All my certificates are set to expire in a couple of weeks. (example: https://www.waukon.lib.ia.us/ ) I went to renew today, as I have in the past, and now the site I tried to do it on is revoked, and I cannot see why, what changed, or what I should do next.
Reason: Error in cURL request: Peer’s Certificate issuer is not recognized.
My web server is (include version): Server version: Apache/2.4.6 (CentOS)
The operating system my web server runs on is (include version): CentOS 7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, though I’d do it a different way if that works. This is a concrete5 site using an ACME plugin. Worked great till today (or this week? Been using it for about 6 months).
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0
This sounds a lot to me like concrete5 is doing a kind of "preflight" request, before sending the request to Let's Encrypt:
Let's Encrypt doesn't use curl to check the challenge response URL
Let's Encrypt doesn't care about certificate validation errors on challenge response URLs
To resolve this, I think concrete5 should be providing a way to disable the preflight request, since it's falsely stopping you from acquiring your certificate.
Otherwise, you might investigate adjusting your Apache configuration, so that it doesn't generate the HTTP-to-HTTPS redirect for the /.well-known/acme-challenge/ path:
```text
$ curl -X GET -IL http://jerry.anytown.lib.ia.us/.well-known/acme-challenge/testPhysical_37390100s1580502777_1199252925.
HTTP/1.1 302 Found
Date: Fri, 31 Jan 2020 20:47:33 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.24
Location: https://jerry.anytown.lib.ia.us/.well-known/acme-challenge/testPhysical_37390100s1580502777_1199252925.
Content-Length: 287
Content-Type: text/html; charset=iso-8859-1
```
If you can share the rewrite rules that generate this redirect, I could suggest a way to alter it.
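For reference, here is what such an exemption looks like. This is an added example, not configuration from the thread or from the concrete5 plugin; the hostname is the one from the curl output above and the DocumentRoot path is an assumption. It assumes mod_rewrite is loaded (it is on a stock CentOS 7 httpd) and that the existing HTTP-to-HTTPS redirect is done with a RewriteRule in the port-80 vhost.

```apache
# Added example, not from the original post. An HTTP vhost that sends every
# request to HTTPS EXCEPT the ACME challenge path, which is served as plain
# files over port 80. Hostname taken from the curl output; paths are assumed.
<VirtualHost *:80>
    ServerName jerry.anytown.lib.ia.us
    DocumentRoot /var/www/jerry            # assumed path

    # Challenge responses are plain text tokens; serve them directly,
    # with no PHP handler and no application front controller involved.
    <Directory "/var/www/jerry/.well-known/acme-challenge">
        Require all granted
        Options -Indexes
    </Directory>

    RewriteEngine On
    # The exception: do not redirect anything under the ACME challenge path.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Everything else goes to HTTPS (permanent redirect, stop processing).
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

The same two-line RewriteCond/RewriteRule pair works in a .htaccess file if the redirect lives there instead (concrete5's own .htaccess rewrites would need the RewriteCond placed before its redirect rule, not before the front-controller rule). After changing it, run `apachectl configtest` and reload httpd, then repeat the curl from above: a request for a nonexistent token under /.well-known/acme-challenge/ over plain http:// should now return a 404 from Apache rather than a 302 to https://, and a real token file placed in that directory should come back as 200 with its contents.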
I guess that is part of my question… all I did was run the renewal tool and it apparently revoked the certificate without issuing a new one? It was running fine before that… as are the other 30 or so sites on that server. I get that error now when I try to add a new domain to the server, which literally worked yesterday on a different domain… before I tried to renew the one today. But I have run it on 5 URLs now (that are not important) and they are all “revoked” now. I am using this tool…
Is it fair to assume something changed and it’s the tool’s fault? I guess I can try and find a command line way to make/renew the certs. The tool was just so handy before this though. Thought I’d see if anyone had seen that before.
The reason it stopped working is probably because you stopped having a valid certificate on the target domain. You probably had a valid certificate up to that point - or at least, no HTTP to HTTPS redirect.
But I believe the underlying cause of the failure is still the same - the tool is unhelpfully trying to validate certificates during its preflight. If it did no preflight at all, you’d have no problem.
Looking at the source code and this screenshot, you should be able to set “Check the configuration when saving” to “No”. This should disable the preflight and fix your problems.
You were spot on… that is exactly what I needed. It told me that it was issuing the cert, but obviously it wasn’t. I took out the Apache redirects, reran it, and then put them back in; works as expected.