Certificate renewed but site not visible

Hello,

first of all thank you for the whole project and for your work.

My domain is: https://www.firenzespettacolo.it/

I ran this command: certbot-auto

It produced this output: 2019-08-08 09:56:42,581:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.firenzespettacolo.it/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.firenzespettacolo.it/privkey.pem
Your cert will expire on 2019-11-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot-auto renew”

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is: Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: certbot 0.37.0

I renewed the certificate correctly, but the site was not visible and showed the error:

Firefox: Error code: SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
Chrome: ERR_SSL_PROTOCOL_ERROR

The certificate test using ssllabs.com is successful. For the moment I solved it with a workaround: in the file /etc/apache2/sites-available/www.firenzespettacolo.it-le-ssl.conf I added a # to the line:

#Include /etc/letsencrypt/options-ssl-apache.conf

and after restarting Apache the site is visible again. Thanks for the support.

Regards
Riccardo

Hi @Cicciogaddo

Simple idea:

Change the file

/etc/letsencrypt/options-ssl-apache.conf

so that every line starts with a #. Then remove the # so that

Include /etc/letsencrypt/options-ssl-apache.conf

is included. Then remove every # and check whether this is the problem.

Or directly: perhaps you have a directive (“Session”) that isn’t allowed multiple times.

Hi JuergenAuer,

Thanks for your reply. Maybe I didn’t explain correctly: if the line
Include /etc/letsencrypt/options-ssl-apache.conf
is present in the file
/etc/apache2/sites-available/www.firenzespettacolo.it-le-ssl.conf
the site cannot be seen and generates the indicated error; if instead I comment it out,
the site is visible again (the current condition). But this cannot be the solution, because the bot adds the Include line again when it renews the certificate.

Please give me some instructions on how to verify this.

Riccardo

If in /etc/letsencrypt/options-ssl-apache.conf I set SSLSessionTickets to on,
everything seems to work properly.

Riccardo

My idea: two such directives like SSLSessionTickets on, where only one is allowed.

Happy to read you have found a solution :+1:

SSLSessionTickets off was a new default introduced in Certbot 0.37.0, and reverted in 0.37.1 (released today).

https://community.letsencrypt.org/search?q=%22session%20tickets%22%20order%3Alatest

Hey @Cicciogaddo! Erica from Certbot here. We’re trying to figure out what caused this issue so we can get the feature back in without the errors. It would really help us out if you could email me at erica@eff.org with the following information:

  • the results of the command grep OpenSSL /var/log/apache2/error.log (or elsewhere, if you’ve moved your apache error log location)
  • the contents of your config directory (probably located at /etc/apache2/), redacted as you see fit
  • any changes you’ve made to the config directory in the time since encountering this issue

Thanks!

Pinging again @Cicciogaddo – we still haven’t been able to reproduce the issue, and even the Apache developers we’ve talked to don’t understand what’s going on here. Regardless of whether we make this change again, we’d really like to get to the bottom of this so we can avoid problems like this in the future and can make sure the problem is fixed in whatever software is causing a TLS error in this configuration.

If you don’t feel comfortable sending the info I previously mentioned, some other info that might help us is:

  • All mod_ssl directives in the Apache config
  • A high level description of your setup (e.g. are you using PHP/phpmyadmin?)
  • Apache modules loaded

Thanks again!
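
The two diagnostic ideas raised so far (JuergenAuer's "is SSLSessionTickets set twice?" and Erica's "send all mod_ssl directives in the Apache config") can be answered with one audit of the configuration tree. The script below is an added example written for this page; it is not code from the thread, from Certbot or from Apache. It lists every active (uncommented) SSL* directive under a config root, counts how often a given directive is set, and flags names that occur more than once, for example `SSLSessionTickets off` in the Certbot-included file alongside `SSLSessionTickets on` in a module config. The sample tree it builds under a temporary directory, including the contents of the stand-in options-ssl-apache.conf, is constructed for the demo and does not reproduce the real Certbot file. Note that Apache permits SSLSessionTickets in both server and virtual-host context, so a duplicate is a lead to investigate, not proof of a misconfiguration.

```shell
#!/bin/sh
# Added example, not from the thread, Certbot or Apache: enumerate the mod_ssl
# directives an Apache config tree loads and flag any directive set more than
# once (e.g. SSLSessionTickets in a vhost include and again in a module file).
# All paths and file contents below are constructed for the demo.
set -eu

# Print every active (uncommented) SSL* directive as "file:line:directive args".
# $1 = config root. Apache directive names are case-insensitive, hence grep -i.
# Commented-out lines such as "#Include ..." never match because the pattern is
# anchored at the start of the line.
list_ssl_directives() {
  find "$1" -type f -name '*.conf' \
    -exec grep -niE '^[[:space:]]*SSL[A-Za-z]+' /dev/null {} + | sort
}

# Count how many times the directive named $2 is set anywhere under $1.
count_directive() {
  find "$1" -type f -name '*.conf' \
    -exec grep -hiE "^[[:space:]]*$2([[:space:]]|\$)" {} + | wc -l | tr -d ' '
}

# List directive names (lower-cased) that appear more than once in the tree.
duplicate_directives() {
  find "$1" -type f -name '*.conf' \
    -exec grep -hiE '^[[:space:]]*SSL[A-Za-z]+' {} + \
    | awk '{ print tolower($1) }' | sort | uniq -d
}

# Report all directives and return 1 if any name is set more than once.
audit_tree() {
  echo "mod_ssl directives under $1:"
  list_ssl_directives "$1"
  dups=$(duplicate_directives "$1")
  if [ -n "$dups" ]; then
    echo "WARNING: set more than once: $dups"
    return 1
  fi
  echo "no duplicated mod_ssl directives"
}

# Build a constructed config tree shaped like the one in the thread: a
# Certbot-style -le-ssl.conf vhost that includes options-ssl-apache.conf, plus
# a module config that also sets SSLSessionTickets. Prints the root directory.
make_sample_config() {
  root=$(mktemp -d)
  mkdir -p "$root/sites-enabled" "$root/mods-enabled" "$root/letsencrypt"
  cat > "$root/letsencrypt/options-ssl-apache.conf" <<'EOF'
# constructed stand-in for the Certbot-generated file, not its real contents
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLSessionTickets off
EOF
  cat > "$root/sites-enabled/example-le-ssl.conf" <<EOF
<VirtualHost *:443>
    ServerName www.example.org
    SSLCertificateFile /etc/letsencrypt/live/www.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.org/privkey.pem
    Include $root/letsencrypt/options-ssl-apache.conf
</VirtualHost>
EOF
  cat > "$root/mods-enabled/ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
    SSLSessionTickets on
    # SSLSessionTickets off   <- commented lines are ignored by the audit
</IfModule>
EOF
  printf '%s\n' "$root"
}

# Demo: audit the constructed tree; it warns about sslsessiontickets.
sample=$(make_sample_config)
audit_tree "$sample" || true
rm -rf "$sample"
```

Run it against a real server with `audit_tree /etc/apache2` (the Include target under /etc/letsencrypt is outside that root, so audit /etc/letsencrypt as well, or pass a parent directory). To see what the running server actually negotiates rather than what the files say, `openssl s_client -connect host:443 -servername host </dev/null` prints whether a session ticket was received during the handshake, which is the behaviour the browser errors in this thread are about.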

Hi Erica,

Sorry, but I’m out of office for holidays; I’ll reply to you from 1 September.

Regards

Riccardo

Thanks to everyone who helped us here! We’ve figured this one out, and just put out a release (0.37.2) fixing it in Nginx as well. If you’re interested in the story, you can follow our discussion on GitHub at https://github.com/certbot/certbot/issues/7322.