Domain finalization gets in to an endless loop

Hello,

I'm attempting to renew several of my domains, but mine right now as primary. My goal is to have both RSA 4096 and EC-256 keys for all the domains. My domain, the one right now, is davemehler.com and I'm using the latest acme.sh client. I've tried the new command both with and without the --force option. In both cases the output gets to the final verification, then loops for 15 seconds, attempts another verification and repeats. I've linked to my Dropbox as the output is mostly what I just said; the repeating is quite substantial. I'd appreciate any help.

Thanks.
Dave.


Hi @dmehler51. and welcome to the LE community forum :slight_smile:

You aren't requesting any certs from LE, so I don't know exactly how to help you.
[Sat Jul 9 18:46:35 EDT 2022] Using CA: https://acme.zerossl.com/v2/DV90

Show us the output of:
acme.sh --list
[and don't post it via dropbox]


@Rudy Thanks for your reply. It got me thinking and looking in another direction, and apparently I upgraded and was bit by the zerossl.com CA switch for acme.sh 3.x, and possibly saved (though it didn't feel that way) by the newly added CAA record for my domain. I would recommend that the Secure a Website or Domain with Let's Encrypt and acme.sh | Linode page be edited to contain a notation on 3.x and the change in CA so that users attempting to use that document won't get bit. Here's the information for completeness' sake.

#acme.sh --version

v3.0.5
#acme.sh --list
Main_Domain     KeyLength  SAN_Domains       CA           Created  Renew
davemehler.com  "4096"     *.davemehler.com  ZeroSSL.com
davemehler.com  "ec-256"   *.davemehler.com  ZeroSSL.com

#acme.sh --set-default-ca --server letsencrypt
[Sun Jul 10 06:02:44 EDT 2022] Changed default CA to:
https://acme-v02.api.letsencrypt.org/directory

That's looking much more normal so I tried a renew.

#acme.sh --issue --dns dns_linode_v4 --ocsp-must-staple --keylength 4096 --dnssleep 90 -d davemehler.com -d *.davemehler.com
[Sun Jul 10 06:05:38 EDT 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jul 10 06:05:38 EDT 2022] Multi domain='DNS:davemehler.com,DNS:*.davemehler.com'
[Sun Jul 10 06:05:38 EDT 2022] Getting domain auth token for each domain
[Sun Jul 10 06:05:40 EDT 2022] Getting webroot for domain='davemehler.com'
[Sun Jul 10 06:05:40 EDT 2022] Getting webroot for domain='*.davemehler.com'
[Sun Jul 10 06:05:40 EDT 2022] Adding txt value:
nU0JuDcD5_OQwpOY1KtoIo-j91iiWbdSMnDQQV7ZuZo for domain:
_acme-challenge.davemehler.com
[Sun Jul 10 06:05:40 EDT 2022] Using Linode
[Sun Jul 10 06:05:40 EDT 2022] Domain resource successfully added.
[Sun Jul 10 06:05:40 EDT 2022] The txt record is added: Success.
[Sun Jul 10 06:05:40 EDT 2022] Adding txt value:
nSOcf4TMtO5OqGknWjgBF5HzhpMHLe-bduPuZdU4qlw for domain:
_acme-challenge.davemehler.com
[Sun Jul 10 06:05:40 EDT 2022] Using Linode
[Sun Jul 10 06:05:41 EDT 2022] Domain resource successfully added.
[Sun Jul 10 06:05:41 EDT 2022] The txt record is added: Success.
[Sun Jul 10 06:05:41 EDT 2022] Sleep 90 seconds for the txt records to
take effect
90 89 88 87 86 85 84 83
82 81 80 79 78 77 76 75 74
73 72 71 70 69 68 67 66 65
64 63 62 61 60 59 58 57 56
55 54 53 52 51 50 49 48 47
46 45 44 43 42 41 40 39 38
37 36 35 34 33 32 31 30
29 28 27 26 25 24 23 22 21
20 19 18 17 16 15 14 13 12
11 10 9 8 7 6 5 4 3 2
1 0[Sun Jul 10 06:07:14 EDT 2022] Verifying: davemehler.com
[Sun Jul 10 06:07:14 EDT 2022] It seems the CA server is busy now,
let's wait and retry. Sleeping 1 seconds.
1 0[Sun Jul 10 06:07:17 EDT 2022] Pending, The CA is
processing your order, please just wait. (1/30)
2 1 0[Sun Jul 10 06:07:20 EDT 2022] Success
[Sun Jul 10 06:07:20 EDT 2022] Verifying: *.davemehler.com
[Sun Jul 10 06:07:20 EDT 2022] Pending, The CA is processing your
order, please just wait. (1/30)
2 1 0[Sun Jul 10 06:07:24 EDT 2022] Success
[Sun Jul 10 06:07:24 EDT 2022] Removing DNS records.
[Sun Jul 10 06:07:24 EDT 2022] Removing txt:
nU0JuDcD5_OQwpOY1KtoIo-j91iiWbdSMnDQQV7ZuZo for domain:
_acme-challenge.davemehler.com
[Sun Jul 10 06:07:24 EDT 2022] Using Linode
[Sun Jul 10 06:07:24 EDT 2022] Domain resource successfully deleted.
[Sun Jul 10 06:07:24 EDT 2022] Removed: Success
[Sun Jul 10 06:07:24 EDT 2022] Removing txt:
nSOcf4TMtO5OqGknWjgBF5HzhpMHLe-bduPuZdU4qlw for domain:
_acme-challenge.davemehler.com
[Sun Jul 10 06:07:24 EDT 2022] Using Linode
[Sun Jul 10 06:07:25 EDT 2022] Domain resource successfully deleted.
[Sun Jul 10 06:07:25 EDT 2022] Removed: Success
[Sun Jul 10 06:07:25 EDT 2022] Verify finished, start to sign.
[Sun Jul 10 06:07:25 EDT 2022] Lets finalize the order.
[Sun Jul 10 06:07:25 EDT 2022]
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/625234656/105473414806'
[Sun Jul 10 06:07:26 EDT 2022] Downloading cert.
[Sun Jul 10 06:07:26 EDT 2022]
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03f8d585e1bcbbacc2201d559bb1dee52d5d'
[Sun Jul 10 06:07:26 EDT 2022] Cert success.
[Sun Jul 10 06:07:26 EDT 2022] Your cert is in:
/root/.acme.sh/davemehler.com/davemehler.com.cer
[Sun Jul 10 06:07:26 EDT 2022] Your cert key is in:
/root/.acme.sh/davemehler.com/davemehler.com.key
[Sun Jul 10 06:07:27 EDT 2022] The intermediate CA cert is in:
/root/.acme.sh/davemehler.com/ca.cer
[Sun Jul 10 06:07:27 EDT 2022] And the full chain certs is there:
/root/.acme.sh/davemehler.com/fullchain.cer

Excellent! That went a lot better. I do have a few questions regarding the lines

[Sun Jul 10 06:07:27 EDT 2022] The intermediate CA cert is in:
/root/.acme.sh/davemehler.com/ca.cer
[Sun Jul 10 06:07:27 EDT 2022] And the full chain certs is there:
/root/.acme.sh/davemehler.com/fullchain.cer

What are those, and what are the differences between them? Which do I need for OCSP stapling, and if the fullchain, what role does the other play? My web server is Apache 2.4.5x I believe.

I settled on EC-256 because my S7 phone (running Android 10 at the time of its passing) was only able to access the ECC cert Prime256V1. I do not know, and have not been able to find out, what my current phone, an S20 running Android 12, can support. Can you help on that? I'd like to upgrade my ECC setup with these certificates if possible.
Thanks.
Dave.

The default chain for Let's Encrypt uses 2 intermediate certs in addition to your leaf (or server) cert. The ca.cer contains just the 2 intermediate certs. The fullchain.cer contains your leaf and the 2 intermediates. For Apache, it depends on your version which files you use. But, modern Apache versions use just the fullchain.crt and the private key file. See this too

You need to review Apache docs for configuring stapling. You then set the option for stapling in the cert although I don't know how in acme.sh off-hand.

Did you just add an AAAA record to your DNS? Because connections using IPv6 fail and that will prevent getting a cert since Let's Encrypt uses the AAAA IP address when present. You should correct your IPv6 routing or remove the AAAA record if not possible.

nslookup davemehler.com
A address   : 66.228.47.34
AAAA Address: 2600:3c03::f03c:91ff:fedf:6fc

curl -I4 -m10 http://davemehler.com  (4 uses IPv4)
HTTP/1.1 301 Moved Permanently
Date: Sun, 10 Jul 2022 12:16:11 GMT
Server: Apache
Location: https://davemehler.com/
(other headers omitted)

curl -I6 -m10 http://davemehler.com  (6 uses IPv6)
curl: (28) Failed to connect to davemehler.com port 80 after 5002 ms: Connection timed out

Thanks. I'm having other issues with IPv6 on this server so I've
removed the AAAA records from the setup.

I believe I've got everything right, but I'm still getting a no
response sent message.

openssl s_client -connect davemehler.com:443 -status -servername davemehler.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = davemehler.com
verify return:1
OCSP response: no response sent



See: How To Configure OCSP Stapling on Apache and Nginx | DigitalOcean

TL;DR: For Apache, use: SSLUseStapling on


@dmehler51
Any news?


@rg305 Thanks, it's still not working. I've tried this command:

openssl s_client -connect davemehler.com:443 -status 2> /dev/null |
grep -A 17 'OCSP response:' | grep -B 17 'Next Update'

and got no output at all. I can connect to the server but it doesn't say anything about stapling. I then did a check on SSL Server Test (Powered by Qualys SSL Labs) and I got this in the results:

This server certificate supports OCSP must staple but OCSP response is
not stapled.

For certificate #1
OCSP Must Staple
Supported, OCSP response not stapled
Revocation information
OCSP
OCSP: http://r3.o.lencr.org
Revocation status
Good (not revoked)

For certificate #2:
OCSP Must Staple
Supported, OCSP response not stapled
Revocation information
OCSP
OCSP: http://r3.o.lencr.org
Revocation status
Good (not revoked)

Lastly neither certificate gives me a chain issue.

Thanks.
Dave.

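A small checker for the situation this thread runs into (a certificate issued with --ocsp-must-staple being served without a stapled response), added here as an example; it is not acme.sh code or anything posted in the thread. It classifies the text that `openssl s_client -status` and `openssl x509 -text` print, assumes the openssl binary is on PATH for the live probe(), and the sample outputs below are constructed rather than captured from davemehler.com.

```python
import re
import subprocess

# Patterns match what `openssl s_client -status` and `openssl x509 -text` print.
MUST_STAPLE_RE = re.compile(r"TLS Feature:\s*status_request")      # RFC 7633 extension
STAPLED_RE = re.compile(r"OCSP Response Status:\s*successful")
NEXT_UPDATE_RE = re.compile(r"Next Update:\s*(.+)")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def classify(s_client_output: str, cert_text: str) -> dict:
    """Combine the handshake result with the leaf certificate's extensions.

    FAIL = cert carries Must-Staple but the server sent no OCSP response; a
    client that honours the extension will refuse the connection. WARN = no
    stapled response, but the cert does not demand one. OK = response stapled.
    """
    must_staple = bool(MUST_STAPLE_RE.search(cert_text))
    stapled = bool(STAPLED_RE.search(s_client_output))
    match = NEXT_UPDATE_RE.search(s_client_output)
    next_update = match.group(1).strip() if match else None
    if must_staple and not stapled:
        verdict = "FAIL"
    elif stapled:
        verdict = "OK"
    else:
        verdict = "WARN"
    return {"must_staple": must_staple, "stapled": stapled,
            "next_update": next_update, "verdict": verdict}


def probe(host: str, port: int = 443, timeout: int = 15) -> dict:
    """Live check against a host (needs network access and the openssl binary)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout).stdout.decode(errors="replace")
    pem = PEM_RE.search(out)
    if not pem:
        raise RuntimeError(f"no certificate returned by {host}")
    cert_text = subprocess.run(["openssl", "x509", "-noout", "-text"], input=pem.group(0).encode(),
                               capture_output=True, timeout=timeout).stdout.decode(errors="replace")
    return classify(out, cert_text)


# Constructed samples modelled on the two openssl outputs (not captured from a real host).
SAMPLE_NO_STAPLE = "CONNECTED(00000003)\ndepth=0 CN = example.test\nverify return:1\nOCSP response: no response sent\n"
SAMPLE_STAPLED = ("CONNECTED(00000003)\nOCSP response: \n======================================\n"
                  "OCSP Response Data:\n    OCSP Response Status: successful (0x0)\n"
                  "    Cert Status: good\n    This Update: Jul 10 05:00:00 2022 GMT\n"
                  "    Next Update: Jul 17 05:00:00 2022 GMT\n")
SAMPLE_CERT_MUST_STAPLE = "        X509v3 extensions:\n            TLS Feature: \n                status_request\n"
SAMPLE_CERT_PLAIN = "        X509v3 extensions:\n            X509v3 Key Usage: critical\n"
```

Run `probe("davemehler.com")` for the live result; `classify()` alone works offline on saved openssl output.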

Do you add the line?:


@rg305 Thank you for your reply. I do indeed have the

SSLUseStapling on

line in my configuration. Here it is.

Thanks.
Dave.

#cat httpd-ssl.conf

SSLProtocol +TLSv1.3 +TLSv1.2
SSLOpenSSLConfCmd Curves X25519:prime256v1
SSLOpenSSLConfCmd ECDHParameters prime256v1
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression          off
SSLInsecureRenegotiation Off
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
### OCSP stapling config
SSLStaplingCache "shmcb:logs/ssl_stapling(128000)"
SSLStaplingResponseMaxAge 900
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Listen 172.16.21.4:443 https

That was my ssl global configuration file. Here's my domain-specific
port 80 and 443 configuration file.

#cat davemehler.com.conf

# The davemehler.com http virtual host
<VirtualHost *:80>
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

# The davemehler.com https virtual host
<VirtualHost *:443>
ServerAdmin webmaster@davemehler.com
ServerName davemehler.com
ServerAlias www.davemehler.com
DocumentRoot "/usr/vhosts/davemehler.com/htdocs/"

ErrorLog /usr/vhosts/davemehler.com/logs/error.log
CustomLog /usr/vhosts/davemehler.com/logs/access.log combined
ExpiresActive on
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType image/webp "access plus 1 month"

# TLS Configuration
# RSA
SSLEngine on
SSLCertificateFile "/usr/local/etc/ssl/acme.sh/davemehler.com/fullchain.crt"
SSLCertificateKeyFile "/usr/local/etc/ssl/acme.sh/davemehler.com/private/server.key"

# ECDSA
SSLCertificateFile "/usr/local/etc/ssl/acme.sh/davemehler.com_ecc/fullchain.crt"
SSLCertificateKeyFile "/usr/local/etc/ssl/acme.sh/davemehler.com_ecc/private/server-ec256.key"

# Support OCSP Stapling
SSLCACertificateFile "/usr/local/etc/ssl/acme.sh/davemehler.com/cacert.crt"
SSLUseStapling on

ErrorDocument 404 /errordocs/error404.html
    ErrorDocument 500 /errordocs/error50x.html
    ErrorDocument 501 /errordocs/error50x.html
    ErrorDocument 502 /errordocs/error50x.html
    ErrorDocument 503 /errordocs/error50x.html
    ErrorDocument 504 /errordocs/error50x.html

    <Files "error404.html">
        <If "-z %{ENV:REDIRECT_STATUS}">
            RedirectMatch 404 ^/errordocs/error404.html$
        </If>
    </Files>

    <Files "error50x.html">
        <If "-z %{ENV:REDIRECT_STATUS}">
            RedirectMatch 404 ^/errordocs/error50x.html$
        </If>
    </Files>

# Uncomment the below 2 lines when deploy http2
H2Direct on
Protocols h2 h2c http/1.1

<Directory "/usr/vhosts/davemehler.com/htdocs/">
 Options FollowSymLinks
SSLRequireSSL
AllowOverride None
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI "\.(?:gif|jpe?g|png)$" no-gzip
Require all granted
</Directory>
</VirtualHost>

#openssl s_client -connect davemehler.com:443 -status -servername davemehler.com
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = davemehler.com
verify return:1
OCSP response: