Posts by fulltilt

fulltilt · Sep 28th 2021

great, that worked!

do you think it will continue to work after Sept 30th because of Let’sEncrypt DST Root CA X3 Expiration?

https://medium.com/geekculture…3-expiration-d54a018df257

Quote from vege.net

copy /usr/lib/ssl/certs/2e5ac55d.0 from the debain to ubuntu

Code

-----BEGIN CERTIFICATE-----

MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/

MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT

DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow

PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD

Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB

AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O

rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq

OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b

xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw

7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD

aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV

HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG

SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69

ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr

AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz

R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5

JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo

Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ

-----END CERTIFICATE-----

Display More

fulltilt · Sep 28th 2021

this one is still active and working - web browser shows as a valid cert

I have checked with:

Ubuntu 18.04.6 LTS result:

Code

cd /etc/letsencrypt/archive/domain.tld
openssl verify -CAfile fullchain1.pem cert1.pem
openssl verify -CAfile fullchain2.pem cert2.pem
# output
C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup: unable to get issuer certificate
error cert2.pem: verification failed

Debian 10 result:

Code

openssl verify -CAfile fullchain1.pem cert1.pem
cert1.pem: OK

fulltilt · Sep 28th 2021

logged in debug mode

Code

[Tue Sep 28 11:05:05 2021] [debug] iMSCP::Execute::execute: openssl pkey -in /tmp/mBG_0sclG3 -noout
[Tue Sep 28 11:05:05 2021] [debug] iMSCP::Execute::execute: openssl verify -CAfile /tmp/mzaB8wQu9V -purpose sslserver /tmp/hOq4QUp2Tb
[Tue Sep 28 11:05:05 2021] [debug] iMSCP::OpenSSL::validateCertificate: error /tmp/hOq4QUp2Tb: verification failed
[Tue Sep 28 11:05:00 2021] [debug] Modules::Plugin::_executePluginAction: Executing run( ) action on Plugin::LetsEncrypt
[Tue Sep 28 11:05:00 2021] [debug] iMSCP::Execute::execute: /bin/systemctl is-active apache2.service
[Tue Sep 28 11:05:00 2021] [debug] iMSCP::Provider::Service::Abstract::_exec: active
[Tue Sep 28 11:05:00 2021] [debug] (eval): Executing 'toadd' tasks for the 'mydomain.tld' SSL certificate
[Tue Sep 28 11:05:00 2021] [debug] Plugin::LetsEncrypt::_issueCertificate: Required action: issue
[Tue Sep 28 11:05:00 2021] [debug] Plugin::LetsEncrypt::_deleteLineages: Deleting any SSL certificate
lineage matching the mydomain.tld domain name [Tue Sep 28 11:05:00 2021] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot
certonly --cert-name mydomain.tld --preferred-challenges http-01 --email info@mydomain.tld --agree-tos --user-agent-comment i-MSCP-LetsEncrypt/3.6.0 --quiet --non-interactive --work-dir /var/lib/letsencrypt --logs-dir /var/log/letsencrypt --max-log-backups 100 --webroot --webroot-path /var/www/imscp/gui/plugins/LetsEncrypt/acme --break-my-certs --domains mydomain.tld,www.mydomain.tld

Display More

fulltilt · Sep 28th 2021

Quote from theqkash

I don't know it it will work or not, but maybe mentioning Nuxwin here will make it fixed faster.

For me it's not working as well, changing LE source to development is not fixing the issue.

... but why it works on debian and no longer w/ ubuntu?

fulltilt · Sep 28th 2021

certs are created under /etc/letsencrypt/* now I have added by hand the certs into the controlpanel SSL cert section

same error message:

SSL certificate is not valid: C = US, O = Internet Security Research Group, CN = ISRG Root X1 error 2 at 2 depth lookup: unable to get issuer certificate

which shows that something does not work with the letsencrypt validation procedure, a purchased positive ssl certificate works

fulltilt · Sep 28th 2021

debug output

Code

[Tue Sep 28 11:05:05 2021] [debug] iMSCP::Execute::execute: openssl pkey -in /tmp/mBG_0sclG3 -noout
[Tue Sep 28 11:05:05 2021] [debug] iMSCP::Execute::execute: openssl verify -CAfile /tmp/mzaB8wQu9V -purpose sslserver /tmp/hOq4QUp2Tb
[Tue Sep 28 11:05:05 2021] [debug] iMSCP::OpenSSL::validateCertificate: error /tmp/hOq4QUp2Tb: verification failed
[Tue Sep 28 11:05:00 2021] [debug] Modules::Plugin::_executePluginAction: Executing run( ) action on Plugin::LetsEncrypt
[Tue Sep 28 11:05:00 2021] [debug] iMSCP::Execute::execute: /bin/systemctl is-active apache2.service
[Tue Sep 28 11:05:00 2021] [debug] iMSCP::Provider::Service::Abstract::_exec: active
[Tue Sep 28 11:05:00 2021] [debug] (eval): Executing 'toadd' tasks for the 'mydomain.tld' SSL certificate
[Tue Sep 28 11:05:00 2021] [debug] Plugin::LetsEncrypt::_issueCertificate: Required action: issue
[Tue Sep 28 11:05:00 2021] [debug] Plugin::LetsEncrypt::_deleteLineages: Deleting any SSL certificate
lineage matching the mydomain.tld domain name [Tue Sep 28 11:05:00 2021] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot
certonly --cert-name mydomain.tld --preferred-challenges http-01 --email info@mydomain.tld --agree-tos --user-agent-comment i-MSCP-LetsEncrypt/3.6.0 --quiet --non-interactive --work-dir /var/lib/letsencrypt --logs-dir /var/log/letsencrypt --max-log-backups 100 --webroot --webroot-path /var/www/imscp/gui/plugins/LetsEncrypt/acme --break-my-certs --domains mydomain.tld,www.mydomain.tld

Display More

fulltilt · Sep 27th 2021

with Debian there is no issue, so I guess something w/ Ubuntu has changed CAcert or some other ssl stuff

fulltilt · Sep 27th 2021

but here only with Ubuntu 18, it still works with debian 9 and debian 10

fulltilt · Sep 27th 2021

it seems the user apache domain_ssl.conf is not created after a create or renew request ...

fulltilt · Sep 27th 2021

- IMSCP: 1.5.3

- Distribution: Ubuntu 18.04.6 LTS

- Proftpd

- PHP FPM

- MariaDB 10.1

- Dovecot

- Roundcube

- Web2FTP

- Plugins:

PMA Captcha, RoundCubePlugins, SpamAssassin , LetsEncrypt, PHPswitcher, ClamAV

### EDIT ###

temporary solutions:

LetsEncrypt - SSL certificate is not valid

###########

since this morning I have found 5 domain names with following error message (LetsEncrypt certs)

Code

SSL certificate is not valid: C = US, O = Internet Security Research Group, CN = ISRG Root X1 error 2 at 2 depth lookup: unable to get issuer certificate

does anyone have an idea how it can be solved?