Running version 10.3.1.10 on Win Server 2k19, I'm having problems with letsencrypt. It seems that it's not renewing the certificate. I've been using it for almost a year now without a problem.
The error I'm getting is: (This happens in a loop)
2020-08-10 09:14:55 +0000 08 MARS JOBLOG:700000C0: LetsE: Renewal for mail(dot)com successfully added
2020-08-10 09:14:55 +0000 08 MARS JOBLOG:700000C0: LetsE: Found 1 certificate(s) to renew
2020-08-10 09:15:10 +0000 08 MARS JOBLOG:700000C1: LetsE: Acme job executing
2020-08-10 09:15:10 +0000 08 MARS JOBLOG:700000C1: LetsE: AcmeInitState for mail(dot)com executing
2020-08-10 09:15:12 +0000 02 MARS JOBLOG:700000C1: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 09:15:12 +0000 02 MARS JOBLOG:700000C1: LetsE: connection error on GET when populating acme link directory
2020-08-10 09:15:12 +0000 02 MARS JOBLOG:700000C1: LetsE: Job step action => Connection-related error, re-attempting after 15 seconds
2020-08-10 09:15:27 +0000 08 MARS JOBLOG:700000C2: LetsE: Acme job executing
Now when I try running it manually I receive this:
2020-08-10 22:13:18 +0000 08 MARS JOBLOG:7000000C: LetsE: Acme job executing
2020-08-10 22:13:18 +0000 08 MARS JOBLOG:7000000C: LetsE: AcmeInitState for mail(dot).com executing
2020-08-10 22:13:18 +0000 02 MARS WEBADMIN:0000001A: LetsE: Job is already queued
2020-08-10 22:13:18 +0000 02 MARS WEBADMIN:0000001A: Let’s Encrypt: Similar job is already queued
2020-08-10 22:13:18 +0000 02 MARS JOBLOG:7000000C: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 22:13:18 +0000 02 MARS JOBLOG:7000000C: LetsE: connection error on GET when populating acme link directory
2020-08-10 22:13:18 +0000 02 MARS JOBLOG:7000000C: LetsE: Job step action => Connection-related error, re-attempting after 120 seconds
2020-08-10 22:14:13 +0000 08 MARS WEBADMIN:0000001A: SupportInfo: connected to endpoint https ://www.axigen.com:443
2020-08-10 22:14:13 +0000 02 MARS WEBADMIN:0000001A: HTTP-Client: Error setting proxy in connection to https ://www.axigen.com:443:An unknown option was passed in to libcurl
2020-08-10 22:14:13 +0000 08 MARS WEBADMIN:0000001A: SupportInfo: POST response code for endpoint https ://www.axigen.com:443 is 0
2020-08-10 22:14:13 +0000 02 MARS WEBADMIN:0000001A: SupportInfo: response code 200 expected, 0 was provided instead for endpoint https ://www.axigen.com:443
2020-08-10 22:15:18 +0000 08 MARS JOBLOG:7000000D: LetsE: Acme job executing
2020-08-10 22:15:18 +0000 08 MARS JOBLOG:7000000D: LetsE: AcmeInitState for mail(dot).com executing
2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: LetsE: connection error on GET when populating acme link directory
2020-08-10 22:15:18 +0000 02 MARS JOBLOG:7000000D: LetsE: Job step action => Connection-related error, re-attempting after 240 seconds
2020-08-10 22:16:56 +0000 02 MARS WEBADMIN:0000001A: Unable to parse intermediate certificate from http ://apps.identrust.com/roots/dstrootcax3.p7c
2020-08-10 22:19:18 +0000 08 MARS JOBLOG:7000000E: LetsE: Acme job executing
2020-08-10 22:19:18 +0000 08 MARS JOBLOG:7000000E: LetsE: AcmeInitState for mail(dot)com executing
2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: HTTP-Client: Error performing request in connection to https ://acme-v02.api.letsencrypt.org:443/directory:SSL peer certificate or SSH remote key was not OK
2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: LetsE: connection error on GET when populating acme link directory
2020-08-10 22:19:18 +0000 02 MARS JOBLOG:7000000E: LetsE: Job step action => Cannot complete current work item, abandoning
2020-08-10 22:19:33 +0000 08 MARS JOBLOG:7000000F: LetsE: Acme job executing
Your first curl attempt is bound to fail, as it should be port 443 and not 433.
The second should work from your Windows Server 2019 host (Unless you have no desktop environment…)
It is (of course) crucial to verify whether your server can connect to the letsencrypt ACME site.
One thing that springs to mind: Any proxies or firewalls between the server and the internet, especially those that will insert/replace the expected SSL certificate with their own?
From Windows you should at least be able to telnet or curl to the host on port 443.
With curl you might be able to see if there's someone interfering.
Can you ping acme-v02.api.letsencrypt.org?
Does it resolve to a cloudflare-address?
What certificate does it return, when you connect to the address with openssl:
Pinging ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com [172.65.32.248] with 32 bytes of data:
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60
Reply from 172.65.32.248: bytes=32 time=36ms TTL=60
Here is the result of openssl command:
C:\Program Files\OpenSSL-Win64\bin>openssl s_client -connect acme-v02.api.letsencrypt.org:443
CONNECTED(00000184)
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
In fact, the issue was not with the library, but rather a setting of PHP/cURL/Windows environment.
cURL by default is configured to “not trust any root certificate”. Therefore “the local issuer certificate” could not be found.
That’s bad!
I have no Windows Servers anymore to test this, so all I can advise now is either move the whole thing to Linux or open up a ticket with Axigen - if you have support for it.
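A triage sketch for the two explanations raised in this thread (a proxy or firewall substituting its own certificate, versus a client trust store that lacks the issuer), added here as an example and not code from any poster or from Axigen. The function names, the result labels and the second sample are constructed; the first sample is the `openssl s_client` output quoted above, with the forum's curly apostrophes normalised.

```python
import re

# openssl s_client output as quoted in the thread.
THREAD_OUTPUT = """CONNECTED(00000184)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = acme-v01.api.letsencrypt.org
verify return:1
"""
# Constructed sample: a chain topped by a CA other than the expected one.
PROXY_OUTPUT = """CONNECTED(00000184)
depth=1 C = XX, O = Example Corp, CN = Example Inspection CA
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=0 CN = acme-v02.api.letsencrypt.org
verify return:1
"""
DEPTH = re.compile(r"^depth=(\d+) (.*)$")
ERROR = re.compile(r"^verify error:num=(\d+):(.*)$")
# OpenSSL verify codes meaning "issuer not found in the local trust store".
MISSING_ISSUER = {2, 20, 21}

def parse_s_client(text):
    """Return {depth: {"subject": str, "errors": [(num, message)]}}."""
    chain, current = {}, None
    for line in text.replace("\u2019", "'").splitlines():
        line = line.strip()
        if m := DEPTH.match(line):
            current = int(m.group(1))
            chain[current] = {"subject": m.group(2), "errors": []}
        elif (m := ERROR.match(line)) and current is not None:
            # s_client prints the error right after the depth line it concerns
            chain[current]["errors"].append((int(m.group(1)), m.group(2)))
    return chain

def classify(text, expected_org="Let's Encrypt"):
    """Triage hint only: subject text is not proof, compare fingerprints to be sure."""
    chain = parse_s_client(text)
    if not chain:
        return "no-chain"
    if max(chain) == 0:
        return "leaf-only"  # issuer not visible in this output
    top = chain[max(chain)]["subject"]
    errors = {num for c in chain.values() for num, _ in c["errors"]}
    if not re.search(r"\bO\s*=\s*" + re.escape(expected_org), top):
        return "unexpected-issuer"  # check for TLS inspection on the path
    if errors & MISSING_ISSUER:
        return "trust-store-gap"    # expected CA seen, client lacks its root
    return "other-verify-error" if errors else "ok"
```

For the output posted in the thread this returns `trust-store-gap`: the chain is topped by a Let's Encrypt intermediate, and error 20 points at the client's CA bundle rather than at a substituted certificate.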