Having trouble renewing with ZeroSSL - tls handshake error

My domain is: myjapanvideo.webcrossing.com

My web server is (include version): Apache-compatible but not Apache (not a well-known server)

The operating system my web server runs on is (include version): Ubuntu 10.10

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, but it’s part of this unusual server, so not well known.

I used ZeroSSL to create a cert 80 days ago and I need to renew over the next 10 days. I just tried once and was able to do HTTP verification and got the cert, but I apparently installed it incorrectly, so I tried again.

I tried two more times and got new .well-known/acme-challenge files, which I installed and verified access to before going on to the challenge. But when I went on to the challenge I got this message, twice now:

“remote error: tls: handshake failure”

Did I mess something up by incorrectly installing the new cert, so now it can’t handshake to verify the new cert, or something like that?

Help. :unamused:

Thanks,

doug

I fixed it. I needed to

  1. go into the shell,
  2. halt the server,
  3. manually edit the settings file that indicated that the server was secure (it no longer was, since I messed up installing the new cert),
  4. start the server again,
  5. redo everything with ZeroSSL from scratch, this time installing the cert correctly, and
  6. change the server settings to require a secure connection again.

Now it’s back to normal and secure. And I’ve added notes to myself to remind me what to do right in another 90 days.

Whew.

One more thing - if I go to https://www.digicert.com/help/ and check the cert for myjapanvideo.webcrossing.com it all checks out except for the last part where it says:

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.


How important is that? In my attempt above, when I tried splitting the cert and put the first block into one setting and the second block in the “chain certificate” field on my server, I ended up with an invalid cert, everything broke, and I had to start over again.

Thanks,

doug

Hi @douglerner

that's bad.

But in general:

Then you should use your own client, not ZeroSSL. Check if you can use certbot-auto, perhaps with the certonly option, so you can update the certificate automatically and install it manually.

Now your domain check is ready ( https://check-your-website.server-daten.de/?q=myjapanvideo.webcrossing.com ):

Your certificate is good:

CN=myjapanvideo.webcrossing.com
  08.05.2019 - 06.08.2019, expires in 90 days
  myjapanvideo.webcrossing.com - 1 entry

and your connection is secure.

| Domainname | IP | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://myjapanvideo.webcrossing.com/ | 45.79.9.68 | 302 | https://myjapanvideo.webcrossing.com/ | 0.286 | A |
| https://myjapanvideo.webcrossing.com/ | 45.79.9.68 | 200 | | 1.556 | B |

But your chain is incomplete, that may be the problem digicert reports:

Chain - incomplete
  1. CN=myjapanvideo.webcrossing.com

You have to send two certificates, your own and the intermediate certificate.

See my own domain (the main domain of the tool https://check-your-website.server-daten.de/?q=server-daten.de ):

Chain (complete)
  1. CN=*.server-daten.de
  2. CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

That's required.

Where do you include the cert.pem file? Perhaps simply use the fullchain.pem instead; that file contains both certificates.

PS: Running the DigiCert tool: yep, the incomplete chain is the problem.

Your site:

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

Checking www.server-daten.de it shows the chain and the intermediate certificate.
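The check that the online tools are doing on the served chain, as an added example that is not code from this thread or from either tool: it splits a PEM bundle (a fullchain.pem, or "cert" plus "chain cert" pasted one after the other) with only the Python standard library and reports an incomplete chain or a wrong order. The certificate skeletons it builds as input are constructed and unsigned, so it checks the structure the checker complains about, not signatures; "Example Root CA" is a made-up name.

```python
import base64, re
CN_OID = b"\x55\x04\x03"                                   # id-at-commonName
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_children(buf):                                      # TLVs inside a SEQUENCE/SET body -> [(tag, value)]
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:                                       # long-form length: low bits = number of length bytes
            ln, pos = int.from_bytes(buf[pos:pos + (ln & 0x7F)], "big"), pos + (ln & 0x7F)
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def name_cn(name_der):                                      # Name = SEQUENCE OF SET OF {OID, value}
    for _, rdn in der_children(name_der):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == CN_OID:
                return val.decode("utf-8", "replace")
    return "?"

def parse_cert(der):
    (_, tbs), _, _ = der_children(der_children(der)[0][1])  # tbsCertificate, signatureAlgorithm, signature
    f = der_children(tbs)
    if f[0][0] == 0xA0:                                     # optional explicit [0] version
        f = f[1:]
    return {"subject": f[4][1], "issuer": f[2][1]}          # serial, sigalg, issuer, validity, subject, ...

def parse_bundle(pem):                                      # every PEM block in the order it was sent, leaf first
    return [parse_cert(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem)]

def check_chain(pem):                                       # what an online chain checker reports for this bundle
    certs, problems = parse_bundle(pem), []
    if len(certs) < 2:
        problems.append("incomplete: only the leaf is sent, the intermediate is missing")
    for a, b in zip(certs, certs[1:]):                      # a CA copies its subject into the certs it issues
        if a["issuer"] != b["subject"]:
            problems.append(f"order: {name_cn(a['subject'])} is not followed by its issuer {name_cn(a['issuer'])}")
    return problems

def _tlv(tag, body):                                        # DER encoder for the constructed sample (bodies < 256 B)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def fake_cert_pem(subject, issuer):                         # constructed, unsigned certificate skeleton, not a real cert
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + b"\x05\x00")  # sha256WithRSAEncryption
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + alg + name(issuer) + _tlv(0x30, b"") + name(subject))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Run `check_chain` on the text you paste into the cert and chain fields: an empty list means both certificates are there and in the right order, which is what the checkers want to see.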

Thanks for your reply.

Even though I have shell access, the web server itself is very non-standard. Plus the Linux distro is quite old (10.10). I’m working on upgrading that to 16.04 right now, but until that is done certbot-auto won’t work. I tried that in the past.

As far as where the certs are, in my non-standard web server I have a control panel for this. There are three boxes: one for the cert, one for the domain key, and one for the chain cert.

In my first attempt (this discussion opener) I tried splitting the cert (there appeared to be 2) and putting the first one in the cert box and the second one in the chain cert box. But that turned out to be an invalid cert that way and it became a big mess and I had to start from scratch.

I don’t have a cert.pem file. With ZeroSSL I just have the cert that I copied out of the last screen. Maybe if I had downloaded it, it would have been a cert.pem file. I’m not sure.


I tried it again and it worked! Yay!

All I did this time was what I thought I tried the first time, but must have done it in error:

  1. I put the first cert in the cert panel.
  2. I put the 2nd cert in the chain cert panel.
  3. I put the domain key in the panel for that.

And this time it works and digicert reports all is well!

Whew.

Thanks,

doug


Happy to read that it had worked.

Yep, that was my idea. It's a standard problem dealing with certificates. There should be a solution. And now

Chain (complete)
  1. CN=myjapanvideo.webcrossing.com
  2. CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US

your chain is complete.

It's not only a problem of online tests. Some Apple devices don't connect if the intermediate certificate is missing.

PS: There is one problem.

Old connection: SHA1 as Hash Algorithm is deprecated. Switch to SHA256 or SHA384. If your certificate has SHA256, check if there is an old Firewall or something else, that supports only SHA1. Update that component.

Your certificate has a SHA256 hash. But there is an old component in between that doesn't understand SHA256.

Thanks. I’ll check it out. I know we are using the latest OpenSSL with the latest codes, etc. But I’ll check the other parts in between. Thanks.

doug

How can I see that SHA1 message reported?

Thanks,

doug

Checked via https://check-your-website.server-daten.de/?q=myjapanvideo.webcrossing.com

If you can run a shell on the server, wouldn’t acme.sh on it be better than the ZeroSSL web version? It would handle renewal by itself.
