length: 187
    Connection: keep-alive
    Boulder-Requester: 383536271
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Link: <https://acme-v02.api.letsencrypt.org/acme/authz-v3/136753781262>;rel="up"
    Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/136753781262/AB2hFg
    Replay-Nonce: 2343XfgDbZvbW1XCKYfvqj-oms4326FcTnMvriSHpEQM3bY
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    '
    [Thu Jul 28 16:26:15 UTC 2022] code='200'
    [Thu Jul 28 16:26:15 UTC 2022] original='{
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/136753781262/AB2hFg",
      "token": "SuISthQkKy7OexFW_3xXZsPB3LGvdNiRNqhIlc-5rD2"
    }'
    [Thu Jul 28 16:26:15 UTC 2022] response='{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/136753781262/AB2hFg","token":"SuISthQkKy7OexFW_3xXZsPB3LGvdNiRNqhIlc-5rD2"}'
    [Thu Jul 28 16:26:15 UTC 2022] 'dns_cf,/home/nginx/domains/mydomain.com/public' does not contain 'dns'
    [Thu Jul 28 16:26:15 UTC 2022] pid
    [Thu Jul 28 16:26:15 UTC 2022] No need to restore nginx, skip.
    [Thu Jul 28 16:26:15 UTC 2022] _clearupdns
    [Thu Jul 28 16:26:15 UTC 2022] dns_entries
    [Thu Jul 28 16:26:15 UTC 2022] skip dns.
    [Thu Jul 28 16:26:15 UTC 2022] Return code: 1
    [Thu Jul 28 16:26:15 UTC 2022] Error renew mydomain.com.
    [Thu Jul 28 16:26:15 UTC 2022] _error_level='1'
    [Thu Jul 28 16:26:15 UTC 2022] _set_level='2'
    [Thu Jul 28 16:26:15 UTC 2022] The NOTIFY_HOOK is empty, just return.
    [Thu Jul 28 16:26:15 UTC 2022] [1;32m===End cron===[0m
     
  5. eva2000

    eva2000 Administrator Staff Member

    That is an expected error: an OCSP response would only be valid for valid SSL certificates. Expired SSL certificates won't have a valid OCSP response, which is the purpose of OCSP.

    However, if the issue is that your Letsencrypt SSL certificate issuance failed, then from
    suggests you didn't input a valid Cloudflare API key, as I assume from the instructions at Letsencrypt Free SSL Certificates

    Double-check your persistent config file at /etc/centminmod/custom_config.inc to see if you set it correctly for
    Code (Text):
    CF_DNSAPI_GLOBAL='y'
    CF_Token="YOUR_CF_TOKEN"
    CF_Account_ID="YOUR_CF_ACCOUNT_ID"
    


    It also looks like you haven't updated Centmin Mod lately; try running the cmupdate command
    Code (Text):
    Current acmetool.sh Version: 1.0.79
    Latest acmetool.sh Version: 1.0.82
    
     
  6. quicksalad

    quicksalad Member

    Dear @eva2000
    I set it up 2 months ago.
    Code:
    MARCH_TARGETNATIVE='n'
    LETSENCRYPT_DETECT='y'
    DUALCERTS='y'
    ACMEDEBUG='y'
    CF_DNSAPI_GLOBAL='y'
    CF_Token="randomchartoken"
    CF_Account_ID="randonchars"
    I ran cmupdate and it says already up to date
    Code:
    [02:19][root@thehost.mydoman.com ~]# cmupdate
    No local changes to save
    Already up-to-date.
    No local changes to save
    Already up-to-date.
    Could it be the API permissions? I see no Zone.DNS (please see screenshot)

    Does CF_Token="YOUR_CF_TOKEN" change? How can I check if it is the correct CF_Token I'm using?
    I cannot see my current CF_Token in my CF profile (see screenshot attached)

    Thanks
     


  7. eva2000

    eva2000 Administrator Staff Member

    from Letsencrypt Free SSL Certificates

    cf-api-tokens-acme.sh-dns-00.png

    Run the acmetool.sh check_cfapi command; it only checks that the token is correct, but not whether the permissions are correct
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh check_cfapi
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
    

    Yes, it's only shown at creation time; if you need to change it, then roll the token and regenerate a new one

    cf-api-tokens-acme.sh-dns-roll-00.png
     
  8. quicksalad

    quicksalad Member

    Dear @eva2000
    The result shows it works.
    Code:
    Verifying working Cloudflare DNS API Credentials
    CF API Tokens detected
    Ok: CF API Token works
    
    Could it be permission?
    I edited and changed it now to Zone.Zone, Zone.DNS based on your screenshot.
    No need to roll, right?
     
  9. quicksalad

    quicksalad Member

    I'm still getting this when running
    Code:
     "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    Result:
    Code:
    [Fri Jul 29 04:06:56 UTC 2022] You didn't specify a Cloudflare api key and email yet.
    [Fri Jul 29 04:06:56 UTC 2022] You can get yours from here https://dash.cloudflare.com/profile.
    [Fri Jul 29 04:06:56 UTC 2022] Error add txt for domain:_acme-challenge.mydomain.com
    [Fri Jul 29 04:06:56 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-145423-134638.log
    [Fri Jul 29 04:06:58 UTC 2022] Error renew mydomain.com.
    [Fri Jul 29 04:06:58 UTC 2022] ===End cron===
    Do I need to add CF_Key and CF_Email in custom_config.inc?
     
  10. eva2000

    eva2000 Administrator Staff Member

    It won't work running acme.sh directly the very first time; it only works via centmin.sh menu options for nginx vhost creation or via addons/acmetool.sh, which wraps the acme.sh client with CF DNS API support and then adds the CF DNS API credentials into the acme.sh config for future direct acme.sh runs.

    So one way is to run the acmetool.sh reissue-only command once. Try the added acmetool.sh reissue-only option for existing nginx HTTPS SSL vhosts whose yourdomain.com.ssl.conf vhost config files exist. This only reissues the letsencrypt SSL cert without touching the nginx vhost. It is ideal for use when you tried creating a Nginx HTTPS SSL default vhost site but letsencrypt SSL issuance failed the first time. When it fails, Centmin Mod usually falls back to a self-signed SSL certificate as a placeholder for the yourdomain.com.ssl.conf vhost config. When you run:
    Code (Text):
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only yourdomain.com live
    

    It will only try reissuing the letsencrypt SSL certificate for the domain yourdomain.com as a live production SSL certificate, without touching the existing nginx vhost at yourdomain.com.ssl.conf.
     
  11. quicksalad

    quicksalad Member

    @eva2000 Thanks always.

    I did a reissue yesterday after some reading here. Also, /etc/centminmod/acmetool-config.ini was not present in my config; I assume it is now in custom_config.inc.

    Code:
    cd /usr/local/src/centminmod/addons
    ./acmetool.sh reissue-only yourdomain.com live
    Should I run the code above every time it expires? I think the auto-renew cron failed because of the error below.

    Code:
    [Fri Jul 29 04:06:56 UTC 2022] You didn't specify a Cloudflare api key and email yet.
    [Fri Jul 29 04:06:56 UTC 2022] You can get yours from here https://dash.cloudflare.com/profile.
    [Fri Jul 29 04:06:56 UTC 2022] Error add txt for domain:_acme-challenge.mydomain.com
    [Fri Jul 29 04:06:56 UTC 2022] Please check log file for more details: /root/centminlogs/acmetool.sh-debug-log-145423-134638.log
    [Fri Jul 29 04:06:58 UTC 2022] Error renew mydomain.com.
    [Fri Jul 29 04:06:58 UTC 2022] ===End cron===
     
  12. eva2000

    eva2000 Administrator Staff Member

    No need; after the reissue command the CF DNS API credentials should be added to /root/.acme.sh/account.conf for future acme.sh runs.

    Either config file would work, but I'd use custom_config.inc now, as in future acmetool-config.ini is being repurposed for a new Centmin Mod Nginx vhost creation tool which has better integration with Cloudflare. Preview example at GitHub - centminmod/centminmod-config-json
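
An added example for this thread, not code from Centmin Mod, acme.sh or either poster: a shell check that turns the diagnosis in posts 10 and 12 into something you can run before the next cron renewal. It inspects whether acme.sh itself has Cloudflare credentials saved (the cause of "You didn't specify a Cloudflare api key and email yet." when acme.sh is run directly), whether the domain is recorded as validated via the dns_cf hook, whether the account file holding the DNS API secret is readable only by root, and it classifies a cron log such as the one posted above. Assumptions, none of which the thread confirms: acme.sh's dns_cf hook stores its inputs in $HOME/.acme.sh/account.conf as SAVED_CF_Token and SAVED_CF_Account_ID (or SAVED_CF_Key and SAVED_CF_Email for the global key), the per-domain file $HOME/.acme.sh/DOMAIN/DOMAIN.conf holds the validation method in Le_Webroot, and the Cloudflare zones endpoint used in cf_zone_visible. The function names, the failure classes and the sample files in the usage are mine.

```bash
#!/bin/bash
# Added diagnostic for this thread; not Centmin Mod or acme.sh code.
# Offline checks for "acme.sh --cron" failing with
# "You didn't specify a Cloudflare api key and email yet."
#
# Assumptions (not confirmed by the thread): the dns_cf hook saves its inputs
# to $HOME/.acme.sh/account.conf as SAVED_CF_Token + SAVED_CF_Account_ID
# (scoped token) or SAVED_CF_Key + SAVED_CF_Email (global key), and
# $HOME/.acme.sh/DOMAIN/DOMAIN.conf records the validation method in
# Le_Webroot, which contains "dns_cf" when the DNS API was used.

# conf_get FILE KEY: print the last KEY='value' / KEY="value" in FILE (empty if none).
conf_get() {
  grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | tr -d "\"'"
}

# check_cf_creds ACCOUNT_CONF: 0 if acme.sh has Cloudflare credentials saved.
check_cf_creds() {
  local conf="$1" token account key email
  [ -r "$conf" ] || { echo "missing: $conf is not readable"; return 1; }
  token=$(conf_get "$conf" SAVED_CF_Token)
  account=$(conf_get "$conf" SAVED_CF_Account_ID)
  key=$(conf_get "$conf" SAVED_CF_Key)
  email=$(conf_get "$conf" SAVED_CF_Email)
  if [ -n "$token" ] && [ -n "$account" ]; then
    echo "ok: scoped Cloudflare API token saved in $conf"
    return 0
  fi
  if [ -n "$key" ] && [ -n "$email" ]; then
    echo "warn: global API key saved; prefer a token limited to Zone:DNS:Edit on one zone"
    return 0
  fi
  echo "missing: no SAVED_CF_Token/SAVED_CF_Account_ID in $conf (run acmetool.sh reissue-only once)"
  return 1
}

# check_private FILE: 0 if FILE is accessible by its owner only.
# account.conf holds the DNS API secret; whoever reads it can edit your zone.
check_private() {
  [ -e "$1" ] || { echo "missing: $1"; return 1; }
  if ls -ld "$1" | cut -c5-10 | grep -q '[rwx]'; then
    echo "warn: $1 is group/world accessible; chmod 600 it"
    return 1
  fi
  return 0
}

# domain_uses_dns_cf DOMAIN_CONF: 0 if the domain was validated via dns_cf.
domain_uses_dns_cf() {
  conf_get "$1" Le_Webroot | grep -q 'dns_cf'
}

# classify_renew_log LOGFILE: first matching failure class, or "ok".
classify_renew_log() {
  if grep -q "You didn't specify a Cloudflare api key" "$1"; then
    echo cf-creds-missing
  elif grep -q "Error add txt" "$1"; then
    echo dns-txt-add-failed
  elif grep -q "Error renew" "$1"; then
    echo renew-failed
  else
    echo ok
  fi
}

# cf_zone_visible TOKEN DOMAIN: 0 if the token can list the zone (needs network).
# Passing proves Zone:Read only; DNS:Edit is proven only by an actual record
# write, which check_cfapi does not perform either.
cf_zone_visible() {
  curl -fsS -H "Authorization: Bearer $1" \
    "https://api.cloudflare.com/client/v4/zones?name=$2" | grep -Eq "\"name\": ?\"$2\""
}

# acme_cf_doctor ACME_HOME DOMAIN: run the offline checks against a real install.
acme_cf_doctor() {
  local home="$1" domain="$2" rc=0
  check_cf_creds "$home/account.conf" || rc=1
  check_private "$home/account.conf" || rc=1
  if domain_uses_dns_cf "$home/$domain/$domain.conf"; then
    echo "ok: $domain is recorded as validated via dns_cf"
  else
    echo "note: $domain is not recorded as validated via dns_cf"
  fi
  return $rc
}

# Usage: bash acme-cf-doctor.sh doctor /root/.acme.sh mydomain.com
if [ "${1:-}" = "doctor" ]; then
  acme_cf_doctor "$2" "$3"
fi
```

Run it as root with the acme.sh home and the domain from the cron log; a "missing:" verdict on account.conf means the credentials only live in Centmin Mod's config and a single acmetool.sh reissue-only run (post 10) is what copies them over. The permission check is there because the token in account.conf grants DNS edit rights on the zone, which is enough to pass DNS-01 for anyone who can read the file; a token scoped to Zone:DNS:Edit on one zone limits the blast radius compared with the global CF_Key.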