Problem with https:// on a Let's Encrypt SSL certificate


#1

Hello world. I use shared hosting from megahost.kz with 4 domains: the 1st without https, the 2nd with https from Comodo, the 3rd from cPanel Inc. (Comodo), the 4th from Let's Encrypt. 1, 2 and 3 work quickly and perfectly, but the 4th, it turned out, opens slowly.
PS: forgive me, this is Russian in transliteration.


#2

Hi @ivgenij,

Did you use some kind of software application to obtain the certificates yourself? Or did the hosting provider obtain them for you using its own Let’s Encrypt tool, for example inside a control panel?

If you obtained the certificates yourself, we may be able to help you if you can tell us what software you used, how you used it, and what kind of error messages you received.

If the hosting company obtained the certificates, you’ll probably need to ask them for assistance.


#3

I used zerossl.com to get the SSL certificate.


#4

Hi,

Unfortunately, I didn’t understand the translation of the part of your message where you described what went wrong with the fourth attempt.

Could you try to describe it differently, or maybe try using a different machine translation program? Google Translate has gotten very good for many pairs of languages.

Do you have any error messages that you saw as a result of what you were trying to do?


#5

@ivgenij, try ZeroSSL contact form - it might be easier to decipher your message then :slight_smile:

I would imagine that it is either server misconfiguration (for example trying to use account key as a domain key) or mixed content on the site. Please note that ZeroSSL Certificate Wizard is available in Russian (in addition to English, German, French, Spanish and Italian) - switching to it might make the process easier for you if you are having troubles getting the certificate.


#6

What is the name of your site?


#7

https://cplaza.kz/: on this domain the SSL certificate is from Let's Encrypt, obtained online at zerossl.com.
When you try to open https://cplaza.kz/ it opens slowly, load ~20.90 s.
When I try to open http://cplaza.kz/ it opens quickly, load ~803 ms.
Also, sometimes when you try to open https://cplaza.kz/ the browser does not open it at all (time out).
https://pultmarket.kz/: on this domain the SSL certificate is from cPanel Inc. (Comodo).
When you try to open http://pultmarket.kz/ it opens quickly, load ~1.15 s.

Both sites are on the same hosting and IP.

Tested with Chrome Version 56.0.2924.87 (64-bit) and Firefox 52.0 (32-bit).


#8

Thanks for the extra info. This is a very interesting problem. I see the same result: The HTTPS version of your site loads very slowly for me with Chrome, Firefox, and curl. However, connecting directly with OpenSSL, and even requesting a page, is very fast:

echo -e "GET / HTTP/1.1\nHost:cplaza.kz\n\n" | openssl s_client -connect cplaza.kz:443 -showcerts -servername cplaza.kz

Does anyone else have any ideas what could cause this behavior? I tried curl --no-alpn, which is also very slow.


#9

Whatever it is, it appears to add exactly 20 seconds to the SSL handshake. This does sound like some kind of timeout Apache is running into internally. There's a good chance that whatever it is, there's a message about it in your Apache error log. If there isn't, setting LogLevel debug might yield more results.

(Side note: I noticed your ISP is "JSC KazTransCom". They were in the news about a year ago because of plans to man-in-the-middle all connections using a root certificate that they wanted all users to install manually. I thought this might be related to whatever they're using to intercept TLS connections, but a quick search on Censys for others on that network using Let's Encrypt shows that they don't seem to suffer from this problem, so it's probably not related, unless it's something specific about your site or certificate that's causing it.)


#10

This is indeed interesting. For example, the Qualys test indicates a lot of "Protocol or cipher suite mismatch" issues, while the Comodo test receives a certificate for email.almadata.kz instead, it seems. Additionally, Firefox fails with SEC_ERROR_OCSP_TRY_SERVER_LATER, as does openssl s_client when used with -status, so you might try this (with some more details here). It does look like a misconfiguration so far.

There's one more theory about slow handshakes too, though: as far as I remember, Kazakhstan was planning to introduce HTTPS traffic interception, and I wonder whether that might explain slow handshakes. P.S. Apparently while I was writing this @pfg already checked Censys, so it might not be the case here, though still something to keep in mind, I guess :slight_smile:


#11

Hi @ivgenij,

I can see you are using Apache.

Have a look at this article for Apache.

Can you paste your Apache configs here?

I would also try a (free) certificate from another provider and see if you get the same issue.

If you get the same issue, then you can definitely narrow it down to the web server config.

Andrei


#12

https://pultmarket.kz vs https://cplaza.kz: one CMS, one virtual host, one IP. Tomorrow, if the host provides such information.


#13

Hi @ivgenij,

Check your Apache host configurations.

I can see you are hosting both services on the same IP, so the logical conclusion is that the difference is in the host configurations.

The certificate seems to be valid; however, your OCSP configuration seems to be off.

https://wiki.apache.org/httpd/OCSPStapling

https://loopbyte.com/blog/post/how-to-resolve-apache-ssl-website-error-secerrorocsptryserverlater

If you compare your two sites with SSL Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=pultmarket.kz&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=cplaza.kz&hideResults=on

The other thing that you may want to look at is that you are sending a certificate for non-SNI queries which doesn't match.

It may be a good idea to fix it, as others have had trouble with Google treating that behavior as a self-signed certificate.
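Posts #8, #10 and #13 converge on OCSP stapling: the plain openssl handshake is fast, but browsers and `openssl s_client -status` (which asks the server to staple an OCSP response) are slow and Firefox reports SEC_ERROR_OCSP_TRY_SERVER_LATER. That pattern is consistent with Apache mod_ssl's stapling behaviour: with SSLUseStapling on and a cold stapling cache, mod_ssl fetches the OCSP response from the CA's responder during the handshake, waits up to SSLStaplingResponderTimeout (default 10 s), and, with the defaults SSLStaplingReturnResponderErrors on and SSLStaplingFakeTryLater on, staples a synthetic OCSP "tryLater" error when that fetch fails, which is exactly what the client then complains about. The script below is an added example, not code from the thread; it times a status-requesting handshake and classifies what was stapled. The host names are the thread's, the sample outputs are constructed (abridged to the lines the classifier inspects), and it assumes only the `openssl` CLI and a POSIX shell.

```shell
#!/bin/sh
# Added example: probe OCSP stapling and handshake time with `openssl s_client -status`.
# Assumes the openssl CLI is installed; sample outputs below are constructed, not captured.

# Classify `openssl s_client -status` output. Prints one of:
#   no-staple        server sent no stapled OCSP response
#   stapled-good     stapled response present, certificate status good
#   stapled-revoked  stapled response present, certificate status revoked
#   stapled-trylater stapled response is an OCSP "tryLater" error
#                    (Firefox shows this as SEC_ERROR_OCSP_TRY_SERVER_LATER)
#   stapled-other    something else was stapled (unauthorized, malformed, ...)
classify_ocsp() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^OCSP response: no response sent'; then
        echo no-staple
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        if printf '%s\n' "$out" | grep -q 'Cert Status: good'; then
            echo stapled-good
        elif printf '%s\n' "$out" | grep -q 'Cert Status: revoked'; then
            echo stapled-revoked
        else
            echo stapled-other
        fi
    elif printf '%s\n' "$out" | grep -q 'OCSP Response Status: trylater'; then
        echo stapled-trylater
    else
        echo stapled-other
    fi
}

# Time a handshake that requests a stapled OCSP response. Whole seconds are
# enough to see the thread's ~20 s delay, and `date +%s` stays POSIX.
probe_tls() {
    host="$1"; port="${2:-443}"
    start=$(date +%s)
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -status </dev/null 2>&1)
    end=$(date +%s)
    printf '%s:%s  ocsp=%s  handshake=%ss\n' \
        "$host" "$port" "$(classify_ocsp "$out")" "$((end - start))"
}

# Constructed sample outputs, abridged to the lines classify_ocsp looks at.
SAMPLE_NO_STAPLE='CONNECTED(00000003)
OCSP response: no response sent
---
Certificate chain
 0 s:/CN=cplaza.kz'

SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---'

SAMPLE_TRYLATER='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: trylater (0x3)
======================================
---'

# Usage: sh ocsp-probe.sh cplaza.kz pultmarket.kz
if [ "$#" -gt 0 ]; then
    for h in "$@"; do probe_tls "$h"; done
fi
```

Run it against both of the thread's hosts and compare: a fast handshake with `stapled-good` on the Comodo site next to a ~20 s handshake with `stapled-trylater` (or `no-staple` once the error is cached) on the Let's Encrypt site points at the server failing to reach the Let's Encrypt OCSP responder, not at the certificate. On the Apache side the usual mitigations are `SSLStaplingReturnResponderErrors off` (so a failed fetch sends nothing and clients fall back to their own OCSP lookup) and a short `SSLStaplingResponderTimeout`; on shared hosting where the config cannot be changed (post #14), that is a question for the host.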


#14

The hosting provider says that Apache is configured with defaults and there will not be any changes to it.
I installed a trial SSL certificate from Comodo; cplaza.kz now loads in ~2 s.


#15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.