Certificate renewed but site not visible

Cicciogaddo · August 8, 2019, 9:32am

Hello,

first of all thank you for the whole project and for your work.

My domain is: https://www.firenzespettacolo.it/

I ran this command: certbot-auto

It produced this output: 2019-08-08 09:56:42,581:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/www.firenzespettacolo.it/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/www.firenzespettacolo.it/privkey.pem
Your cert will expire on 2019-11-06. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again with the “certonly” option. To non-interactively renew all of your certificates, run “certbot-auto renew”

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is: Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine: yes

I’m using a control panel to manage my site: no

The version of my client is: certbot 0.37.0

I renewed the certificate correctly but the site was not visible with the error:

Firefox: Error code: SSL_ERROR_RX_UNEXPECTED_NEW_SESSION_TICKET
Chrome: ERR_SSL_PROTOCOL_ERROR

The certificate test using ssllabs.com is successful. For the moment I solved with a work around in the file /etc/apache2/sites-available/www.firenzespettacolo.it-le-ssl.conf I added # to the line:

#Include /etc/letsencrypt/options-ssl-apache.conf

and after restarting apache the site is visible again. Thanks for the support.

Regards
Riccardo

JuergenAuer · August 8, 2019, 9:39am

Hi @Cicciogaddo

simple idea:

Change the file

/etc/letsencrypt/options-ssl-apache.conf

so every line starts with a #. Then remove the # so

Include /etc/letsencrypt/options-ssl-apache.conf

is included. Then remove every # and check, if this is the problem.

Or directly: Perhaps you have a directive (“Session”) which isn’t allowed multiple times.

Cicciogaddo · August 8, 2019, 9:59am

Hi JuergenAuer,

Thanks for your reply. Maybe I didn’t explain correctly, if in the file
/etc/apache2/sites-available/www.firenzespettacolo.it-le-ssl.conf
is present
Include /etc/letsencrypt/options-ssl-apache.conf
the site cannot be seen and generates the indicated error if instead I add the comment
the site is visible again (the current condition). But it cannot be the solution because the bot adds the inclusion to the renewal of the certificate.

Interestingly, please give me some instruction on how to verify this.

Riccardo

Cicciogaddo · August 9, 2019, 6:41am

If in /etc/letsencrypt/options-ssl-apache.conf I set SSLSessionTickets to on
everything seems to work properly.

Riccardo

JuergenAuer · August 8, 2019, 1:37pm

My idea: Two such directives like SSLSessionTickets on, only one is allowed.

Happy to read you have found a solution

schoen · August 9, 2019, 1:19am

The SSLSessionTickets off was a new default introduced in Certbot 0.37.0, and reverted in 0.37.1 (released today).

https://community.letsencrypt.org/search?q=%22session%20tickets%22%20order%3Alatest

erica · August 15, 2019, 12:33am

Hey @Cicciogaddo! Erica from Certbot here. We’re trying to figure out what caused this issue so we can get the feature back in without the errors. It would really help us out if you could email me at erica@eff.org with the following information:

the results of the command grep OpenSSL /var/log/apache2/error.log (or elsewhere, if you’ve moved your apache error log location)
the contents of your config directory (probably located at /etc/apache2/), redacted as you see fit
any changes you’ve made to the config directory in the time since encountering this issue

Thanks!

erica · August 16, 2019, 10:29pm

Pinging again @Cicciogaddo – we still haven’t been able to reproduce the issue, and even the Apache developers we’ve talked to don’t understand what’s going on here. Regardless of us making this change again, we’d really like to get to the bottom of this so we can avoid problems like this in the future and can make sure the problem is fixed in whatever software causing a TLS error in this configuration.

If you don’t feel comfortable sending the info I previously mentioned, some other info that might help us is:

All mod_ssl directives in the Apache config
A high level description of your setup (e.g. are you using PHP/phpmyadmin?)
Apache modules loaded

Thanks again!

Cicciogaddo · August 17, 2019, 9:07pm

Hi Erica,

Sorry but I’m out of office for holidays I’ll reply to you from 1 September.

Regards

Riccardo

erica · August 21, 2019, 11:12pm

Thanks to everyone who helped us here! We’ve figured this one out, and just put out a release (0.37.2) fixing it in Nginx as well. If you’re interested in the story, you can follow our discussion on GitHub at https://github.com/certbot/certbot/issues/7322.