I have generated a wildcard SSL certificate for my domain by DNS challenge for the following domain:
*.performoo.com.
Now, I have attached this certificate to a load balancer.
There we are getting an SSL handshake error.
Below is the error detail:
"{"data":{"errorLog":{"errorDetails":"SSL handshake failed for 203.9.78.19","type":"ssl"},"timestamp":"2022-06-20T11:49:16+00:00"},"source":"my-alb","specversion":"1.0","subject":"","time":"2022-06-20T11:49:16.765Z"}"
##################################################################################
sudo certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.performoo.com
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/performoo.com.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.performoo.com
Subscribe to the EFF mailing list (email: infra@techcrumb.com).
Starting new HTTPS connection (1): supporters.eff.org
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/performoo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/performoo.com/privkey.pem
Your certificate will expire on 2022-09-18. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew all of your
certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:
I don't think your problem is related to the DST Root CA X3 in the chain. Errors with that usually say something about the cert but your error is just the SSL handshake. It might be a problem for certain clients too but you have other issues to resolve first.
Look at your SSL Labs report. You are sending 8 certs in your chain. There are a number of other SSL configuration issues to review.
Once you have your SSL configured properly if you still have problems you think are related to the DST cert please give us an example of a client (browser) that is failing. The operating system, version, and which browser is helpful.
I am following the steps below to configure SSL on the load balancer:
The LetsEncrypt process will provide you with four files:
$your_domain-chain.pem
$your_domain-chain-only.pem
$your_domain-crt.pem
$your_domain-key.pem
We will use these files in the process below.
1. Create a new/empty file called lb-crt.pem.
2. Copy the contents of '$your_domain-chain.pem' into lb-crt.pem.
3. Copy the contents of '$your_domain-crt.pem' into lb-crt.pem, but after the last line of step 2 - we are appending the crt information to the chain information.
4. Save lb-crt.pem.
5. Copy lb-crt.pem to a new file called lb-ca.pem.
6. Open the OCI Customer Console to the Load Balancer.
7. Click Certificates, Add Certificate.
8. In the 'Add Certificate' window:
   a) provide a certificate name
   b) SSL Certificate - select 'paste SSL certificate'; copy the contents of lb-crt.pem and paste into this box
   c) Specify CA Certificate - select 'paste CA certificate'; copy the contents of lb-ca.pem and paste into this box
   d) Specify private key - select 'paste private key'; copy the contents of '$your_domain-key.pem' and paste into this box
9. Click Add Certificate.
10. Wait for the work request to finish and apply the new certificate to the listener.
Your LetsEncrypt certificate is now successfully applied to your OCI LBaaS listener.
Here, the SSL certificate and CA certificate files are both the same.
Step #2 and #3 seem to be out-of-order [I'm not 100% certain on this].
Step #8 part B and C are adding the same information twice.
Part B should likely only contain the cert.pem file.
Part C should likely only contain the chain.pem file.
The certs are only one part of SSL configuration.
I do not know your load balancer so cannot advise on that.
But, you are sending out 8 certs when you should be sending 3 (or even 2).
Please see the problems identified by the SSL Labs report.
That said, it looks like iOS9 will not work with Let's Encrypt chains. See here
You could switch to using a different Certificate Authority like ZeroSSL if you need to support very old devices. Maybe another volunteer knows how to make Let's Encrypt compatible, but I don't.
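As an added example (not the thread's own, and not certbot's or OCI's code), here is a shell script that does what the reply above recommends: it separates the leaf certificate from the chain so that the "SSL certificate" box gets only the leaf and the "CA certificate" box only the chain, and it counts what each bundle would send. certbot already writes cert.pem and chain.pem next to fullchain.pem under /etc/letsencrypt/live/<name>/, so the split is only needed when all you have is a combined bundle such as the four-file export the procedure describes. The placeholder certificates, the lb-crt/lb-ca reconstruction and the assumption that '$your_domain-chain.pem' in that procedure was the full chain are mine, not the thread's.

```bash
#!/usr/bin/env bash
# Added example (not from the thread, certbot or OCI): split a certbot
# fullchain.pem into the leaf and the intermediates, and check what a bundle
# would send, before pasting into the load balancer's "SSL certificate"
# (leaf only) and "CA certificate" (chain only) boxes.
set -eu

# count_certs FILE: number of PEM certificate blocks in FILE
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# split_bundle FULLCHAIN LEAF_OUT CHAIN_OUT
# certbot writes fullchain.pem as the leaf first, then the intermediates, so
# block 1 is the server certificate and blocks 2..n are the CA chain.
split_bundle() {
  : > "$2"
  : > "$3"
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > leaf; next }
    n >= 2 { print > chain }
  ' "$1"
}

# duplicate_count FILE...: number of distinct certificates that occur more
# than once across FILE... ; pasting the same bundle into both console boxes
# makes every certificate appear twice.
duplicate_count() {
  cat "$@" | awk '
    /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
    /-----END CERTIFICATE-----/   { seen[body]++; inside = 0; next }
    inside                        { body = body $0 }
    END { d = 0; for (k in seen) if (seen[k] > 1) d++; print d }
  '
}

# verify_leaf LEAF CHAIN: confirm LEAF chains through CHAIN to a root in the
# local trust store (needs openssl; not run on the placeholder data below).
verify_leaf() {
  openssl verify -untrusted "$2" "$1"
}

# served_chain_length HOST: number of certificates the live listener sends;
# reply 2 expects 3 (or 2) for Let's Encrypt, SSL Labs saw 8 here.
served_chain_length() {
  openssl s_client -showcerts -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# fake_cert BODY: constructed placeholder PEM block; BODY is not a real
# certificate, so only the text-level checks run on it.
fake_cert() {
  printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

work=$(mktemp -d)
# Constructed sample standing in for leaf + R3 + ISRG Root X1 (3 blocks)
{ fake_cert LEAF-PLACEHOLDER; fake_cert R3-PLACEHOLDER; fake_cert ISRG-ROOT-X1-PLACEHOLDER; } > "$work/fullchain.pem"
split_bundle "$work/fullchain.pem" "$work/cert.pem" "$work/chain.pem"
echo "cert.pem:  $(count_certs "$work/cert.pem") certificate   (SSL certificate box)"
echo "chain.pem: $(count_certs "$work/chain.pem") certificates (CA certificate box)"

# What the procedure above builds: chain + crt in lb-crt.pem, copied to
# lb-ca.pem. Assuming the guide's $your_domain-chain.pem is the full chain,
# the two boxes carry 4 + 4 certificates and every one of them is duplicated.
cat "$work/fullchain.pem" "$work/cert.pem" > "$work/lb-crt.pem"
cp "$work/lb-crt.pem" "$work/lb-ca.pem"
echo "lb-crt.pem + lb-ca.pem: $(count_certs "$work/lb-crt.pem") + $(count_certs "$work/lb-ca.pem") certificates, $(duplicate_count "$work/lb-crt.pem" "$work/lb-ca.pem") duplicated"
rm -rf "$work"
```

On a real system: split_bundle fullchain.pem cert.pem chain.pem (or just use certbot's own cert.pem and chain.pem), run verify_leaf cert.pem chain.pem, paste cert.pem into the SSL certificate box, chain.pem into the CA certificate box and privkey.pem into the private key box, then compare served_chain_length <host> with the 2 or 3 the reply expects.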
I am getting this as of now
There are some WEAK warnings as well.
Can you please suggest which cipher suites we need to use for TLS 1.2?
Also, do I need to add support for TLS 1.0 and 1.1 as well on the load balancer?
Is there any more detail than that? Have you tried asking your ALB vendor? This isn't directly related to Let's Encrypt certs. Your ALB vendor or a forum for that might have more experts to help for this error.
Handshakes can fail if clients (especially bad crawler bots) do poor things. What shows up in your log if you try these curl requests?
curl -I --tls-max 1.2 https://trac-b0.performoo.com
HTTP/1.1 404 Not Found
Date: Mon, 20 Jun 2022 19:06:27 GMT
Content-Length: 0
Connection: keep-alive
curl -I --tls-max 1.1 https://trac-b0.performoo.com
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to trac-b0.performoo.com:443
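The curl test above, repeated for every TLS version in one loop so a listener's accepted and rejected versions can be read off directly (added example, not from the thread or from curl). The fake_curl stub is constructed: its TLS 1.2 and 1.1 rows reproduce what the thread observed (a 404 over 1.2, a reset with curl exit 35 over 1.1), while its TLS 1.0 and 1.3 rows are assumptions for illustration and were not observed on the thread's host.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: run the curl check from reply 3 for
# every TLS version. A rejected version shows up as curl exit 35
# (CURLE_SSL_CONNECT_ERROR), the "Connection reset by peer" result above.
set -eu

# verdict RC: one word for a curl exit status
verdict() {
  case "$1" in
    0)  echo accepted ;;
    35) echo handshake-failed ;;
    *)  echo "error($1)" ;;
  esac
}

# probe_tls HOST [CURL]: one line per TLS version, pinning both the minimum
# and maximum version so each attempt can only negotiate that one version.
# CURL defaults to curl and can be replaced by a stub for offline use.
probe_tls() {
  host=$1
  curl_cmd=${2:-curl}
  for v in 1.0 1.1 1.2 1.3; do
    rc=0
    "$curl_cmd" -sS -I -o /dev/null --max-time 10 "--tlsv$v" --tls-max "$v" \
      "https://$host/" 2>/dev/null || rc=$?
    echo "TLS$v $(verdict "$rc")"
  done
}

# accepted_versions HOST [CURL]: space-separated versions the listener accepted
accepted_versions() {
  probe_tls "$1" "${2:-curl}" | awk '
    $2 == "accepted" { v = $1; sub(/^TLS/, "", v); out = out " " v }
    END { sub(/^ /, "", out); print out }
  '
}

# fake_curl: constructed stand-in for curl. TLS 1.2 accepted and TLS 1.1
# reset (exit 35) are the thread's observations; the 1.0 and 1.3 results
# are assumed for illustration.
fake_curl() {
  max=""
  while [ $# -gt 0 ]; do
    if [ "$1" = "--tls-max" ]; then max=$2; shift; fi
    shift
  done
  case "$max" in
    1.2|1.3) return 0 ;;
    *)       return 35 ;;
  esac
}

echo "offline demo against the stub (not a live connection):"
probe_tls trac-b0.performoo.com fake_curl
echo "accepted: $(accepted_versions trac-b0.performoo.com fake_curl)"
```

Against a live host, call probe_tls trac-b0.performoo.com with no second argument. Two caveats: current OpenSSL builds (3.x at the default security level) refuse TLS 1.0 and 1.1 on the client side, so a handshake-failed row for those can come from curl's own library rather than from the listener, and curl -v shows which side gave up; and TLS 1.0 and 1.1 are deprecated by RFC 8996, so a listener that resets them, as this one does for 1.1, is the expected state rather than something to fix.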