Letsencrypt Only Issuing Self-Signed Certificates

JF

Joe Fedorowicz Jun 05, 2023 #1

Hello,

Starting a week ago, Letsencrypt began issuing only self-signed SSL certs to all of my sites. I updated Ubuntu, updated Cyberpanel and tried a couple things I found online…to no avail. It’s creating havoc for some of my installs.

Is this a bug in the version? I’m currently running 2.3.4.

Any advice would be much appreciated. Thanks.

UPDATE

Server OS: Ubuntu 20.04.6 LTS

Current Version: 2.3
Build: 4
Current Commit: 9de252a75e62017702bd399f5014d306a1c8c7a0
Latest Version: 2.3
Latest Build: 4
Latest Commit: 9de252a75e62017702bd399f5014d306a1c8c7a0

Asking for a new Cert manually yields a self-signed certificate for all of my sites.

VHost

vhssl {
keyFile /etc/letsencrypt/live/joinlmfd.org/privkey.pem
certFile /etc/letsencrypt/live/joinlmfd.org/fullchain.pem
certChain 1
sslProtocol 24
enableECDHE 1
renegProtection 1
sslSessionCache 1
enableSpdy 15
enableStapling 1
ocspRespMaxAge 86400
}

context /.well-known/acme-challenge {
location /usr/local/lsws/Example/html/.well-known/acme-challenge
allowBrowse 1

rewrite {

}
addDefaultCharset off

phpIniOverride {

}
}

Rewrite Rules

RewriteEngine On

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Main Log File

File here (had too many links to post)

jo

josephgodwinke Jun 05, 2023 #2

Welcome @joefedorowicz Happy you are here

You did not care to follow basic instructions How to ask for assistance?

JF

Joe Fedorowicz Jun 05, 2023 #3

Amended. Sorry and thanks.

SD

SaJeTek Developer Jun 05, 2023 #4

This is an ongoing issue. I have opened an issue on github [BUG] SSL fails in 2.3.4 · Issue #1063 · usmannasir/cyberpanel · GitHub

What is happening is that they have integrated SSL v2 into SSL v1. When you issue an SSL, it first goes to use the SSL v2 and then when that fails it will fallback to SSL v1.

This sounds good logically but what is actually happening if you have dealth with acme.sh before is that acme.sh is stuck trying to get the certificate through the SSL v2 and keeps trying over and over again so that the fallback to v1 never really fires.

If you wait long enough, you will get a 500 server error in your console and an error.

Run the command ps ax|grep acme and you will see a script trying to get a wildcard certificate, the only way to actually get a certificate is to manually kill this script and then the SSL v1 will trigger.

I have upgraded to the latest commit this morning and tested again and it’s still an issue.

JF

Joe Fedorowicz Jun 05, 2023 #5

Except I don’t get that 500 you mentioned. It issues me a self-signed cert.

SD

SaJeTek Developer Jun 05, 2023 #6

Where do you go to issue an SSL certificate?
My process is from the side menu “SSL > Manage SSL”

JF

Joe Fedorowicz Jun 05, 2023 #7

Yep and then I pick the correct domain from the dropdown. It says it was successful and then I check the site’s page and it is self-signed for 10 years.

SD

SaJeTek Developer Jun 05, 2023 #8

This is a bit different from what I’m getting.
I am never issued a certificate so i’m stick on either a self-signed or an expired certificate.

I get no success message, only the error above.
Do you by chance use cloudflare DNS or DNS in cyberpanel?

JF

Joe Fedorowicz Jun 05, 2023 #9

Cyberpanel DNS for the specific one I’m looking at.

SD

SaJeTek Developer Jun 05, 2023 #10

I’m not using DNS nor cloudflare which might be the difference in the outcomes.

My stupid advice, downgrade to 2.3.3 because if you looked at the github issue, they aren’t able to replicate the problem but multiple persons have been so it’s going to be a long while before this issue is fixed.

Luckily for me, I upgraded on my test server only and not my production.

JF

Joe Fedorowicz Jun 05, 2023 #11

I had this problem on 2.3.3 before I had it on 2.3.4. I don’t think our issues are the same.

JF

Joe Fedorowicz Jun 05, 2023 #12

Restarting this conversation. I have this line in my logs:

[06.05.2023_10-14-51] Status Code: 404 for: http://joinlmfd.org/.well-known/acme-challenge/joinlmfd.org. Error:

But that would be an incorrect location for that. Should be:

/usr/local/lsws/Example/html/.well-known/acme-challenge/joinlmfd.org

Could this be it? Don’t know how to change this.

SD

SaJeTek Developer Jun 05, 2023 #13

From your config file, you already have the correct context.

context /.well-known/acme-challenge {
  location                /usr/local/lsws/Example/html/.well-known/acme-challenge
  allowBrowse             1

  rewrite  {

  }
  addDefaultCharset       off

  phpIniOverride  {

  }
}

Try restarting lsws

JF

Joe Fedorowicz Jun 05, 2023 #14

yeah no luck there

JF

Joe Fedorowicz Jun 05, 2023 #16

Can’t read that sorry.

JF

Joe Fedorowicz Jun 05, 2023 #17

An update: Here’s my error.

[Mon 05 Jun 2023 11:11:27 PM UTC] joinlmfd.org:Verify error:45.56.108.106: Invalid response from http://joinlmfd.org/.well-known/acme-challenge/eaQ48vf-WGxvwa2k kkTfQJfoUI-uuJ2SarsBtd-GWZ1Y: 404

SD

SaJeTek Developer Jun 06, 2023 #18

Try this for a workaround: Www SSL error after update - #9 by quoviz_dev

Let me know if this successfully retrieves a valid certificate.
You can modify it to use letsencrypt.
As is will use zerossl