@Phil first, thanks for confirming this was unintended, and getting back to me! Unfortunately, it does not work:
_acme@fish:/home/acme $ curl https://acme-v02.api.letsencrypt.org/directory
curl: (35) error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
35|_acme@fish:/home/acme $ curl https://acme-staging-v02.api.letsencrypt.org/directory
curl: (35) error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
(First one is to still check the other one.)
Maybe you can make something out of this:
$ openssl s_client -CApath /etc/ssl/certs -connect acme-staging-v02.api.letsencrypt.org:443 -debug
CONNECTED(00000004)
write to A1129EC0 [AA4CE000] (70 bytes => 70 (0x46))
0000 - 16 03 01 00 41 01 00 00-3d 03 01 61 24 1a b6 a7 ....A...=..a$...
0010 - 76 0f 92 8b 53 8c b4 cb-2d c1 bb 47 d2 eb 57 02 v...S...-..G..W.
0020 - b7 0d 30 42 58 0b e0 27-32 d7 bc 00 00 16 00 39 ..0BX..'2......9
0030 - 00 38 00 33 00 32 00 16-00 13 00 35 00 2f 00 0a .8.3.2.....5./..
0040 - 00 05 00 04 01 .....
0046 - <SPACES/NULS>
read from A1129EC0 [AA4D3000] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02 .....
read from A1129EC0 [AA4D3005] (2 bytes => 2 (0x2))
0000 - 02 46 .F
29476:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:/usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1027:SSL alert number 70
29476:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:490:
If it’s Debian, I have this…
tg@caas:~ $ tail -3 /etc/ssl/openssl.cnf
[system_default_sect]
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=1
… but as far as I remember, this would also work with the default seclevel of 2 (since I have longer DH parameters and/or this affects only the other side of the traffic), as long as the MinProtocol
is lowered from TLSv1.2
to TLSv1.0
.
@ski192man as far as I understand, LE requests are additionally signed/encrypted using per-user keys, so there should really be no concerns for traffic to the CA itself.
I’ve considered the proxy setup, and it indeed does seem to be the easiest one, but I had hoped to be able to avoid this until I can get another SSL library ported and working well and fitting the quality standards.
@petercooperjr I have a certificate with…
Not Before: Aug 15 07:15:58 2021 GMT
… so at least then. My cronjob is weekly and only alerted me the night I wrote this request.