Problem with certificate

Hello!
On a test server with the domain dualbit.de I requested a new cert and made it available with the Apache server.
Now I have the problem that Firefox says it is not entirely trusted and the connection is not trusted.
Validated from: unknown

Cron executes 0 */2 * * * /usr/bin/certbot renew > /dev/null 2>&1

2020-08-22 22:00:04,485:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-22 22:00:04,536:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7fdc4e8e0320> and installer <certbot._internal.cli.cli_utils._Default object at 0x7fdc4e8e0320>
2020-08-22 22:00:04,689:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/archive/smtp.dualbit.de/cert1.pem
2020-08-22 22:00:04,689:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/smtp.dualbit.de/chain1.pem -cert /etc/letsencrypt/archive/smtp.dualbit.de/cert1.pem -CAfile /etc/letsencrypt/archive/smtp.dualbit.de/chain1.pem -verify_other /etc/letsencrypt/archive/smtp.dualbit.de/chain1.pem -trust_other -timeout 10 -header Host=ocsp.int-x3.letsencrypt.org -url http://ocsp.int-x3.letsencrypt.org
2020-08-22 22:00:14,709:DEBUG:certbot.ocsp:Error while running openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/smtp.dualbit.de/chain1.pem -cert /etc/letsencrypt/archive/smtp.dualbit.de/cert1.pem -CAfile /etc/letsencrypt/archive/smtp.dualbit.de/chain1.pem -verify_other /etc/letsencrypt/archive/smtp.dualbit.de/chain1.pem -trust_other -timeout 10 -header Host=ocsp.int-x3.letsencrypt.org -url http://ocsp.int-x3.letsencrypt.org.

Timeout on connect
Error querying OCSP responder

2020-08-22 22:00:14,710:INFO:certbot.ocsp:OCSP check failed for /etc/letsencrypt/archive/smtp.dualbit.de/cert1.pem (are we offline?)
2020-08-22 22:00:14,744:INFO:certbot._internal.renewal:Cert not yet due for renewal
2020-08-22 22:00:14,746:DEBUG:certbot._internal.plugins.selection:Requested authenticator standalone and installer None
2020-08-22 22:00:14,746:DEBUG:certbot._internal.renewal:no renewal failures

I don’t know what’s wrong.

Andreas

1 Like

Hi @porrier

That's only mixed content, see https://check-your-website.server-daten.de/?q=dualbit.de

Your certificate

CN=smtp.dualbit.de | 15.07.2020 | 13.10.2020 | expires in 52 days | dualbit.de, smtp.dualbit.de, www.dualbit.de - 3 entries

is valid, but

  • your IPv6 doesn't work, there is a timeout
  • and you have mixed content:
http://www.centos.org/favicon.ico

The link shortcut icon has an http link, change that to https.

3 Likes
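
The mixed-content finding in the reply above, as an added example that is not part of the original thread: a small Python scanner that lists `http://` subresources in a page served over HTTPS and keeps them apart from ordinary `<a href>` links, which are not mixed content. The sample page is constructed; only the favicon URL comes from the thread, and the other hosts are placeholders.

```python
from html.parser import HTMLParser

# tag -> (URL attribute, class). <a href> is navigation, so it is deliberately absent.
RESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "embed": ("src", "active"), "object": ("data", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}
LINK_REL = {"stylesheet": "active", "icon": "passive"}  # <link>: rel decides the class


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (class, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        if tag == "link":
            # rel="shortcut icon" is a space-separated token list
            kinds = {LINK_REL[r] for r in a.get("rel", "").lower().split() if r in LINK_REL}
            if not kinds:
                return
            attr, kind = "href", ("active" if "active" in kinds else "passive")
        elif tag in RESOURCES:
            attr, kind = RESOURCES[tag]
        else:
            return
        url = a.get(attr, "")
        # Protocol-relative ("//host/x") and https:// URLs inherit or keep TLS.
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))


def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page; the favicon line mirrors the finding in the thread.
SAMPLE_PAGE = """
<link rel="shortcut icon" href="http://www.centos.org/favicon.ico">
<link rel="stylesheet" href="https://static.example/site.css">
<script src="http://static.example/app.js"></script>
<a href="http://www.centos.org/">CentOS</a>
<img src="//img.example/logo.png">
"""
if __name__ == "__main__":
    print(*find_mixed_content(SAMPLE_PAGE), sep="\n")
```

Entries classed as active (scripts, stylesheets, frames) are the ones to fix first; passive ones such as the favicon are what degrade the padlock without breaking the page.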

I agree there is a problem with your IPv6 address:
https://www.ssllabs.com/ssltest/analyze.html?d=dualbit.de&s=2a02%3A248%3A2%3A40be%3A5054%3Aff%3Afe81%3A379

curl -6Iki [2a02:248:2:40be:5054:ff:fe81:379]:443
curl: (7) Failed to connect to 2a02:248:2:40be:5054:ff:fe81:379 port 443: No route to host
1 Like

Thank you! Now I know how to go on.

1 Like

OK, I’ll check this with the hoster.

1 Like
