Letsencrypt not renewing

Good afternoon,

Running version 10.3.1.10 on Win Server 2k19, I'm having problems with Let's Encrypt: it seems that it's not renewing the certificate. I've been using it for almost a year now without a problem.

The error I'm getting is (this happens in a loop):
2020-08-10 09:14:55 +0000 08 MARS JOBLOG:700000C0: LetsE: Renewal for mail(dot)com successfully added
2020-08-10 09:14:55 +0000 08 MARS JOBLOG:700000C0: LetsE: Found 1 certificate(s) to renew
2020-08-10 09:15:10 +0000 08 MARS JOBLOG:700000C1: LetsE: Acme job executing
2020-08-10 09:15:10 +0000 08 MARS JOBLOG:700000C1: LetsE: AcmeInitState for mail(dot)com executing
2020-08-10 09:15:12 +0000 02 MARS JOBLOG:700000C1: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 09:15:12 +0000 02 MARS JOBLOG:700000C1: LetsE: connection error on GET when populating acme link directory
2020-08-10 09:15:12 +0000 02 MARS JOBLOG:700000C1: LetsE: Job step action => Connection-related error, re-attempting after 15 seconds
2020-08-10 09:15:27 +0000 08 MARS JOBLOG:700000C2: LetsE: Acme job executing

Now when I try running it manually I receive this:
2020-08-10 22:13:18 +0000 08 MARS JOBLOG:7000000C: LetsE: Acme job executing
2020-08-10 22:13:18 +0000 08 MARS JOBLOG:7000000C: LetsE: AcmeInitState for mail(dot).com executing
2020-08-10 22:13:18 +0000 02 MARS WEBADMIN:0000001A: LetsE: Job is already queued
2020-08-10 22:13:18 +0000 02 MARS WEBADMIN:0000001A: Let’s Encrypt: Similar job is already queued
2020-08-10 22:13:18 +0000 02 MARS JOBLOG:7000000C: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 22:13:18 +0000 02 MARS JOBLOG:7000000C: LetsE: connection error on GET when populating acme link directory
2020-08-10 22:13:18 +0000 02 MARS JOBLOG:7000000C: LetsE: Job step action => Connection-related error, re-attempting after 120 seconds
2020-08-10 22:14:13 +0000 08 MARS WEBADMIN:0000001A: SupportInfo: connected to endpoint https ://www.axigen.com:443
2020-08-10 22:14:13 +0000 02 MARS WEBADMIN:0000001A: HTTP-Client: Error setting proxy in connection to https ://www.axigen.com:443:An unknown option was passed in to libcurl
2020-08-10 22:14:13 +0000 08 MARS WEBADMIN:0000001A: SupportInfo: POST response code for endpoint https ://www.axigen.com:443 is 0
2020-08-10 22:14:13 +0000 02 MARS WEBADMIN:0000001A: SupportInfo: response code 200 expected, 0 was provided instead for endpoint https ://www.axigen.com:443
2020-08-10 22:15:18 +0000 08 MARS JOBLOG:7000000D: LetsE: Acme job executing
2020-08-10 22:15:18 +0000 08 MARS JOBLOG:7000000D: LetsE: AcmeInitState for mail(dot).com executing
2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: LetsE: connection error on GET when populating acme link directory
2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: LetsE: Job step action => Connection-related error, re-attempting after 240 seconds
2020-08-10 22:16:56 +0000 02 MARS WEBADMIN:0000001A: Unable to parse intermediate certificate from http ://apps.identrust.com/roots/dstrootcax3.p7c
2020-08-10 22:19:18 +0000 08 MARS JOBLOG:7000000E: LetsE: Acme job executing
2020-08-10 22:19:18 +0000 08 MARS JOBLOG:7000000E: LetsE: AcmeInitState for mail(dot)com executing
2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: LetsE: connection error on GET when populating acme link directory
2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: LetsE: Job step action => Cannot complete current work item, abandoning
2020-08-10 22:19:33 +0000 08 MARS JOBLOG:7000000F: LetsE: Acme job executing

Any thoughts?

Regards, Ragnar
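The pattern in the log above (one JOBLOG id per attempt, an HTTP-Client transport error, a "re-attempting after N seconds" step with growing back-off, and finally "abandoning") is something a defender wants to catch before the certificate actually expires. The Go program below is an added example, not Axigen's code and not from this thread: it parses lines in the layout pasted above (the regular expression is written from those lines only and assumes no other Axigen log shapes), groups them per job id, pulls out libcurl's reason text, and produces a one-line verdict suitable for an alert. The sample lines are a constructed subset of the ones posted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Entry is one parsed Axigen log line.
type Entry struct {
	Time, Level, Host, Facility, ID, Component, Message string
}

// logLine matches "<date> <time> <tz> <level> <host> <FACILITY>:<hexid>: <component>: <message>",
// the only shape visible in the thread. Lines that do not fit are skipped, not guessed at.
var logLine = regexp.MustCompile(`^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (\d\d) (\S+) ([A-Z]+):([0-9A-Fa-f]+): ([^:]+): (.*)$`)

// Parse returns the structured entry and whether the line matched the expected layout.
func Parse(line string) (Entry, bool) {
	m := logLine.FindStringSubmatch(line)
	if m == nil {
		return Entry{}, false
	}
	return Entry{m[1], m[2], m[3], m[4], m[5], m[6], m[7]}, true
}

// Attempt summarises one LetsE job, identified by its JOBLOG id.
type Attempt struct {
	ID        string
	Retries   int    // number of "re-attempting after N seconds" steps
	Abandoned bool   // saw "Cannot complete current work item, abandoning"
	Cause     string // transport error reported by HTTP-Client, if any
}

// Analyze groups JOBLOG lines by job id, preserving first-seen order.
func Analyze(lines []string) []Attempt {
	byID := map[string]*Attempt{}
	var order []string
	for _, l := range lines {
		e, ok := Parse(l)
		if !ok || e.Facility != "JOBLOG" {
			continue
		}
		a := byID[e.ID]
		if a == nil {
			a = &Attempt{ID: e.ID}
			byID[e.ID] = a
			order = append(order, e.ID)
		}
		switch {
		case e.Component == "HTTP-Client" && strings.HasPrefix(e.Message, "Error performing request"):
			// libcurl's reason follows the last ':' after the URL; a reason that itself
			// contains ':' would be truncated here (not seen in the thread).
			if i := strings.LastIndex(e.Message, ":"); i >= 0 {
				a.Cause = strings.TrimSpace(e.Message[i+1:])
			}
		case strings.Contains(e.Message, "re-attempting after"):
			a.Retries++
		case strings.Contains(e.Message, "abandoning"):
			a.Abandoned = true
		}
	}
	out := make([]Attempt, 0, len(order))
	for _, id := range order {
		out = append(out, *byID[id])
	}
	return out
}

// Verdict condenses the attempts into one alert-worthy sentence, or "" when nothing failed.
func Verdict(attempts []Attempt) string {
	failed, cause, abandoned := 0, "", false
	for _, a := range attempts {
		if a.Cause == "" {
			continue
		}
		failed++
		cause = a.Cause
		abandoned = abandoned || a.Abandoned
	}
	if failed == 0 {
		return ""
	}
	s := fmt.Sprintf("%d ACME attempt(s) failed with %q", failed, cause)
	if abandoned {
		s += "; renewal abandoned, certificate will not be renewed automatically"
	}
	return s
}

// SampleLog is a constructed subset of the lines posted in the thread.
var SampleLog = []string{
	"2020-08-10 22:15:18 +0000 08 MARS JOBLOG:7000000D: LetsE: Acme job executing",
	"2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK",
	"2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: LetsE: Job step action => Connection-related error, re-attempting after 240 seconds",
	"2020-08-10 22:16:56 +0000 02 MARS WEBADMIN:0000001A: Unable to parse intermediate certificate from http ://apps.identrust.com/roots/dstrootcax3.p7c",
	"2020-08-10 22:19:18 +0000 08 MARS JOBLOG:7000000E: LetsE: Acme job executing",
	"2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK",
	"2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: LetsE: Job step action => Cannot complete current work item, abandoning",
}

func main() {
	attempts := Analyze(SampleLog)
	for _, a := range attempts {
		fmt.Printf("%+v\n", a)
	}
	fmt.Println(Verdict(attempts))
}
```

Feeding the full log to Analyze rather than grepping for "abandoning" alone matters: the first post shows attempts that only retry, and an alert keyed on the cause text ("SSL peer certificate or SSH remote key was not OK") points straight at the trust store rather than at the network.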

Even when I try creating a self-signed certificate, I receive this (No results found) under Country.

So I can't finish creating a new cert.

Regards, Ragnar

Have you tried reaching https://acme-v02.api.letsencrypt.org:443 from your host?

Hi Jeroen,

Tried these (both on my personal computer and on the host). Btw, both computers are on different networks.

curl https://acme-v02.api.letsencrypt.org:433
curl: (35) schannel: failed to receive handshake, SSL/TLS connection failed

curl https://acme-v02.api.letsencrypt.org

... (more html stuff)

Regards, Ragnar

Your first curl attempt is bound to fail, as it should be port 443 and not 433.
The second should work from your Windows Server 2019 host (Unless you have no desktop environment…)

It is (of course) crucial to verify whether your server can connect to the Let's Encrypt ACME site.
One thing that springs to mind: any proxies or firewalls between the server and the internet, especially those that insert/replace the expected SSL certificate with their own?

From Windows you should at least be able to telnet or curl to the host on port 443.
With curl you might be able to see if there's someone interfering.

Sorry about my typo earlier.
On my Windows Desktop and Server 2019 Host
curl https://acme-v02.api.letsencrypt.org:443

Boulder: The Let's Encrypt CA

Yes, the server has no problems connecting to the Let's Encrypt ACME site. When accessing the website I get:

This is an ACME Certificate Authority running Boulder.

No proxies or firewalls, and telnet on port 443 works:
telnet acme-v02.api.letsencrypt.org 443

Regards, Ragnar

Can you ping acme-v02.api.letsencrypt.org?
Does it resolve to a Cloudflare address?
What certificate does it return when you connect to the address with openssl:

openssl s_client -connect acme-v02.api.letsencrypt.org:443

It should look something like this:

openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
---
Certificate chain
 0 s:/CN=acme-v01.api.letsencrypt.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...

-----END CERTIFICATE-----
subject=/CN=acme-v01.api.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3437 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1C08D111AD3827C49B705547F0586F416CB2ECF4C325CC85807693DBAB1704F8
    Session-ID-ctx: 
    Master-Key: 02BC397D2DAEB1E898099C754811C6E616A1C6C527F7410985C429F8674627D7E5E3945FDD371D2AC1E968381459820E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1597318667
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
q
HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 13 Aug 2020 11:37:55 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
(… removed certificate content to keep it readable …)

Hi again,

Here is my ping:
ping acme-v02.api.letsencrypt.org

Pinging ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com [172.65.32.248] with 32 bytes of data:
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60

Here is the result of openssl command:
C:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000184)
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1

Certificate chain
0 s:CN = acme-v01.api.letsencrypt.org
i:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
1 s:C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3

-----END CERTIFICATE-----
subject=CN = acme-v01.api.letsencrypt.org

issuer=C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3


No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3440 bytes and written 456 bytes
Verification error: unable to get local issuer certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7A5CBE70902437D82D1C6913B5C267016D78A29B906508D00B2207CFEBBDC752
Session-ID-ctx:
Master-Key: 9706223476C86C56BC831737B06011DD885335830919C6195AB4FF563B9EB3718AA42B6FD667A67921166C022AA4DF61
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1597319781
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
Extended master secret: no

closed

You might want to take a look here:

In fact, the issue was not with the library, but rather a setting of the PHP/cURL/Windows environment.
cURL by default is configured to “not trust any root certificate”. Therefore “the local issuer certificate” could not be found.

Hi Jeroen,

Thanks for leading me to this path.
Here is what I did:

  1. Downloaded the cacert.pem from https://curl.haxx.se/docs/caextract.html
  2. Copied cacert.pem to C:\Program Files\Axigen Mail Server
  3. Renamed the file ‘cacert_default.pem’ to ‘cacert_default.pem.old’
  4. Renamed ‘cacert.pem’ to ‘cacert_default.pem’
  5. Submitted a renewal for the certificate under SSL Certificates

What I also tried and didn't work:

  • Import the certificate to personal / computer store (Trusted, Intermediate,Personal)
  • Copied the pem file to c:\windows\system32 (+ renamed to .crt and more)
  • And some other stuff…

Thanks a lot.

Regards, Ragnar
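Jeroen's openssl comparison (Verification: OK versus "verify error:num=20:unable to get local issuer certificate") and the steps 1-5 above (swapping in a CA bundle that actually contains the root) both come down to one question: is the issuing root present in the bundle the client trusts? The Go program below is an added example, not Axigen's code and not anything posted in this thread. It mints a throwaway root / intermediate / leaf hierarchy in memory (the names "Example Root CA", "Example Intermediate CA" and "acme.example.test" are hypothetical stand-ins for DST Root CA X3, Let's Encrypt Authority X3 and the ACME endpoint) and then verifies the leaf against three PEM bundles: empty, holding an unrelated root, and holding the right root. Only the last verifies, which is what the renamed cacert_default.pem achieved. The server-supplied intermediate is passed separately, as it is in a TLS handshake, and the system store is deliberately not consulted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed root -> intermediate -> leaf hierarchy (hypothetical names).
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCert signs tmpl with the parent's private key and parses the result back.
func mustCert(tmpl, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(serial int64, org, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// NewChain creates fresh keys and certificates entirely in memory (no files, no network).
func NewChain(org string) Chain {
	rootKey, interKey, leafKey := mustKey(), mustKey(), mustKey()
	rootTmpl := caTemplate(1, org, "Example Root CA")
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	inter := mustCert(caTemplate(2, org, "Example Intermediate CA"), root, &interKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "acme.example.test"},
		DNSNames:     []string{"acme.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, inter, &leafKey.PublicKey, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// PEM encodes a certificate the way a cacert.pem bundle stores it.
func PEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// VerifyLeaf plays the ACME client: the server hands over leaf + intermediate in the
// handshake, and the only trust anchors are whatever the local bundle (bundlePEM) holds.
// It returns "ok" or a short failure reason.
func VerifyLeaf(c Chain, bundlePEM []byte) string {
	roots := x509.NewCertPool() // non-nil, so the OS store is NOT used as a fallback
	roots.AppendCertsFromPEM(bundlePEM)
	inters := x509.NewCertPool()
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "acme.example.test",
		Roots:         roots,
		Intermediates: inters,
	})
	if err == nil {
		return "ok"
	}
	var unknown x509.UnknownAuthorityError
	if errors.As(err, &unknown) {
		// Go's counterpart of OpenSSL's "verify error:num=20:unable to get local issuer certificate"
		return "unable to get local issuer certificate"
	}
	return err.Error()
}

func main() {
	c := NewChain("Example Trust Co.")
	other := NewChain("Other Trust Co.") // unrelated hierarchy: a bundle with only its root is "stale"
	fmt.Println("empty bundle:            ", VerifyLeaf(c, nil))
	fmt.Println("bundle with wrong root:  ", VerifyLeaf(c, PEM(other.Root)))
	fmt.Println("bundle with correct root:", VerifyLeaf(c, PEM(c.Root)))
}
```

The intermediate arrives from the server; the root has to come from the local bundle, so an empty or stale bundle yields exactly the error seen in the thread even though the network path is fine. Because that bundle is the trust-anchor set for every outbound TLS connection the mail server makes, treat it as security-sensitive configuration: fetch it from the curl project page linked in step 1 over HTTPS, keep it current as roots are added or retired, and fix it this way rather than turning peer verification off.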

That’s bad!
I have no Windows Servers anymore to test this, so all I can advise now is either move the whole thing to Linux or open up a ticket with Axigen - if you have support for it.

Hi again,

I can see that there was one sentence missing: it's working with the above steps 1-5.

Ragnar


Hey, excellent news!
Would you mind marking that post as the solution, so other people can find it?