sccmrb
September 30, 2021, 6:47pm
1
I'm using the Univention Corporate Server Let's encrypt app and my cert is now invalid. I'm getting the following error when it tries to renew:
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
main(sys.argv[1:])
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status
When I click on the URL bar I see the chain as ISRG Root X1 --> R3 --> groups.skaggscatholiccenter.org
I have tried the "update-ca-certificates" and then restarted Apache2 but it still says invalid.
rg305
September 30, 2021, 6:51pm
2
@sccmrb
What version of OpenSSL are you using?
sccmrb
September 30, 2021, 6:59pm
3
OpenSSL 1.1.0l 10 Sep 2019
sccmrb
September 30, 2021, 7:05pm
4
I see this on all devices. Macs, Windows, iOS.
rg305
September 30, 2021, 7:05pm
5
@sccmrb
Please show the outputs of:
wget --delete-after https://acme-v02.api.letsencrypt.org/directory
curl -I https://acme-v02.api.letsencrypt.org/directory
sccmrb
September 30, 2021, 7:06pm
6
wget --delete-after https://acme-v02.api.letsencrypt.org/directory
--2021-09-30 13:05:33-- https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)... 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 658 [application/json]
Saving to: ‘directory.tmp’
directory.tmp 100%[============================================================================>] 658 --.-KB/s in 0s
2021-09-30 13:05:34 (17.0 MB/s) - ‘directory.tmp’ saved [658/658]
curl -I https://acme-v02.api.letsencrypt.org/directory
HTTP/2 200
server: nginx
date: Thu, 30 Sep 2021 19:05:50 GMT
content-type: application/json
content-length: 658
cache-control: public, max-age=0, no-cache
replay-nonce: 0002NIlvHF4AlF4hxwACRL0A7-hXib9UdfN1UUe9zegdutM
x-frame-options: DENY
strict-transport-security: max-age=604800
rg305
September 30, 2021, 7:08pm
7
@sccmrb
hmm...
Let's have a look at the log file.
Please upload:
/var/log/letsencrypt/letsencrypt.log
sccmrb
September 30, 2021, 7:12pm
8
Attached.
letsencrypt.txt (26.5 KB)
rg305
September 30, 2021, 7:17pm
9
I think the problem was transient, as there was a degraded service alert posted around that time.
See: Let's Encrypt Status
The more troubling entries show:
ValueError: Challenge did not pass for groups.skaggscatholiccenter.org: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://groups.skaggscatholiccenter.org/.well-known/acme-challenge/w1matVCnZNhVUom02sJz2QgWvlrqgXlk_8AT_2TPtJA', u'hostname': u'groups.skaggscatholiccenter.org', u'addressUsed': u'205.127.242.55', u'port': u'80', u'addressesResolved': [u'205.127.242.55']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/14086887429/suXfag', u'token': u'w1matVCnZNhVUom02sJz2QgWvlrqgXlk_8AT_2TPtJA', u'error': {u'status': 400, u'type': u'urn:ietf:params:acme:error:connection', u'detail': u'Fetching http://groups.skaggscatholiccenter.org/.well-known/acme-challenge/w1matVCnZNhVUom02sJz2QgWvlrqgXlk_8AT_2TPtJA: Timeout during connect (likely firewall problem)'}, u'validated': u'2021-06-18T15:54:01Z', u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'groups.skaggscatholiccenter.org'}, u'expires': u'2021-06-25T15:54:00Z'}
Timeout during connect (likely firewall problem)
You need a functional HTTP service before you can secure it (via HTTP authentication).
I get:
curl -Iki groups.skaggscatholiccenter.org
curl: (56) Recv failure: Connection reset by peer
2 Likes
sccmrb
September 30, 2021, 7:23pm
10
rg305
September 30, 2021, 7:28pm
11
That is ill-advised.
The most prudent thing to do is to allow port 80 in and only handle the challenge requests there and send all other requests to HTTPS [which can be locked down as much as you like].
But don't take my word for it, check the FAQ page.
2 Likes
sccmrb
September 30, 2021, 7:33pm
12
I haven't had any issues with it for the last several years doing it this way. Also, when they connect from their servers I'm allowing all ports, but general outside access is locked down from all other IPs. For giggles I briefly set it to allow 80, 443 from all IPs to this server and forced a cert update and it's the exact same error. So it's not the firewall.
rg305
September 30, 2021, 7:39pm
13
Please show this exact same error.
sccmrb
September 30, 2021, 7:43pm
14
This is the same error when the firewall rule for this server is set to allow ALL from ALL on ports 80 and 443.
Thu Sep 30 13:34:37 MDT 2021
Refreshing certificate for following domains:
groups.skaggscatholiccenter.org
Parsing account key...
Parsing CSR...
Found domains: groups.skaggscatholiccenter.org
Getting directory...
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
main(sys.argv[1:])
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Setting letsencrypt/status
As I said, it's the same error in the log and the one that started this off for me.
rg305
September 30, 2021, 7:47pm
15
Dude - please be patient with us, we are volunteers here.
This is only one of many open topics - and it has 380 posts.
Don't ask me to remember what you posted before.
4 Likes
sccmrb
September 30, 2021, 7:53pm
16
Dude I am being patient, I'm just impressed you're replying as fast as you are and I'm just replying when you reply so that you're not "waiting on me". Not mad at all, you're the one taking offense. I inspected the signed_chain.crt and it is indeed expired, how can I get a fresh chain certificate file?
1 Like
rg305
September 30, 2021, 7:54pm
17
OK no blood no foul - LOL
1 Like
rg305
September 30, 2021, 7:56pm
18
@sccmrb
I'm not sure why, but I do know how this is breaking.
It is the curl-type request from your system to the LE /directory that fails.
Which I'm sure has something to do with some TLS libraries using the wrong root.
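A small local diagnostic for the two failure modes this thread shows (the SSL: CERTIFICATE_VERIFY_FAILED error on the /directory request, and the earlier http-01 connect timeout), added here as an example; it is not code from the thread, acme_tiny or the Univention app. It assumes Python 3 with the standard library only; probe_directory performs a real request, while the other helpers run offline.

```python
"""Separate a local trust-store failure from a network failure when an
ACME client cannot reach the Let's Encrypt directory (added example)."""
import ssl
import time
from urllib.error import URLError
from urllib.request import urlopen

# URL taken from the traceback posted in the thread.
ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"


def classify_error(exc):
    """Coarse cause for an exception (or its text) raised by urlopen.

    'trust-store' means the handshake reached the server but local chain
    building failed, so opening port 80/443 on the firewall changes nothing.
    """
    text = str(exc)
    if "CERTIFICATE_VERIFY_FAILED" in text:
        return "trust-store"
    if "timeout" in text.lower() or "timed out" in text or "refused" in text:
        return "network"
    return "other"


def cert_expired(cert, now=None):
    """True if a getpeercert()-style dict has a notAfter in the past."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now


def trust_store_summary():
    """OpenSSL build and CA store used by *this* interpreter; it can differ
    from what the `openssl version` CLI reports on the same host."""
    paths = ssl.get_default_verify_paths()
    return {"openssl": ssl.OPENSSL_VERSION,
            "cafile": paths.cafile, "capath": paths.capath}


def probe_directory(url=ACME_DIRECTORY, timeout=10):
    """Make the same request acme_tiny makes; returns (cause, detail)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return "ok", "HTTP %d" % resp.status
    except (URLError, ssl.SSLError, OSError) as exc:
        return classify_error(exc), str(exc)


if __name__ == "__main__":
    print(trust_store_summary())
    print(probe_directory())
```

Run it on the host that renews the certificate: a "trust-store" result with an "ok" wget/curl result points at the Python-side CA bundle or OpenSSL build, not at the firewall.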
rg305
September 30, 2021, 8:04pm
19
@sccmrb
Remind me again...
What version of certbot are you running?