Can’t create new certificate on Catalina (10.15.1) because SSL compression is not enabled

AffinityCE · December 10, 2019, 8:09pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: affinityced.com

I ran this command: sudo certbot --apache

It produced this output:

sudo certbot --apache

Password:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to

cancel): it@affinityced.com

Please read the Terms of Service at

https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must

agree in order to register with the ACME server at

https://acme-v02.api.letsencrypt.org/directory

(A)gree/©ancel: A

Would you be willing to share your email address with the Electronic Frontier

Foundation, a founding partner of the Let’s Encrypt project and the non-profit

organization that develops Certbot? We’d like to send you email about our work

encrypting the web, EFF news, campaigns, and ways to support digital freedom.

(Y)es/(N)o: N

Which names would you like to activate HTTPS for?

1: privacy.sv.affinityced.com
[ … other sites deleted due to new user limitation ]

Select the appropriate numbers separated by commas and/or spaces, or leave input

blank to select all options shown (Enter ‘c’ to cancel): 1

Obtaining a new certificate

Performing the following challenges:

http-01 challenge for privacy.sv.affinityced.com

Waiting for verification…

Cleaning up challenges

Created an SSL vhost at /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf

Deploying Certificate to VirtualHost /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf

Enabling site /private/etc/apache2/extra/httpd-vhosts-le-ssl.conf by adding Include to root configuration

Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:

Setting Compression mode unsupported; not implemented by the SSL library

Rolling back to previous server configuration…

Error while running apachectl configtest.

AH00526: Syntax error on line 13 of /etc/letsencrypt/options-ssl-apache.conf:

Setting Compression mode unsupported; not implemented by the SSL library

IMPORTANT NOTES:

- We were unable to install your certificate, however, we

successfully restored your server to its prior configuration.

Congratulations! Your certificate and chain have been saved at:

/etc/letsencrypt/live/privacy.sv.affinityced.com/fullchain.pem

Your key file has been saved at:

/etc/letsencrypt/live/privacy.sv.affinityced.com/privkey.pem

Your cert will expire on 2020-03-09. To obtain a new or tweaked

version of this certificate in the future, simply run certbot again

with the “certonly” option. To non-interactively renew all of

your certificates, run “certbot renew”

Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

My web server is (include version):

Server version: Apache/2.4.41 (Unix)
Server built: Oct 17 2019 18:04:28

The operating system my web server runs on is (include version):

macOS 10.15.1 (Catalina)

My hosting provider, if applicable, is:

N/A — it’s our own machine

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0

There is a similar thread on GitHub from May (https://github.com/certbot/certbot/issues/7063) where the answer basically was “we’re looking into it,” with no resolution. Since certbot backs out the configurations and deletes the .conf files, I’m at a bit of a loss for what to do next.

We’re hoping to use Let’s Encrypt for some one-off sites (since it seems that wildcards can only be used via Docker?) where a pesky consultant has convinced the owners that SSL is needed for sites with zero user interaction. We use paid certificates for other company properties and I would prefer not to have to pay $$$ for limited-use certificates if possible. Any suggestions for what to do to work around the SSL Compression problem are welcome.

_az · December 10, 2019, 8:20pm

I would guess that the problem is that your Apache configuration tries to enable SSL compression.

However, for quite some time, SSL compression has been considered a misfeature/dangerous, and not supported in modern SSL.

The solution would be to remove that part of your configuration, and then try again.

Edit: I misread the errors slightly. You need to open /etc/letsencrypt/options-ssl-apache.conf and remove this line:

SSLCompression          off

This might be worth filing a Certbot bug over too, but I don’t have a macOS environment to try reproduce on.

AffinityCE · December 10, 2019, 8:23pm

I don’t enable SSL Compression anywhere. Certbot’s configuration file is at fault:

This file contains important security parameters. If you modify this file

manually, Certbot will be unable to automatically provide future security

updates. Instead, Certbot will print and log an error message with a path to

the up-to-date file that you will need to refer to when manually updating

this file.

SSLEngine on

Intermediate configuration, tweak to your needs

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off

SSLOptions +StrictRequire

Add vhost name to log entries:

LogFormat “%h %l %u %t “%r” %>s %b “%{Referer}i” “%{User-agent}i”” vhost_combined
LogFormat “%v %h %l %u %t “%r” %>s %b” vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

Always ensure Cookies have “Secure” set (JAH 2012/1)

#Header edit Set-Cookie (?i)^(.)(;\ssecure)??((\s*;)?(.*)) "$1; Secure$3$4”

Removing the SSLCompression line is not possible, as certbot recreates the file and reinserts the line every time.

_az · December 10, 2019, 8:24pm

Yes, indeed. I misread initially.

Hmm. It shouldn't do this. Certbot is supposed to detect when that file has been modified manually and avoid re-modifying it.

AffinityCE · December 10, 2019, 8:24pm

An “issue” was filed at GitHub in May. Its solution is not helpful because certbot fails to store conf files that can be edited after the fact.

AffinityCE · December 10, 2019, 8:26pm

Sadly, this is not the case, as I tried doing just that and certbot happily recreated the original file before failing to complete the install.

_az · December 10, 2019, 8:31pm

I’ve done a poor job of reading your original post carefully. You put the effort in and I skipped past it. Sorry.

Would you be OK with avoiding the “installer” part of Certbot? So having it only issue the certificate, but leaving you to configure it in Apache.

So your workflow would be something like:

sudo certbot certonly -a apache --deploy-hook "apachectl -k graceful" -d privacy.sv.affinityced.com

This would leave you with the needed files in /etc/letsencrypt/live/privacy.sv.affinityced.com/{fullchain,privkey}.pem, which you could combine with the recommended SSL virtual host configuration.

I guess this would be closer to your original workflow where you used paid certificates, but the certificate renewal would continue to be automatic (assuming I’ve identified the right command on macOS for reloading Apache post-renewal).

AffinityCE · December 11, 2019, 1:07pm

Thank you very much for your helpful suggestions. I was able to get the certificate set up correctly for the site. I haven’t tested the workflow you suggested yet, but as we may have additional single-site certificates to install soon, I will give it a try then.

system · January 10, 2020, 1:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certbot error instead of ssl Help	8	848	December 22, 2020
Struggling to create a new multi-domain certificate Help	7	746	April 3, 2020
New HTTPS activation failed Help	9	1472	March 1, 2020
Https not working after 'succesful' certbot --apache operation Help	8	8669	May 15, 2019
Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems: Help	7	13259	December 16, 2021