Peer's Certificate issuer is not recognized

All my certificates are set to expire in a couple of weeks. (example https://www.waukon.lib.ia.us/ ) I went to renew today, as I have in the past, and now the site I tried to do it on is revoked and I cannot see why, what changed or what I should do next.

My domain is: https://c5.anytown.lib.ia.us/

I ran this command: Using a concrete5 product, force renewal

It produced this output:
The web server did not respond correctly at the following URL(s):
http://jerry.anytown.lib.ia.us/.well-known/acme-challenge/testPhysical_37390100s1580502777_1199252925.

Reason: Error in cURL request: Peer’s Certificate issuer is not recognized.

My web server is (include version): Server version: Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, though I’d do it a different way if that works. This is a concrete5 site using an ACME plugin. Worked great till today (or this week? Been using it for about 6 months)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

1 Like

This sounds a lot to me like concrete5 is doing a kind of "preflight" request, before sending the request to Let's Encrypt:

  • Let's Encrypt doesn't use curl to check the challenge response URL
  • Let's Encrypt doesn't care about certificate validation errors on challenge response URLs

To resolve this, I think concrete5 should be providing a way to disable the preflight request, since it's falsely stopping you from acquiring your certificate.

Otherwise, you might investigate adjusting your Apache configuration, so that it doesn't generate the HTTP-to-HTTPS redirect for the /.well-known/acme-challenge/ path:

$ curl -X GET -IL  http://jerry.anytown.lib.ia.us/.well-known/acme-challenge/testPhysical_37390100s1580502777_1199252925.
HTTP/1.1 302 Found
Date: Fri, 31 Jan 2020 20:47:33 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.24
Location: https://jerry.anytown.lib.ia.us/.well-known/acme-challenge/testPhysical_37390100s1580502777_1199252925.
Content-Length: 287
Content-Type: text/html; charset=iso-8859-1

If you can share the rewrite rules that generate this redirect, I could suggest a way to alter it.

1 Like
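The kind of Apache adjustment suggested above, written out as an added example (not from the original thread or the concrete5 add-on): the HTTP virtual host keeps its site-wide redirect to HTTPS but exempts the ACME HTTP-01 path, so a plain-HTTP request for `/.well-known/acme-challenge/` is answered directly instead of being bounced to a host whose certificate the plugin's curl preflight cannot validate. The `ServerName` is the hostname from the thread; the `DocumentRoot` and the use of `mod_rewrite` are assumptions.

```apache
# Added example: plain-HTTP vhost that serves ACME challenges locally
# and redirects everything else to HTTPS.
<VirtualHost *:80>
    ServerName jerry.anytown.lib.ia.us
    DocumentRoot /var/www/html          # assumed path

    # Challenge files are written here by the ACME client; allow them to
    # be read over plain HTTP (HTTP-01 validation always arrives on port 80).
    <Directory "/var/www/html/.well-known/acme-challenge">
        Require all granted
        Options -Indexes
    </Directory>

    RewriteEngine On
    # Do NOT redirect the ACME challenge path: a 302 to https:// would make
    # a certificate-validating pre-check (like the plugin's curl call) fail
    # whenever the existing certificate is expired, revoked or self-signed.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After reloading Apache, `curl -IL http://jerry.anytown.lib.ia.us/.well-known/acme-challenge/test` should return a 404 (no such token) directly on port 80 rather than a `Location: https://...` redirect; the same `RewriteCond` exemption goes in front of any `RewriteRule` in an `.htaccess` file or in the control panel's own redirect settings if the redirect lives there instead of in the vhost.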

Hi @jbalmer

I don't know if that error message is correct. Checking that URL there is a redirect http -> https.

But the certificate is revoked - https://check-your-website.server-daten.de/?q=c5.anytown.lib.ia.us

Perhaps create a self signed certificate or remove the redirect http -> https.

Or if there is a pre-check: Disable that pre-check.

1 Like

I guess that is part of my question… all I did was run the renewal tool and it apparently revoked the certificate without issuing a new one? It was running fine before that… as are the other 30 or so sites on that server. I get that error now when I try to add a new domain to the server, which literally worked yesterday on a different domain… before I tried to renew the one today. But I have run it on 5 URLs now (that are not important) and they are all “revoked” now. I am using this tool…

https://www.concrete5.org/marketplace/addons/acme

Is it fair to assume something changed and it’s the tool’s fault? I guess I can try and find a command line way to make/renew the certs. The tool was just so handy before this though. Thought I’d see if anyone had seen that before.

1 Like

The reason it stopped working is probably because you stopped having a valid certificate on the target domain. You probably had a valid certificate up to that point - or at least, no HTTP to HTTPS redirect.

But I believe the underlying cause of the failure is still the same - the tool is unhelpfully trying to validate certificates during its preflight. If it did no preflight at all, you’d have no problem.

Looking at the source code and this screenshot, you should be able to set “Check the configuration when saving” to “No”. This should disable the preflight and fix your problems.

1 Like

You were spot on… that is exactly what I needed. It told me that it was issuing the cert, but obviously it wasn’t. I took out the Apache redirects, reran it and then put them back in; works as expected.

Thank you all!

Jerry

1 Like

For anyone interested: here’s the followup of this issue.

2 Likes
