Error issuing a Let's Encrypt SSL certificate in cPanel

Hi,
I have a problem issuing an SSL certificate for a domain via Let’s Encrypt. When I try to issue a Let’s Encrypt SSL certificate via the Let’s Encrypt™ SSL tool in cPanel, I receive the error below:

There was a problem processing your request

Error issuing certificate
Failed to issue certificate
Error during certificate generation: Post https://acme-v01.api.letsencrypt.org/acme/new-cert: EOF
Go Back

In the cPanel log I see the error below:

[2018-01-08 10:32:52 +0700] warn [cpaneld] The subprocess (cpanel (cpanel)) exited with an error: The subprocess ended prematurely because it received the “ALRM” (14) signal. at /usr/local/cpanel/Cpanel/Server/Handlers/SubProcess.pm line 239.
Cpanel::Server::Handlers::SubProcess::_report_subprocess_errors(Cpanel::Server::Handlers::SubProcess=HASH(0x2e85f18)) called at /usr/local/cpanel/Cpanel/Server/Handlers/SubProcess.pm line 97
Cpanel::Server::Handlers::SubProcess::handler(Cpanel::Server::Handlers::SubProcess=HASH(0x2e85f18), “subprocess_name”, “cpanel (cpanel)”, “subprocess_read_handle”, IO::Handle=GLOB(0x2ea0848), “subprocess_write_handle”, IO::Handle=GLOB(0x2e7da38), “api_type”, …) called at cpsrvd.pl line 6658
cpanel::cpsrvd::cpHandler(“app”, “cpanel”, “document”, “./frontend/paper_lantern/letsencrypt/letsencrypt.live.cgi”) called at cpsrvd.pl line 2400
cpanel::cpsrvd::dodoc_cpaneld() called at cpsrvd.pl line 1640
cpanel::cpsrvd::dodoc(HASH(0x13412c0)) called at cpsrvd.pl line 1424
cpanel::cpsrvd::handle_one_connection(6) called at cpsrvd.pl line 873
cpanel::cpsrvd::script() called at cpsrvd.pl line 321

Please help me debug this problem!
Thanks

Please get in touch with us via the technical support form and remember to include the support logs as prompted. This forum is not a support channel for our plugin :slight_smile: !


Hi _az,
Thanks, I created a Technical Support ticket at https://letsencrypt-for-cpanel.com/contact
Please check it and help me!
Thanks

Hi,
Can you let me know all the API endpoints the plugin connects to at Let’s Encrypt to issue SSL certificates?
We want to check the network connection from my server to your server that issues the Let’s Encrypt SSL certificate.

Thanks

Hi Luu,

https://acme-v01.api.letsencrypt.org is the ONLY external server that the plugin connects to. You could test connectivity by running:

curl -i https://acme-v01.api.letsencrypt.org/directory

I have responded to your email with a follow-up question, btw.


Hi _az,
I received your email.
I will respond.
Thanks

@cpu could we please get your assistance?

I am not able to get to the bottom of a seemingly network-related issue with @luuvuong .

I have written a reproduction program, which is at the bottom of this post.

It seems like large request bodies are not making it to Boulder via Akamai in South East Asia.

Their output from the program is as follows. I can’t reproduce it on any other network, and they can send large request bodies to other hosts (cpanel.com, example.org) just fine.

If we send a small request body (e.g. 1K) it works OK.

[root@webhost-0104 ~]# ./network-test
Trying against https://cpanel.com with 50012 bytes body
        [1515405940593163588] Got conn to 208.74.121.58:443
        [1515405940593546450] Wrote request
        [1515405941274465754] TTFB
        [1515405941275096792] Response: 200 OK (24707 bytes): [PCFET0NUWVBFIGh0bWw+CjxodG1sIGxhbmc9ImVuIj4KCiAgPGhlYWQ+CiAgICA8bWV0YSBjaGFyc2V0PSJ1dGYtOCI+CiAgICA8bWV0YSBodHRwLWVxdWl2PSJYLVVBLUNvbQ==]...

Trying against https://example.org with 50012 bytes body
        [1515405941862972818] Got conn to 93.184.216.34:443
        [1515405941863449239] Wrote request
        [1515405942413049915] TTFB
        [1515405942413448127] Response: 200 OK (1270 bytes): [PCFkb2N0eXBlIGh0bWw+CjxodG1sPgo8aGVhZD4KICAgIDx0aXRsZT5FeGFtcGxlIERvbWFpbjwvdGl0bGU+CgogICAgPG1ldGEgY2hhcnNldD0idXRmLTgiIC8+CiAgICA8bQ==]...

Trying against https://127.0.0.1:2083 with 50012 bytes body
        [1515405942421597395] Got conn to 127.0.0.1:2083
        [1515405942421896672] Wrote request
        [1515405942462921579] TTFB
        [1515405942463802530] Response: 401 Access Denied (42225 bytes): [CjwhRE9DVFlQRSBodG1sPgo8aHRtbCBsYW5nPSJlbiIgZGlyPSJsdHIiPgo8aGVhZD4KICAgIDxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dA==]...

Trying against https://acme-v01.api.letsencrypt.org/acme/new-cert with 50012 bytes body
        [1515405942604677618] Got conn to 104.111.200.137:443
        [1515405942604864840] Wrote request
        [1515405972463974115] Experienced request error: Post https://acme-v01.api.letsencrypt.org/acme/new-cert: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

Trying against https://acme-staging.api.letsencrypt.org/acme/new-cert with 50012 bytes body
        [1515405972590767451] Got conn to 104.111.200.137:443
        [1515405972590974514] Wrote request
        [1515406002464191275] Experienced request error: Post https://acme-staging.api.letsencrypt.org/acme/new-cert: net/http: request canceled (Client.Timeout exceeded while awaiting headers)

package main

import (
	"bytes"
	"crypto/tls"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"net/http/httptrace"
	"os"
	"strconv"
	"strings"
	"time"
)

func main() {
	// NETWORK_TEST_SIZE is in units of 100 bytes. The default (500) gives a
	// 50000-byte value inside the 12-byte {"dummy":""} wrapper: 50012 bytes.
	bufSize, _ := strconv.Atoi(os.Getenv("NETWORK_TEST_SIZE"))
	if bufSize == 0 {
		bufSize = 500
	}

	buf, _ := json.Marshal(map[string]string{
		"dummy": strings.Repeat("x", bufSize*100),
	})

	// Two public hosts and the local cPanel port serve as controls; the
	// production and staging ACME endpoints are the ones under test.
	urls := []string{
		"https://cpanel.com",
		"https://example.org",
		"https://127.0.0.1:2083",
		"https://acme-v01.api.letsencrypt.org/acme/new-cert",
		"https://acme-staging.api.letsencrypt.org/acme/new-cert",
	}

	for _, u := range urls {
		hit(u, buf)
	}
}

// hit POSTs payload to u once and prints timestamped trace events so that
// "wrote request" can be compared against time-to-first-byte or the timeout.
func hit(u string, payload []byte) {
	defer fmt.Println()

	cl := &http.Client{
		Timeout: 30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				// Only needed for the self-signed certificate on
				// 127.0.0.1:2083; it has no bearing on whether the
				// request body reaches the server.
				InsecureSkipVerify: true,
			},
		},
	}

	req, err := http.NewRequest("POST", u, bytes.NewReader(payload))
	if err != nil {
		panic(err)
	}

	trace := &httptrace.ClientTrace{
		GotConn: func(connInfo httptrace.GotConnInfo) {
			fmt.Printf("\t[%d] Got conn to %s\n", time.Now().UnixNano(), connInfo.Conn.RemoteAddr())
		},
		WroteRequest: func(i httptrace.WroteRequestInfo) {
			fmt.Printf("\t[%d] Wrote request\n", time.Now().UnixNano())
		},
		Got100Continue: func() {
			fmt.Printf("\t[%d] Got 100-continue\n", time.Now().UnixNano())
		},
		GotFirstResponseByte: func() {
			fmt.Printf("\t[%d] TTFB\n", time.Now().UnixNano())
		},
	}
	req = req.WithContext(httptrace.WithClientTrace(req.Context(), trace))

	fmt.Printf("Trying against %s with %d bytes body\n", u, len(payload))

	resp, err := cl.Do(req)
	if err != nil {
		fmt.Printf("\t[%d] Experienced request error: %v\n", time.Now().UnixNano(), err)
		return
	}

	defer resp.Body.Close()

	var buf []byte
	if buf, err = ioutil.ReadAll(resp.Body); err != nil {
		fmt.Printf("\t[%d] Experienced read error: %v\n", time.Now().UnixNano(), err)
	}

	// Print at most the first 100 bytes; slicing buf[:100] unconditionally
	// would panic on a response body shorter than that.
	n := len(buf)
	if n > 100 {
		n = 100
	}
	fmt.Printf("\t[%d] Response: %s (%d bytes): [%v]...\n", time.Now().UnixNano(),
		resp.Status, len(buf), base64.StdEncoding.EncodeToString(buf[:n]))
}

Hi @_az,

Thanks for tagging me (and the reproduction program! that's great!)

I will pass this to our operations team so they can contact Akamai support to see if there's something that needs to change in our configuration or if this is an issue on the CDN-side that needs resolving.


Hi cpu,
Please help me!
Thanks

Hi @luuvuong, please be patient :slight_smile: Our operations team will be working on this problem and will reply on-thread if there is anything they need from you or if there are any updates to provide.

Thanks!


Hi @cpu, sure! Thanks so much!


After looking through the available diagnostic tools available from the CDN, I have not been able to determine the problem. I have opened a case with our CDN to look further into this and will report any updates and findings here.


Hi jillian,
Thanks for the reply!
Please notify me when you have more information.

Hi @jillian,

An additional data point that may help Akamai pin down the problem:

I have provided @luuvuong with a different IP (via /etc/hosts) to use to talk to acme-v01 (specifically 23.49.216.139, an Akamai POP in Australia), and they report that this restores the ability to send large request bodies.

Hopefully this helps narrow down any CDN issues!


@_az thanks for providing a workaround while we look for the bigger problem. I’ve asked @luuvuong in a DM for his IP address and what region his host is located in, to give the CDN a narrower area. Are you able to provide an IP address in SE Asia that experiences this problem where large request bodies fail?


Sure, sent you a DM.


Thanks @_az I have forwarded the information along.

@luuvuong, will you please run the following command from the hosts that were experiencing problems with large request bodies: curl -I https://acme-v01.api.letsencrypt.org -H "Pragma: akamai-x-cache-on, akamai-x-get-cache-key, akamai-x-get-true-cache-key, akamai-x-get-request-id" and provide the results here. Please make sure that when you run this command you remove or comment out the workaround in your /etc/hosts. The results of this command will give the CDN information to help diagnose the problem.


Hi Jillian,

I already ran the command line above that you provided. I am sending the result below from running it. Sure, I already removed the entry from /etc/hosts.

HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
Content-Length: 2175
Last-Modified: Tue, 13 Oct 2015 15:42:36 GMT
ETag: "561d266c-87f"
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Accept-Ranges: bytes
X-Akamai-Request-ID: 11f39561.131b538a
Expires: Thu, 11 Jan 2018 01:40:50 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 11 Jan 2018 01:40:50 GMT
X-Cache: TCP_MISS from a184-28-218-215.deploy.akamaitechnologies.com (AkamaiGHost/9.1.4.4-21488373) (-)
X-Cache-Key: S/D/981/432721/000/origin-2pvah7paghah4iu6P.api.letsencrypt.org/
X-True-Cache-Key: /D/000/origin-2pvah7paghah4iu6P.api.letsencrypt.org/
Connection: keep-alive

Thank you for providing your results. I have passed them onto our CDN to examine. I will keep you updated with any more requests or results.


@luuvuong Apologies for a lag in getting back to you.

I would also like to see the POST request. You can do this by adding -X GET after the curl -I part of the command.

You can also modify the small script written by @_az to include the Pragma headers and then run the updated script.

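Added example, not code from this thread or from the plugin: a Go probe in the spirit of _az's network-test that does what jillian asked for, sending the Akamai debug Pragma header on the POST so that a response carries X-Akamai-Request-ID and X-Cache, and then bisecting the body size between a size known to work and one known to fail to find the largest body that still gets a response. The URL and the two bracket sizes are command-line arguments (an assumption; the defaults of 1000 and 50000 come from the thread, where a 1K body worked and a 50012-byte body timed out). The header names are the ones visible in the curl output above; everything else is the example's own design.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strconv"
	"strings"
	"time"
)

// Pragma value from jillian's curl command: Akamai edge nodes that see these
// tokens echo cache and request-id diagnostics in the response headers.
const akamaiDebugPragma = "akamai-x-cache-on, akamai-x-get-cache-key, akamai-x-get-true-cache-key, akamai-x-get-request-id"

// ProbeResult records what one POST of a given body size produced.
type ProbeResult struct {
	BodySize  int
	Status    string        // empty when Err is set
	RequestID string        // X-Akamai-Request-ID, what the CDN needs to trace a request
	Cache     string        // X-Cache: which edge node answered
	Elapsed   time.Duration // until headers arrived, or until the error
	Err       error         // timeout, EOF, TLS failure
}

// NewProbeRequest builds a POST whose JSON body is bodySize bytes of padding
// inside the 12-byte {"dummy":""} wrapper (same shape as the thread's
// network-test) and adds the Akamai debug Pragma header.
func NewProbeRequest(u string, bodySize int) (*http.Request, error) {
	body, err := json.Marshal(map[string]string{"dummy": strings.Repeat("x", bodySize)})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, u, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Pragma", akamaiDebugPragma)
	return req, nil
}

// EdgeDiagnostics pulls the Akamai debug headers out of a response.
func EdgeDiagnostics(h http.Header) (requestID, cache string) {
	return h.Get("X-Akamai-Request-ID"), h.Get("X-Cache")
}

// Probe sends one POST and reports status, timing and edge diagnostics.
// The body is drained and discarded; only the headers matter here.
func Probe(cl *http.Client, u string, bodySize int) ProbeResult {
	res := ProbeResult{BodySize: bodySize}
	req, err := NewProbeRequest(u, bodySize)
	if err != nil {
		res.Err = err
		return res
	}
	start := time.Now()
	resp, err := cl.Do(req)
	res.Elapsed = time.Since(start)
	if err != nil {
		res.Err = err
		return res
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	res.Status = resp.Status
	res.RequestID, res.Cache = EdgeDiagnostics(resp.Header)
	return res
}

// FindThreshold bisects for the largest body size that still works, given a
// size known to work (lo) and one known to fail (hi). The answer is only
// meaningful if works is monotone, so repeat probes near the boundary before
// reporting the number to the CDN.
func FindThreshold(works func(size int) bool, lo, hi int) int {
	for hi-lo > 1 {
		mid := lo + (hi-lo)/2
		if works(mid) {
			lo = mid
		} else {
			hi = mid
		}
	}
	return lo
}

func main() {
	if len(os.Args) != 2 && len(os.Args) != 4 {
		fmt.Fprintln(os.Stderr, "usage: probe URL [goodSize badSize]")
		os.Exit(2)
	}
	lo, hi := 1000, 50000 // 1K worked and 50012 bytes failed in the thread
	if len(os.Args) == 4 {
		lo, _ = strconv.Atoi(os.Args[2])
		hi, _ = strconv.Atoi(os.Args[3])
	}
	cl := &http.Client{Timeout: 30 * time.Second} // TLS verification stays on
	report := func(size int) bool {
		r := Probe(cl, os.Args[1], size)
		fmt.Printf("%6d bytes: status=%q elapsed=%s request-id=%q cache=%q err=%v\n",
			r.BodySize, r.Status, r.Elapsed.Round(time.Millisecond), r.RequestID, r.Cache, r.Err)
		return r.Err == nil
	}
	if !report(lo) || report(hi) {
		fmt.Println("sizes do not bracket a failure; nothing to bisect")
		return
	}
	fmt.Printf("largest body that still gets a response: %d bytes\n", FindThreshold(report, lo, hi))
}
```

Two things to keep in mind when using it against the ACME hosts. A request that times out never receives headers, so there is no X-Akamai-Request-ID for the failing sizes; the IDs the CDN can act on come from the largest size that still answers and from the `curl -I` GET, which is why both are worth collecting together with the edge node named in X-Cache. And unlike the thread's network-test this client leaves TLS verification on, so it will refuse cPanel's self-signed certificate on 127.0.0.1:2083; that control host is not needed here because the point is the ACME endpoint behind the CDN.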