Client to support TLSv1.2

Could not obtain directory: Invalid response.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 400
Detail: upgrade your ACME client to support TLSv1.2 or better

OS: CentOS 6.1

To me, this detail message is pretty clear. Could you perhaps elaborate which issue you're running in to?

5 Likes

Plesk to SSL installation error status.
Plesk update is not possible.

Wow, CentOS 6.1 was released in 2011. Its latest update, CentOS 6.10, was released in 2018, and went EOL in 2020.
So you're asking support for a system that hasn't been updated in 11 years?

Anyway, CentOS 6.1 was shipped with OpenSSL 1.0.0, which does not support TLSv1.2. CentOS 6.5 was rebased to OpenSSL 1.0.1, which does support TLSv1.2, so you could upgrade your OS...

4 Likes

It's a difficult situation to upgrade the OS.

plesk bin http2_pref enable

How about the above command?

Then you'll also face difficulties communicating with the Internet of 2022, where TLS 1.0 has been largely deprecated. Let's Encrypt is certainly not on the bleeding edge here.

Btw, CentOS 6.1 => 6.10 is "just" patching (fully ABI compatible), not a major OS upgrade like CentOS 7.x would be.
Your OS would still be EOL, but in a much better shape with 9 years worth of updates applied, and compatible again with Let's Encrypt.

http2 is not related.

3 Likes

What are the steps for patching?

Patching up an ancient OS distro is out of the scope of this Community.

5 Likes

If all else fails (which it likely will), you could try using another ACME client.
Like: acme.sh

4 Likes

acme.sh relies on openssl, doesn't it? It may have the same problem.

6 Likes

hmm...
You might be right.
If so, then compiling OpenSSL may be the fix.
I was able to do so on Ubuntu 14, see: Unable to validate my domain since the last couple of days due to signature algorithm not supported (it was working fine before) - #9 by rg305
So, it might be possible.
Sadly, I don't have a CentOS 6.10 to test that out.

6 Likes

I did not test that, so be careful with what I am writing, it may screw up your system. Definitely do a backup before proceeding.

The CentOS 6 distro is already removed from the official mirrors. However, the distro data is still available on vault.centos.org. You have to modify the repository file of /etc/yum.repos.d/CentOS-Base.repo to point to the vault, at least for the [base], [updates] and [extras] repos that are enabled by default. Comment out the mirrorlist= line, and uncomment the baseurl= line. Modify the baseurl= line to get something like:

[base]
baseurl=https://vault.centos.org/6.10/os/$basearch/

[updates]
baseurl=https://vault.centos.org/6.10/updates/$basearch/

[extras]
baseurl=https://vault.centos.org/6.10/extras/$basearch/

Do not attempt to update everything in one shot.
First do:

yum upgrade 'rpm*' 'yum*'

then the rest:

yum upgrade

Again, it may not work, I did not test it.

6 Likes

It won't work. vault.centos.org is reachable only through HTTPS, and the minimum supported TLS version is 1.2. You have to upgrade to get TLS 1.2. You have to have TLS 1.2 to upgrade. Typical chicken-egg problem.

I found another vault site that is accessible through HTTP:
http://linuxsoft.cern.ch/centos-vault/6.10

So try something like:

[base]
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/os/$basearch/

[updates]
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/updates/$basearch/

[extras]
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/extras/$basearch/

6 Likes

Use a proxy!

6 Likes

1. vi /etc/yum.repos.d/CentOS-Base.repo

2. # yum clean all

3. # yum update

4. reboot

OK?

1 Like

Your best bet might be using a client like lego which is written in Go and doesn’t depend on any OS TLS libraries.

5 Likes

Is it a server move?

Yes. yum clean all is nice, but I do not think you have anything in the cache.
Please do the yum update in two steps. reboot is needed, for sure.

In the meantime, I was thinking of doing this more safely, but it is a lot of work. Try to do this by minor release: first from 6.1 to 6.2, then 6.2 to 6.3, and so on.

5 Likes

Thank you,

1. # yum update

2. reboot

3. # yum update

4. reboot

OK??

Yes, going by minor release is safer:

1. vi /etc/yum.repos.d/CentOS-Base.repo (/6.2/)
2. yum clean all
3a. yum update 'rpm*' 'yum*'
3b. yum update
4. reboot
5. vi /etc/yum.repos.d/CentOS-Base.repo (/6.3/)
6. yum clean all
7a. yum update 'rpm*' 'yum*'
7b. yum update
8. reboot
...

6 Likes
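
The repo-file edit described in this thread (comment out mirrorlist=, point baseurl= at the vault path for one minor release, repeat per release), as an added shell example that is not code from any poster. The function names and the sample file are constructed for illustration; the second function checks that gpgcheck=1 is still set, because over a plain-HTTP mirror the package signature is what still authenticates the RPMs.

```shell
#!/bin/sh
# Constructed sample in the layout of a stock CentOS 6 CentOS-Base.repo.
write_sample_repo() {
    cat > "$1" <<'EOF'
[base]
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
[updates]
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
[extras]
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
EOF
}

# Rewrite FILE for one minor RELEASE (e.g. 6.2). Safe to re-run for 6.3, 6.4, ...
point_repo_at_vault() {
    file=$1 rel=$2 base=${3:-http://linuxsoft.cern.ch/centos-vault}
    awk -v rel="$rel" -v base="$base" '
        /^\[/ { sect = substr($0, 2, length($0) - 2) }
        /^mirrorlist=/ { print "#" $0; next }
        /^#?baseurl=/ && (sect == "base" || sect == "updates" || sect == "extras") {
            print "baseurl=" base "/" rel "/" (sect == "base" ? "os" : sect) "/$basearch/"
            next
        }
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# Succeeds only if [base], [updates] and [extras] all keep gpgcheck=1.
gpgcheck_enforced() {
    awk '
        /^\[/ { sect = substr($0, 2, length($0) - 2) }
        /^gpgcheck=/ { ok[sect] = ($0 ~ /^gpgcheck=1[ \t]*$/) }
        END { exit !(ok["base"] && ok["updates"] && ok["extras"]) }
    ' "$1"
}

# Demo on a temporary copy, not on /etc/yum.repos.d/CentOS-Base.repo.
demo=$(mktemp)
write_sample_repo "$demo"
point_repo_at_vault "$demo" 6.2 && gpgcheck_enforced "$demo" && grep '^baseurl=' "$demo"
rm -f "$demo"
```

Run it against a backup copy of the real file first and diff the result before replacing the original.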