Hello,
Starting a week ago, Letsencrypt began issuing only self-signed SSL certs to all of my sites. I updated Ubuntu, updated Cyberpanel and tried a couple things I found online…to no avail. It’s creating havoc for some of my installs.
Is this a bug in the version? I’m currently running 2.3.4.
Any advice would be much appreciated. Thanks.
UPDATE
Server OS: Ubuntu 20.04.6 LTS
Current Version: 2.3
Build: 4
Current Commit: 9de252a75e62017702bd399f5014d306a1c8c7a0
Latest Version: 2.3
Latest Build: 4
Latest Commit: 9de252a75e62017702bd399f5014d306a1c8c7a0
Asking for a new Cert manually yields a self-signed certificate for all of my sites.
VHost
vhssl {
  keyFile /etc/letsencrypt/live/joinlmfd.org/privkey.pem
  certFile /etc/letsencrypt/live/joinlmfd.org/fullchain.pem
  certChain 1
  sslProtocol 24
  enableECDHE 1
  renegProtection 1
  sslSessionCache 1
  enableSpdy 15
  enableStapling 1
  ocspRespMaxAge 86400
}
context /.well-known/acme-challenge {
  location /usr/local/lsws/Example/html/.well-known/acme-challenge
  allowBrowse 1
  rewrite {
  }
  addDefaultCharset off
  phpIniOverride {
  }
}
Rewrite Rules
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Main Log File
File here (had too many links to post)
Welcome @joefedorowicz Happy you are here
You did not care to follow basic instructions How to ask for assistance?
Amended. Sorry and thanks.
This is an ongoing issue. I have opened an issue on github [BUG] SSL fails in 2.3.4 · Issue #1063 · usmannasir/cyberpanel · GitHub
What is happening is that they have integrated SSL v2 into SSL v1. When you issue an SSL, it first goes to use the SSL v2 and then when that fails it will fall back to SSL v1.
This sounds good logically but what is actually happening if you have dealt with acme.sh before is that acme.sh is stuck trying to get the certificate through the SSL v2 and keeps trying over and over again so that the fallback to v1 never really fires.
If you wait long enough, you will get a 500 server error in your console and an error.
Run the command ps ax|grep acme
and you will see a script trying to get a wildcard certificate, the only way to actually get a certificate is to manually kill this script and then the SSL v1 will trigger.
I have upgraded to the latest commit this morning and tested again and it’s still an issue.
Except I don’t get that 500 you mentioned. It issues me a self-signed cert.
Where do you go to issue an SSL certificate?
My process is from the side menu “SSL > Manage SSL”
Yep and then I pick the correct domain from the dropdown. It says it was successful and then I check the site’s page and it is self-signed for 10 years.
This is a bit different from what I’m getting.
I am never issued a certificate so I’m stuck on either a self-signed or an expired certificate.
I get no success message, only the error above.
Do you by chance use cloudflare DNS or DNS in cyberpanel?
Cyberpanel DNS for the specific one I’m looking at.
I’m not using DNS nor cloudflare which might be the difference in the outcomes.
My stupid advice, downgrade to 2.3.3 because if you looked at the github issue, they aren’t able to replicate the problem but multiple persons have been so it’s going to be a long while before this issue is fixed.
Luckily for me, I upgraded on my test server only and not my production.
I had this problem on 2.3.3 before I had it on 2.3.4. I don’t think our issues are the same.
Restarting this conversation. I have this line in my logs:
[06.05.2023_10-14-51] Status Code: 404 for: http://joinlmfd.org/.well-known/acme-challenge/joinlmfd.org. Error:
But that would be an incorrect location for that. Should be:
/usr/local/lsws/Example/html/.well-known/acme-challenge/joinlmfd.org
Could this be it? Don’t know how to change this.
From your config file, you already have the correct context.
context /.well-known/acme-challenge {
  location /usr/local/lsws/Example/html/.well-known/acme-challenge
  allowBrowse 1
  rewrite {
  }
  addDefaultCharset off
  phpIniOverride {
  }
}
Try restarting lsws
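An added example, not part of the original posts and not CyberPanel or acme.sh code: a small Python check that maps the challenge URL from the log through the context block to the file on disk and reports which piece is missing. The function names, the example.test URL and the temporary directory are constructed for illustration; the parser assumes context blocks shaped like the one quoted above.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches "context <uri> { ... location <dir>" without crossing a nested brace.
CONTEXT_RE = re.compile(r"context\s+(\S+)\s*\{[^{}]*?\blocation\s+(\S+)")

def parse_contexts(vhost_conf):
    """Return {uri_prefix: directory} for every context block in a vhost config."""
    return {uri.rstrip("/"): Path(loc) for uri, loc in CONTEXT_RE.findall(vhost_conf)}

def resolve(url, contexts):
    """Map a URL to the file its context would serve, or None if nothing matches."""
    path = urlparse(url).path
    for prefix in sorted(contexts, key=len, reverse=True):  # longest prefix wins
        if path == prefix or path.startswith(prefix + "/"):
            root = contexts[prefix].resolve()
            target = (root / path[len(prefix):].lstrip("/")).resolve()
            # Reject "../" segments that would leave the context directory.
            return target if root in (target, *target.parents) else None
    return None

def diagnose(url, contexts):
    """Classify why a challenge URL from the log could return 404."""
    target = resolve(url, contexts)
    if target is None:
        return "no-context"      # no context covers the URL
    if not target.parent.is_dir():
        return "missing-dir"     # challenge directory absent on disk
    if not target.is_file():
        return "missing-token"   # the ACME client wrote the token elsewhere
    return "on-disk"             # file exists, so a 404 points at the running server config

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for the webroot
        conf = "context /.well-known/acme-challenge {\n  location %s/acme\n  allowBrowse 1\n}" % tmp
        ctx = parse_contexts(conf)
        url = "http://example.test/.well-known/acme-challenge/TOKEN"  # constructed URL
        print(diagnose(url, ctx))               # missing-dir
        Path(tmp, "acme").mkdir()
        print(diagnose(url, ctx))               # missing-token
        Path(tmp, "acme", "TOKEN").write_text("constructed")
        print(diagnose(url, ctx))               # on-disk
```

A result of on-disk combined with a 404 over HTTP means the file is where the context says it should be but the running server is not serving that context, which is the case a restart of lsws addresses.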
With certificate issues, complexity has existed for a very long time. In order to issue a certificate, it is worth adding DNS records. It is shown here: CyberPanel: a control panel for a LiteSpeed VDS server on Linux Ubuntu 20.04. Installing Wordpress - YouTube, and after adding them certificates are issued.
An update: Here’s my error.
[Mon 05 Jun 2023 11:11:27 PM UTC] joinlmfd.org:Verify error:45.56.108.106: Invalid response from http://joinlmfd.org/.well-known/acme-challenge/eaQ48vf-WGxvwa2k kkTfQJfoUI-uuJ2SarsBtd-GWZ1Y: 404
Try this for a workaround: Www SSL error after update - #9 by quoviz_dev
Let me know if this successfully retrieves a valid certificate.
You can modify it to use letsencrypt.
As is, it will use zerossl.