Can anyone help with WordPress plugin SSL Zen?

My domain is:

alobear.co.uk

I ran this command:

sudo certbot certonly --apache

It produced this output:

IMPORTANT NOTES:

My web server is (include version):

Server version: Apache/2.4.29 (Ubuntu)
Server built: 2022-06-23T12:51:37

The operating system my web server runs on is (include version):

Linux annies-new-website-1612213278735-s-1vcpu-1gb-lon1-01 4.15.0-197-generic #208-Ubuntu SMP Tue Nov 1 17:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:

Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):

Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 0.31.0

++++

Hi,

My wife's website (alobear.co.uk) recently stopped working with what I believe is a problem with the site's certs (calls to port 80 redirect to 443 and then fail with ERR_CONNECTION_REFUSED). It's a self-hosted WordPress website with https setup provided by a WordPress plugin called SSL Zen that looks like it uses Let's Encrypt under the hood (certbot is installed on the system). I spoke to SSL Zen support and they gave me a new version of the plugin which I've copied to the right place (I believe) but its "keys" folder (where the certs would live) is empty. Every method I've found so far to generate the certs I need (e.g. using sudo certbot certonly --apache on the command line) fails because they all expect the site to be running, which it isn't.

Ideally I want to set up apache to be back to when no redirects or https support was in place (without losing any WP data!) and then either reinstall the plugin again or use certbot to update the apache config (cutting out the plugin completely).

Any help on anything related to any of the above would be much appreciated!

Thanks.

Hello @Choltern, welcome to the Let's Encrypt community. :slightly_smiling_face:

A side note:

That is an old version of Certbot; here is the latest one: Certbot 2.2.0 Release.

1 Like

And here is a check with SSL Server Test: alobear.co.uk (Powered by Qualys SSL Labs)

$ curl -Ii http://alobear.co.uk/.well-known/acme-challenge/sometestfile
HTTP/1.1 403 Forbidden
Accept-Ranges: bytes
Cache-Control: max-age=10
X-HW: 1674937133.cds001.se2.h2,1674937133.cds001.se2.h2c
Date: Sat, 28 Jan 2023 20:18:53 GMT
Connection: keep-alive
Content-Length: 0

$ nmap alobear.co.uk
Starting Nmap 7.80 ( https://nmap.org ) at 2023-01-28 20:22 UTC
Nmap scan report for alobear.co.uk (151.139.128.10)
Host is up (0.011s latency).
rDNS record for 151.139.128.10: map3.hwcdn.net
Not shown: 998 filtered ports
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 5.17 seconds
1 Like

Thanks for the very quick response Bruce. I tried the following to update certbot.

sudo apt update
sudo apt install --only-upgrade certbot

But the version stayed the same. It looks like the version the Ubuntu PPA points to is very out of date. I'm not sure how to point to a better one.

I can see your curl and nmap outputs in your second comment but I'm afraid I don't know what they mean.

3 Likes

Your site is using a cert from Sectigo with a name of *.ssl.hwcdn.net

Does that mean anything to you? See a site like this (SSL Checker)

I see you have gotten Let's Encrypt certs in the past and you even have a good recent one (link here)

So, it's not so much a problem getting an LE cert; it is configuring your system to use it.

Just based on the cert name, did you recently start using a CDN?

3 Likes

Commonly Certbot is installed via snap; please look here: Certbot Instructions | Certbot

1 Like

The certificate presently being served is

$ openssl s_client -showcerts -servername alobear.co.uk -connect alobear.co.uk:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.ssl.hwcdn.net
verify return:1
---
Certificate chain
 0 s:CN = *.ssl.hwcdn.net
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 30 00:00:00 2022 GMT; NotAfter: Jan 19 23:59:59 2024 GMT
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov  2 00:00:00 2018 GMT; NotAfter: Dec 31 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---
Server certificate
subject=CN = *.ssl.hwcdn.net
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5128 bytes and written 379 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
1 Like
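
Added example, not part of any post in this thread: a small POSIX shell check that reads `openssl s_client` output like the one above and reports whether the served certificate's subject CN covers the hostname that was requested. The function names are hypothetical, the sample is an excerpt of the output posted above, and the `subject=` format of OpenSSL 1.1.1 and later is assumed.

```shell
#!/bin/sh
# Excerpt of the s_client output posted in the thread (subject and issuer lines).
SAMPLE='Server certificate
subject=CN = *.ssl.hwcdn.net
issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA'

# leaf_cn: print the CN of the "subject=" line found on stdin.
# Clients actually validate against subjectAltName; the CN is only a quick
# indicator of whose certificate is being served.
leaf_cn() {
    sed -n 's/^subject=.*CN = \([^,]*\).*$/\1/p' | head -n 1
}

# name_matches HOST PATTERN: succeed if PATTERN covers HOST.
# A wildcard is honoured only as the whole left-most label and covers one label.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        '*.'*)
            suffix=${pat#?}          # drop "*", keep e.g. ".ssl.hwcdn.net"
            first=${host%%.*}        # left-most label of the host
            rest=${host#"$first"}    # remainder, starting with "."
            [ -n "$first" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$host" = "$pat" ]
            ;;
    esac
}

# check_served_cert HOST < s_client_output
# Prints "match CN", "mismatch CN" or "no-subject"; returns 0, 1 or 2.
check_served_cert() {
    cn=$(leaf_cn)
    if [ -z "$cn" ]; then echo "no-subject"; return 2; fi
    if name_matches "$1" "$cn"; then
        echo "match $cn"
    else
        echo "mismatch $cn"
        return 1
    fi
}

# The thread's case: the certificate belongs to the CDN, not to the site.
printf '%s\n' "$SAMPLE" | check_served_cert alobear.co.uk || true
```

Against a live host, pipe `openssl s_client -servername HOST -connect HOST:443 </dev/null` into `check_served_cert HOST`. A mismatch like the one here means the name resolves to something other than the server holding the site's own certificate.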

sudo snap refresh certbot returns "snap 'certbot' has no updates available". I think the archive the server is pointing to is just very out of date.

Thanks for the cert info but what I really need is some simple instructions to get apache to go back to using port 80 so I can log into WordPress and ideally reinstall the SSL Zen plugin (which will do all the Let's Encrypt steps under the hood). I appreciate that this site isn't for apache help so maybe I should try somewhere else. Any suggestions for that gratefully received.

1 Like

See back to my post #5. Did you recently set up a CDN?

Because port 80 looks to be handled by one. We can't possibly know why that is.

Your DNS is pointing to a service something like "hwcdn.net". Again, do you recognize that? If not, maybe you just need to fix the IP address in your DNS records.

3 Likes

And from here Will Cloudflare proxy block certbot challenge? - #17 by _az

You should be able to find instructions there for updating Certbot one way or another; if not, you might need to remove the version you have and install again.

1 Like

You have either NOT installed the snap version [only asked it if there was a newer version available]
OR
You have two versions installed and continue using the older of the two.

Be sure you have removed the apt version of certbot.

2 Likes

Thanks for the help. I've found someone who has very kindly walked me through fixing the various problems.

3 Likes
