LetsEncrypt - SSL certificate is not valid

  • Of all the fixes, this is the only one that worked for me on Ubuntu 18.04 with php7.1 (i-MSCP 1.5.3 Build: 2018120800).

  • kess, thank you for your work!

    The certificates are created correctly, but the apache vhost ssl.conf files are no longer created automatically ...

    They all are created correctly for me... on all of my servers


    The only issue is that sometimes you need to revoke and then recreate the certificate in order to work correctly.

  • Hi Kess,


    Thanks for your "snapd" solution. It works on several servers running


    Distributor ID: Debian

    Description: Debian GNU/Linux 9.13 (stretch)

    Release: 9.13

    Codename: stretch


    i-MSCP 1.5.3

    Build: 2018120800

    Codename: Ennio Morricone


    and finally the renewals work too. :thumbsup:


    For the results, have a look at

    https://www.ssllabs.com/ssltes…tewerk.net&hideResults=on

    // Rating A+


    https://www.ssllabs.com/ssltes…tewerk.net&hideResults=on

    // Rating B


    Have a nice day

    HanjoLIx

    Do it today, tomorrow it may be taxed or illegal...


  • They all are created correctly for me... on all of my servers


    The only issue is that sometimes you need to revoke and then recreate the certificate in order to work correctly.


    works perfectly!

    I had to clean up some old DST Root CA X3 stuff and had to use "sudo" for the snap install ...

    Many thanks!


  • It seems we need to use the vege.net fix (OpenSSL.pm line 134) when running the i-MSCP re-configuration (installer) task ...

    The panel & customer certs are marked as invalid after an i-MSCP re-configuration:

    Code
    [DEBUG] iMSCP::OpenSSL::validateCertificate: error /etc/imscp/imscp_services.pem: verification failed
    [DEBUG] iMSCP::LockFile::release: Releasing exclusive lock on /var/lock/imscp.lock
    [FATAL] Missing or bad entry found in configuration file.
    [ERROR] iMSCP::Dialog::_execute: Failed dialog:
  • re-configuration tasks:

    With a new system it seems to work if all certs have been created with the snap certbot kess fix ...

    However, existing LE certs with the old chain are marked as invalid and the apache ssl configs are deleted.

    To avoid the problem you would have to replace all old chain1.pem and fullchain1.pem with the new ones:


    Does anyone have an idea how to repair the whole thing for all chains under "/etc/letsencrypt/archive/*/" at once?


    Maybe a bash script which processes all the subfolders in a loop ...


  • Hello,
    Below I will present a workaround for issues with Let's Encrypt.


    ATTENTION !!
    The workaround below is only a workaround and is not a 100% fix for the issue created by the certificate publisher Let's Encrypt !! You use it at your own risk.

    Applying this patch may cause Apache2 to stop or crash !!


    Edit File: /var/www/imscp/engine/PerlLib/Modules/SSLcertificate.pm


    Before: (currently)

    Code
    155: # Check certificate chain
    156: $rs = $openSSL->validateCertificateChain();
    157:
    158: # Create certificate chain (private key, certificate and CA bundle)
    159: $rs ||= $openSSL->createCertificateChain();

    After: (FIX)

    Code
    155: # Check certificate chain
    156: # $rs = $openSSL->validateCertificateChain();
    157:
    158: # Create certificate chain (private key, certificate and CA bundle)
    159: # $rs ||= $openSSL->createCertificateChain();
    160: $openSSL->createCertificateChain();

    ATTENTION !!


    Remember this is just a workaround !!
    The above fix also applies to native certificate handling in the i-MSCP panel.


    ================


    EDIT: 03.11.2021


    ATTENTION !!


    Please select and do just one fix for this problem !!
    If you chose the first workaround, do not apply the fix below unless you revert the changes from the previous step.


    Or a safer form of amendment:


    Edit File: /var/www/imscp/gui/plugins/LetsEncrypt/backend/LetsEncrypt.pm


    Before: (currently)

    Code
    616: $self->{'_dbh'}->do(
    617: "INSERT INTO ssl_certs (domain_id, domain_type, private_key, certificate, ca_bundle, status) VALUES (?, ?, ?, ?, ?, 'toadd')",
    618: undef, $certData->{'domain_id'}, $certData->{'domain_type'}, $certData->{'files'}->{'privkey'}, $certData->{'files'}->{'cert'},
    619: $certData->{'files'}->{'chain'}
    620: );

    After: (FIX)

    Code
    616: $self->{'_dbh'}->do(
    617: "INSERT INTO ssl_certs (domain_id, domain_type, private_key, certificate, status) VALUES (?, ?, ?, ?, 'toadd')",
    618: undef, $certData->{'domain_id'}, $certData->{'domain_type'}, $certData->{'files'}->{'privkey'}, $certData->{'files'}->{'cert'}
    619: );


    and


    Before: (currently)

    Code
    623: $self->{'_dbh'}->do(
    624: "UPDATE ssl_certs SET private_key = ?, certificate = ?, ca_bundle = ?, status = 'tochange' WHERE cert_id = ?",
    625: undef, $certData->{'files'}->{'privkey'}, $certData->{'files'}->{'cert'}, $certData->{'files'}->{'chain'}, $certId
    626: );

    After: (FIX)

    Code
    623: $self->{'_dbh'}->do(
    624: "UPDATE ssl_certs SET private_key = ?, certificate = ?, status = 'tochange' WHERE cert_id = ?",
    625: undef, $certData->{'files'}->{'privkey'}, $certData->{'files'}->{'cert'}, $certId
    626: );


    Then you need to revoke the damaged Let's Encrypt certificate installations for the domains and re-create the vhost without using the CA certificate chain, which is verified before installation.


    The problem is that Let's Encrypt issues an intermediate "ISRG Root X1" certificate signed by the expired "DST Root CA X3" when signing the certificate, instead of using the new "ISRG Root X1" certificate of the same type as the old "DST Root CA X3" certificate, i.e. self-signed.



    Both of my patches were checked and approved by me before I posted them here.
    My system is: Debian Stretch 9.13


  • None of the fixes mentioned worked for me. I'm on Ubuntu 18.04.

    I revoked all my LE SSL keys from the panel and generated them from the command-line certbot (it generates the SSL cert and the vhost). OK, the panel doesn't show me that the subdomain has SSL, but it is working without any error.

    It's a temporary fix for me, because it was annoying that all my SSL vhosts were broken, and I know it's not an ideal workaround.

  • I am a little overwhelmed by the amount of different solutions here. Are there special solutions for different operating systems?
    Could anybody sum up which solutions are the most effective and lasting ones and how to step by step get it done for someone who doesn't work on servers regularly?

    Thank you!

  • I am a little overwhelmed by the amount of different solutions here. Are there special solutions for different operating systems?
    Could anybody sum up which solutions are the most effective and lasting ones and how to step by step get it done for someone who doesn't work on servers regularly?

    Thank you!


    Here is how I resolved it, and I think it might help if your issue was with running


    Code
    openssl verify -CAfile chain1.pem cert1.pem


    It's returning


    Code
    C=US, O=Internet Security Research Group, CN=ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error cert1.pem: verification failed


    Then your CA file is missing some certificates, and you can download all the needed certs using the following combined command, which will generate combined_chain1.pem:

    Code
    wget -O isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem && \
    wget -O isrg-root-x1-cross-signed.pem https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem && \
    wget -O lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem && \
    wget -O lets-encrypt-r3-cross-signed.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem && \
    cat isrgrootx1.pem isrg-root-x1-cross-signed.pem lets-encrypt-r3.pem lets-encrypt-r3-cross-signed.pem > combined_chain1.pem


    With combined_chain1.pem run

    Code
    openssl verify -CAfile combined_chain1.pem cert1.pem


    and it should return


    Code
    cert1.pem: OK


    With thanks.

    Zakaria.
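As an added example (not code from this thread, from i-MSCP or from certbot), the Python script below does offline what fulltilt asked for over "/etc/letsencrypt/archive/*/" and what Zakaria diagnosed with openssl verify: it lists the subject/issuer links in a PEM bundle, flags any certificate still issued by the expired DST Root CA X3, and replays the issuer lookup that produces "unable to get issuer certificate" at a given depth. The function names (toy_cert, chain_links, uses_expired_cross_sign, find_anchor), the hostname example.test and the sample certificates are all constructed here; the samples carry the real Let's Encrypt CA names but dummy keys and signatures, and only the standard library is used.

```python
"""Inspect Let's Encrypt PEM chains with the standard library only.

Added example for this thread, not code from i-MSCP, certbot or any poster.
A minimal DER walker pulls subject and issuer CN out of each certificate; the
sample certificates are constructed (real CA names, dummy keys) to run offline.
"""
import base64
import re
import sys

CN_OID = b"\x55\x04\x03"  # id-at-commonName, 2.5.4.3
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(tag, body):  # DER encoder, used only to build the constructed samples
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _name(cn):  # Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x13, cn.encode()))))

def toy_cert(subject, issuer):
    """Constructed X.509 v3 shell: real field layout, dummy key and signature."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"210101000000Z") + _tlv(0x17, b"300101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" * 9))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer) + validity + _name(subject) + spki)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 9))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _read(buf, pos):
    """(tag, value_start, value_end) of the TLV at pos, long-form lengths included."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    pos = start
    while pos < end:
        tag, vs, ve = _read(buf, pos)
        yield tag, vs, ve
        pos = ve

def _common_name(buf, start, end):
    for _, rs, re_ in _children(buf, start, end):        # each RDN (SET)
        for _, as_, ae in _children(buf, rs, re_):       # each AttributeTypeAndValue
            (_, os_, oe), (_, vs, ve) = list(_children(buf, as_, ae))[:2]
            if buf[os_:oe] == CN_OID:
                return buf[vs:ve].decode("utf-8", "replace")
    return None

def subject_issuer(der):
    """(subject CN, issuer CN) of one DER-encoded certificate."""
    _, cs, _ = _read(der, 0)                  # Certificate
    _, ts, te = _read(der, cs)                # tbsCertificate
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                  # optional [0] version
        fields = fields[1:]
    # now: serial, signature alg, issuer, validity, subject, spki, ...
    return _common_name(der, *fields[4][1:]), _common_name(der, *fields[2][1:])

def chain_links(pem_text):
    """[(subject, issuer), ...] in file order, leaf first for a fullchain."""
    ders = [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]
    return [subject_issuer(der) for der in ders]

def uses_expired_cross_sign(pem_text):
    return any(issuer == "DST Root CA X3" for _, issuer in chain_links(pem_text))

def find_anchor(cert_pem, ca_pem, max_depth=10):
    """Replay the lookup behind `openssl verify -CAfile ca.pem cert.pem`: follow
    issuer names through every available cert until a self-signed one is reached.
    Returns ("OK", None) or ("unable to get issuer certificate", (depth, issuer))."""
    pool = {}
    for sub, iss in chain_links(cert_pem) + chain_links(ca_pem):
        pool.setdefault(sub, set()).add(iss)
    stack, failure = [(chain_links(cert_pem)[0], 0)], None
    while stack:
        (sub, iss), depth = stack.pop()
        if sub == iss:                                    # reached a root
            return "OK", None
        if iss not in pool or depth >= max_depth:
            if failure is None or depth > failure[0]:    # deepest miss, like openssl
                failure = (depth, iss)
            continue
        stack.extend(((iss, nxt), depth + 1) for nxt in pool[iss])
    return "unable to get issuer certificate", failure

# Constructed samples: real Let's Encrypt CA names, dummy keys and signatures.
LEAF = toy_cert("example.test", "R3")
R3 = toy_cert("R3", "ISRG Root X1")
R3_CROSS = toy_cert("R3", "DST Root CA X3")
ISRG_X1_CROSS = toy_cert("ISRG Root X1", "DST Root CA X3")  # the cross-sign
ISRG_X1_SELF = toy_cert("ISRG Root X1", "ISRG Root X1")     # the self-signed root
SHORT_CHAIN = LEAF + R3
LONG_CHAIN = LEAF + R3 + ISRG_X1_CROSS
COMBINED = ISRG_X1_SELF + ISRG_X1_CROSS + R3 + R3_CROSS   # like combined_chain1.pem

if __name__ == "__main__":
    # Pass fullchain files (e.g. /etc/letsencrypt/archive/*/fullchain*.pem) to inspect;
    # with no arguments, replay the thread's failing and fixed lookups.
    for path in sys.argv[1:]:
        print(path, chain_links(open(path).read()))
    if not sys.argv[1:]:
        print(find_anchor(LEAF, R3 + ISRG_X1_CROSS), find_anchor(LEAF, COMBINED))
```

Run with no arguments and it reproduces the thread's failure against a chain1.pem that ends at the cross-signed ISRG Root X1 (depth 2, missing issuer DST Root CA X3, the same spot openssl reports) and the success against a combined file that adds the self-signed root. Pointed at the archive's fullchain files, chain_links shows which ones still carry the long chain, which is exactly the set whose chain files need replacing. The check matches certificates by CN only and verifies no signatures, so it tells you what is missing from a bundle, not that the bundle is trustworthy; keep `openssl verify` for that.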