Getssl: your version of curl needs updating, it does not support SNI (multiple SSL domains on a single IP)


#1

firstly, hello to the community from me. i like this product of yours :slight_smile: !

now, back to the error message:
this happened after i created the ca-bundle.crt successfully and restarted apache etc.

i eventually restored the whole certs directory and this fixed it, but reruns of getssl resulted in the files being created in the right places but then had errors trying to copy from a tmp directory.

now it tells me, understandably so, that "getssl: Sign failed: “detail”: “Error creating new cert :: Too many certificates already issued for exact set of domains:” – how long do i wait before i can start testing it (getssl) again ?

SO I ASK: why am i having issues when creating the ca-bundle.crt ? my CURL version is very recent so the error was misleading.

AND, please, if i use the getssl script to copy the files, then it always tells me that the certificate on the server is different from mine (but everything works, anyway !)

I hope all this isn’t too confusing, sorry about that.


#2

About the ‘too many certificates issued’ error: there’s a max of 5 duplicate certificates in a sliding window of 7 days.

But TESTING should be done against the STAGING server, not production!

For your error with getssl, you should get in touch with the developer of getssl I guess, because it’s a third party client, not the “official” Let’s Encrypt client.


#3

Hi,

Specifically for getssl, it’s generally better to use the getssl site (https://github.com/srvrco/getssl/issues). However, as the author of getssl I’ll reply here.

You have several issues here:

First is the “your version of curl needs updating”. You should ideally update the version of curl - what is your operating system ?

Second - “Too many certificates already issued”. All the existing certs should be in the .getssl/domain folder - so you should be able to use your existing certs. For testing, you should use the staging server (it was the default ACME server in your getssl.cfg file). You can use the staging server now - you will need to wait a week for the live acme server for that exact list of domain names.

Third " why am i having issues when creating the ca-bundle.crt". Please can you use the --debug option, and paste the results in pastebin.com or email to getssl at serverco.com

Fourth - “if i use the getssl script to copy the files, then it always tells me that the certificate on the server is different from mine”. Once it has uploaded the certificate to the server, and reloaded the server data, it then checks your web page to see if it’s using the cert you just obtained. The warning says it isn’t. Again, the full debug info should tell us why.


#4

Thanks, i have tried the staging server (after saving all my files first) and i can recreate the problem so yeah, i will get in touch with getssl support if i am to pursue this.


#5

Thanks for replying so quickly … cool, you are just the man i need now !

firstly, i am running CentOS 6.7 and i just upgraded to:
libcurl.x86_64 7.19.7-52.el6

second: done and thanks to the first responder. Got it !

third: this is the output after i created the ca-bundle.crt:

/getssl forum.drugs-and-users.org -f --debug
detected os type = linux
checking for required which … /usr/bin/which
checking for required openssl … /usr/bin/openssl
checking for required curl … /usr/bin/curl
checking for required nslookup … /usr/bin/nslookup
checking for required awk … /bin/awk
checking for required tr … /usr/bin/tr
checking for required date … /bin/date
checking for required grep … /bin/grep
checking for required sed … /bin/sed
checking for required sort … /bin/sort
getssl: your version of curl needs updating, it does not support SNI (multiple SSL domains on a single IP)

fourth: this is the run with the ca-bundle specified and the warning:

./getssl forum.drugs-and-users.org -f
existing csr at /root/.getssl/forum.drugs-and-users.org/forum.drugs-and-users.org.csr does not have the same domains as the config - re-create-csr
creating domain csr - /root/.getssl/forum.drugs-and-users.org/forum.drugs-and-users.org.csr
Registering account
Verify each domain
Verifying forum.drugs-and-users.org
forum.drugs-and-users.org is already validated
Verification completed, obtaining certificate.
Certificate saved in /root/.getssl/forum.drugs-and-users.org/forum.drugs-and-users.org.crt
The intermediate CA cert is in /root/.getssl/forum.drugs-and-users.org/chain.crt
copying domain certificate to /etc/pki/tls/certs/forum.drugs-and-users.org.crt
copying private key to /etc/pki/tls/private/forum.drugs-and-users.org.key
copying CA certificate to /etc/pki/tls/certs/chain.crt
copying private key and domain cert pem to /etc/webmin/miniserv.pem
copying full key, cert and chain pem to /etc/pki/tls/certs/ca-bundle.crt
getssl: forum.drugs-and-users.org - certificate obtained but certificate on server is different from the new certificate

sorry about the site’s URL and business, we are a Harm Reduction site.


#6

Then after using the LIVE (non staging area), after restoring the original files, if i run getssl i get this:

./getssl -a
Check all certificates
remote expires sooner than local … will attempt to upload from local
copying domain certificate to /etc/pki/tls/certs/forum.drugs-and-users.org.crt
copying private key to /etc/pki/tls/private/forum.drugs-and-users.org.key
copying CA certificate to /etc/pki/tls/certs/chain.crt
copying private key and domain cert pem to /etc/webmin/miniserv.pem
cp: cannot stat `/root/.getssl/forum.drugs-and-users.org/tmp/forum.drugs-and-users.org_k_C.pem’: No such file or directory
getssl: cannot copy /root/.getssl/forum.drugs-and-users.org/tmp/forum.drugs-and-users.org_k_C.pem to /etc/webmin/miniserv.pem


#7

Issue 1: I have a version of centos 6.8 (rather than 6.7) I can use for testing

CentOS release 6.8 (Final)
# curl -V 
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 
# curl -I "https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'

can you tell me what you have for those 2 curl commands ?

issue 2: solved above ( thanks @Osiris )

Issue 3: This looks to be the same as Issue 1: you can bypass this by using "-U" or "--nocheck" on the command line - I’d prefer to find the reason though, hence my questions above re: issue 1.

re the “_k_C.pem” not found issue - thanks. I see a bug there, I’ll issue a fix shortly.


#8

Bug fixed - you will need to update to the latest version.


#9

issue 1:

[root@forum ~]# curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.21 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

[root@forum ~]# curl -I "https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
HTTP/1.1 200 OK
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
ETag: "4312bad4752c150f382b254b0ec9b018d6075b4f"
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=300
X-Geo-Block-List:
X-GitHub-Request-Id: 2BF94B1B:0867:61ED46F:5828776D
Content-Length: 72960
Accept-Ranges: bytes
Date: Sun, 13 Nov 2016 14:23:42 GMT
Via: 1.1 varnish
Connection: keep-alive
X-Served-By: cache-sin6921-SIN
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1479047021.774078,VS0,VE270
Vary: Authorization,Accept-Encoding
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 2acee6b7b5f8d31db58e4b2f8e8fc85b64e4ccf2
Expires: Sun, 13 Nov 2016 14:28:42 GMT
Source-Age: 0

issue 3 -> this may be partly my fault as i built the PEM file myself by concatenating my key+cert manually. I then tried to expand the getssl.cfg in my site-name-directory and that’s what got me confused … what i wanted to achieve was a totally automatic update when the certificate expires (i love automation) but i’m not there yet. any suggestions would be great !


#10

ok, testing it now …


#11

i get the same issue with curl:

[root@forum ~]# rungetssl
Updated getssl from v1.81 to v1.82
these update notification can be turned off using the -Q option

Updates are;

2016-11-13 bug fix DOMAIN_KEY_CERT generation (1.82)

Check all certificates
remote expires sooner than local, attempting to upload from local
copying domain certificate to /etc/pki/tls/certs/forum.drugs-and-users.org.crt
copying private key to /etc/pki/tls/private/forum.drugs-and-users.org.key
copying CA certificate to /etc/pki/tls/certs/chain.crt
copying private key and domain cert pem to /etc/webmin/miniserv.pem
copying full pem to /etc/pki/tls/certs/ca-bundle.crt
certificate for forum.drugs-and-users.org is still valid for more than 30 days (until Feb 11 12:55:00 2017 GMT)
[root@forum ~]# rungetssl
getssl: curl needs updating, your version does not support SNI (multiple SSL domains on a single IP)

– as soon as it copies the newly created ca-bundle.crt … if i don’t use that bundle then at least it doesn’t complain about curl needing updating.


#12

interesting. So it works first time

rungetssl
Updated getssl from v1.81 to v1.82
these update notification can be turned off using the -Q option

then, once you have run it and copied the newly created ca-bundle.crt it then gives the error

# rungetssl
getssl: curl needs updating, your version does not support SNI (multiple SSL domains on a single IP)

Does your path change at all (echo $PATH) and do you possibly have 2 different versions of curl ?

odd that copying a cert should change curl !! what’s in your getssl.cfg file ?


#13

automation should be fine on that - you just want the key and cert ( but not the CA cert ) in one file in a given location ? is that correct ?


#14

no, the path doesn’t change AND another odd thing is that when it copies the local files, i lose https integrity SO should i copy the working files back to .getssl/forum.-*/ so it doesn’t try to do that ?

expanding the options in the cfg is what started to get me confused.


#15

i need the CA cert too (for Android’s browsers to work properly with my site)


#16

Part of me says the logical thing is to go back to a working version of the getssl.cfg and let’s work forwards from there.

I would store them in .getssl/forum.-*/ (or some other suitable location like /etc/ssl) to maintain https integrity - yes.


#17

that’s exactly what i did ! … and it’s working. don’t worry, i can always copy the files manually if i need to.


#18

For all (including the CA cert) then you should just need to define the location in DOMAIN_PEM_LOCATION="/path/to/you/fullcert.pem"


#19

yeah, i expect that too. here are the lines i just commented out. i might just leave it alone and do the copies manually unless you have any more ideas.

#DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/forum.drugs-and-users.org.crt"
#DOMAIN_KEY_LOCATION="/etc/pki/tls/private/forum.drugs-and-users.org.key"
#CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt"
#DOMAIN_KEY_CERT_LOCATION="/etc/webmin/miniserv.pem"
#DOMAIN_PEM_LOCATION="/etc/pki/tls/certs/ca-bundle.crt"

Note: ca-bundle.crt already existed in the certs directory so maybe i should change its name ?
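The curl error in this thread only appears once getssl has copied the full pem over /etc/pki/tls/certs/ca-bundle.crt, which on CentOS 6 is the system CA trust bundle that curl's NSS build reads, so the likely cause is a broken trust store rather than an old curl. The check below is an added example, not getssl's own code: it flags active *_LOCATION assignments in a getssl.cfg that point at a system trust-store path; the list of trust-store paths, the constructed sample config files and the forum.drugs-and-users.org-fullchain.pem name are my assumptions, modelled on the config quoted in this post.

```shell
# Added check, not part of getssl: flag *_LOCATION targets in a getssl.cfg that would
# overwrite the system CA trust bundle (on CentOS 6 curl's NSS build reads
# /etc/pki/tls/certs/ca-bundle.crt), the likely cause of the "curl needs updating" error.

# Well-known system trust-store bundle paths (RHEL/CentOS, Debian/Ubuntu, OpenSSL default).
SYSTEM_TRUST_PATHS="/etc/pki/tls/certs/ca-bundle.crt
/etc/pki/tls/cert.pem
/etc/ssl/certs/ca-certificates.crt
/etc/ssl/cert.pem"

# check_getssl_cfg FILE: warn on every active (uncommented) *_LOCATION assignment whose
# value is a system trust-store path; returns 0 if none found, 1 otherwise.
check_getssl_cfg() {
    cfg="$1"
    hits=0
    for p in $SYSTEM_TRUST_PATHS; do   # paths contain no spaces, so word splitting is safe
        if grep -Eq "^[[:space:]]*[A-Za-z_]+_LOCATION=[\"']?${p}[\"']?[[:space:]]*\$" "$cfg"; then
            echo "WARNING: $cfg writes to system trust store $p" >&2
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# make_sample_cfg bad|good: write a constructed getssl.cfg fragment modelled on the one
# quoted in the thread and print its path. "bad" keeps the original DOMAIN_PEM_LOCATION,
# "good" uses a site-specific file name so the system bundle is left alone.
make_sample_cfg() {
    out="${TMPDIR:-/tmp}/getssl_sample_$1_$$.cfg"
    case "$1" in
        good) pem="/etc/pki/tls/certs/forum.drugs-and-users.org-fullchain.pem" ;;
        *)    pem="/etc/pki/tls/certs/ca-bundle.crt" ;;
    esac
    cat > "$out" <<EOF
DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/forum.drugs-and-users.org.crt"
DOMAIN_KEY_LOCATION="/etc/pki/tls/private/forum.drugs-and-users.org.key"
CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt"
DOMAIN_KEY_CERT_LOCATION="/etc/webmin/miniserv.pem"
DOMAIN_PEM_LOCATION="$pem"
#DOMAIN_PEM_LOCATION="/etc/ssl/cert.pem"
EOF
    echo "$out"
}

# Stand-alone demo: the layout from the thread is flagged, the corrected one passes.
for kind in bad good; do
    f="$(make_sample_cfg "$kind")"
    if check_getssl_cfg "$f"; then echo "$kind: ok"; else echo "$kind: unsafe"; fi
    rm -f "$f"
done
```

Commented-out assignments such as the ones in this post are ignored, so the check only reports what getssl would actually write.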


#20

Not sure what the “strong text” is on the end there - maybe the forum here
can you edit and quote it in three ` type quotes ?