Certificate is not updating since 21.9.2022

Hello,

since 21.9.2022 our homepage is no longer SSL secured.

Let's Encrypt no longer updates.

When we try to reinstall Let's Encrypt in Plesk, the following message appears:

Error: Let's Encrypt SSL/TLS certificate could not be issued for dreamhouse-immobilien.de.
details
Could not obtain directory: Invalid response.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 400
Detail: upgrade your ACME client to support TLSv1.2 or better

However, we think TLSv1.2 is enabled because we also ran the following command:

plesk bin server_pref -u -ssl-protocols 'TLSv1.2 TLSv1.3'

Now we are unfortunately at a loss and ask for your help.

Kind regards,

Matthias

My domain is: www.dreamhouse-immobilien.de
My web server is: plesk 12.5.30 Update #79
The operating system my web server runs on: Ubuntu 12.04.5 LTS
My hosting provider is: strato.de

Hello @Matthias_Hamburg,

This problem is based on the following recent change in the Let's Encrypt service:

The software that is failing to support TLSv1.2 here is not your web server (which accepts inbound connections), but rather your ACME client application (which makes outbound connections to the Let's Encrypt API service).

The relevant application is probably part of Plesk itself, or installed by Plesk, suggesting that Plesk would need to be upgraded to a newer version.

7 Likes

Hello,
Thank you for your help. We cannot update to a new Plesk version because our homepage uses old PHP versions, which then no longer work. Can you help me? I'm pretty clueless and our company homepage is down :frowning:

Thanks Matthias

2 Likes

You are using Ubuntu 12 LTS which reached end of life over 3 years ago. That's a lot of missing security updates.

The priority should be to update that soon.

In the meantime, if you acquired certs somewhere else, could you manually update your config to use them?

Because you could use a different machine to perform a manual cert request. For this you manually add a challenge token record to your webserver or a TXT record to your DNS. If successful, you then copy the certs from this machine to your Ubuntu system and restart Apache.

Some other Certificate Authorities also issue certs using different methods. Perhaps you could purchase one and apply it to your Plesk / Apache setup?

5 Likes
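
A check worth running on certificate files obtained on another machine, before they are copied to the server and Apache is restarted as the post above suggests. This is an added example, not part of the thread; the function name `check_cert_pair` and the file names are hypothetical, and it assumes a current `openssl` on the machine where the certificate was issued.

```sh
#!/bin/sh
# Added example (not from the thread): validate a certificate/key pair that was
# issued on another machine before installing it on the web server.
# check_cert_pair is a hypothetical helper name; paths are supplied by the caller.
# Return codes: 0 ok, 1 key mismatch, 2 unreadable file, 3 wrong host, 4 expiring.
check_cert_pair() {
    cert=$1
    key=$2
    host=$3
    min_valid=${4:-604800}   # require at least 7 days of validity by default

    # Extract the public key from both files; a parse failure means a bad copy.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot read certificate $cert" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot read private key $key" >&2; return 2; }

    # A pair whose public keys differ cannot be used together by the web server.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match certificate" >&2; return 1
    fi

    # -checkhost prints its verdict instead of setting the exit status.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q "does match certificate"; then
        echo "FAIL: certificate is not valid for $host" >&2; return 3
    fi

    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null; then
        echo "FAIL: certificate expires within $min_valid seconds" >&2; return 4
    fi

    echo "OK: $cert matches $key, covers $host"
}

# Run the check when called as: sh check.sh fullchain.pem privkey.pem www.example.test
if [ "$#" -ge 3 ]; then
    check_cert_pair "$@"
fi
```
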

For future reference, it's wise to enable notifications to the API Announcements - Let's Encrypt Community Support section of this Community with the aid of the "bell" icon in the top right. That would have notified you about this change before it was implemented. And can notify you for future updates which might impact your operations.

Furthermore, I agree Ubuntu 12.04.05 LTS should not be connected to and be available from the public internet.

4 Likes