Let's Encrypt issue + ioncube


So after the Let's Encrypt issue (certificates expired) I'm having issues with creating a proper certificate. I tried reissuing a new Let's Encrypt certificate, I even paid for the PositiveSSL, but I still can't get it to work.

Here is my problem

  1. I have PHP applications encoded with Ioncube on many different servers.

  2. I use the external key method on Ioncube to encode my PHP Apps

  3. Since the 30th of Sept I am getting the following error
    AH01071: Got error 'PHP message: PHP Warning: main(): SSL operation failed with code 1. OpenSSL Error messages:\nerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in on line 0PHP message: PHP Warning: main(): Failed to enable crypto in on line 0PHP message: PHP Fatal error:
    The file /var/www/vhosts/example.com/httpdocs/index.php could not be decoded as an encoding key was not found. in Unknown on line 0'

  4. This is because the runtime path to the encoding key is on https:// example2.com/folder/file.jpg and it is not accessible, although from the browser it is accessible

  5. I could not even make a GET request through Postman because I was getting an error "certificate expired". However, after the latest update it works on Postman.

2 days passed and I still can't get the SSL to work properly on the example2.com domain where I have the encoding keys. Which makes all of the apps not work.

Is there any workaround to this? I tried many SSL tests and they seem fine, but the Ioncube loader still cannot read the encoding key because of the SSL certificate.

I'm sorry, but I don't really follow: if even your PositiveSSL certificate didn't work, how come this is a Let's Encrypt issue?

I am not quite sure if PositiveSSL worked or not yet, because I only tried it for 5 minutes and switched back to Let's Encrypt.

But PositiveSSL might also be using the same protocols/technologies as Let's Encrypt and the issue is wider than it seems.

It seems like curl GET requests on the domain that are done on PHP level are not able to identify/trust the SSL certificate since 30th of Sept (when it expired).

Highly unlikely...
But if you can share the public cert obtained from Positive SSL we may be able to confirm/deny this.
OR maybe better: the entire public chain they provided you with.


A few of my websites that were on different servers were able to run just fine with Let's Encrypt before applying the PositiveSSL certificate (although they were down for a few hours). After applying the PositiveSSL they give a 500 with the following error:
SSL operation failed with code 1. OpenSSL Error messages:\nerror:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version in on line

That is why I switched back to Let's Encrypt (to make at least a few of the websites work), but after switching again to Let's Encrypt they still don't work.

When I open a Let's Encrypt secured website like the Plesk panel of any Plesk installation in my browser and check the certificate chain, I can see that the valid, new root certificate is used for validation.

I think the only issue that could possibly be left is when a server system acts as a "browser", e.g. when a file_get_contents() PHP function tries to open a https:// URL and the server does not have the ISRG Root X1 root certificate installed or has the DST Root CA X3 installed, because in that case CentOS 7.x will for example prefer that over the ISRG Root X1 and fail SSL connections.

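The trust-store condition described in the reply above (ISRG Root X1 missing, or the expired DST Root CA X3 still present on the machine making the HTTPS request), as an added example that is not part of the original thread. It audits a CA list in the shape Python's `ssl.SSLContext.get_ca_certs()` returns; the two sample stores and the function names are constructed for illustration.

```python
import ssl
import time

ISRG_ROOT = "ISRG Root X1"
DST_ROOT = "DST Root CA X3"

# Constructed samples in the shape ssl.SSLContext.get_ca_certs() returns:
# an un-updated store (DST root only) and an updated one (ISRG root only).
SAMPLE_OLD_STORE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", DST_ROOT),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
]
SAMPLE_NEW_STORE = [
    {"subject": ((("organizationName", "Internet Security Research Group"),),
                 (("commonName", ISRG_ROOT),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]
SAMPLE_NOW = ssl.cert_time_to_seconds("Oct  2 00:00:00 2021 GMT")


def common_name(cert):
    """Return the subject commonName of a get_ca_certs()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_roots(ca_certs, now=None):
    """Report whether ISRG Root X1 is trusted and which roots have expired."""
    now = time.time() if now is None else now
    expired = []
    has_isrg = False
    for cert in ca_certs:
        name = common_name(cert)
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(name)
        elif name == ISRG_ROOT:
            has_isrg = True
    return {"has_isrg_root_x1": has_isrg,
            "expired_dst_root_x3": DST_ROOT in expired,
            "expired": expired}


if __name__ == "__main__":
    # Certificates in a hashed CA directory are loaded lazily and may not
    # be listed here; a single bundle file (as on CentOS) is listed in full.
    print(audit_roots(ssl.create_default_context().get_ca_certs()))
```

Run on the server that fetches the key (not the one serving it), a result with `has_isrg_root_x1` false or `expired_dst_root_x3` true points to the client-side CA bundle rather than the certificate installed on the web server.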

Have you tried using the alternate trust path chain available on LE certs?
[as the default one does not seem to work well for your use case]


Not sure how to do that, I use Let's Encrypt through the Plesk panel.


Plesk may not yet support the use of the alternate path from their menu.
[I would expect they are working on an update for that as we speak]
If you have sufficient admin rights on the box, you may be able to locate the cert files used and manually alter them.


When I try to do the wget command on the licensing server I get the following:

https:// example2.com/folder/file.jpg
Resolving example2.com (example2.com)... 92.xxx.xx.xxx
Connecting to example2.com (example2.com)|92.xxx.xx.xxx|:443... connected.
OpenSSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
Unable to establish SSL connection.

Yes, I have root access, is there any guide/tutorial to do that?


No; Guides are generally made for people who aren't familiar with what they are doing.
Going under the hood and making manual changes isn't for "people who aren't familiar...".

Would you like to "go under the hood and make manual changes"?
