SSL Handshake Failed

Hi Guys,

I have generated a wildcard SSL certificate for my domain via a DNS challenge, for the following domain:
*.performoo.com.

Now, I have attached this certificate to a load balancer.
There we are getting an SSL handshake error.
Below is the error detail:
"{"data":{"errorLog":{"errorDetails":"SSL handshake failed for 203.9.78.19","type":"ssl"},"timestamp":"2022-06-20T11:49:16+00:00"},"source":"my-alb","specversion":"1.0","subject":"","time":"2022-06-20T11:49:16.765Z"}"

I would like to ask how to solve this problem.

1 Like

Hi @manmohan, and welcome to the LE community forum :slight_smile:

Try adding the FQDN "performoo.com" to the wildcard cert.

3 Likes

Hi,

If I want to use a subdomain like trac-n0.performoo.com, then
will that certificate work for it or not?

Yes, it will work for such subdomains (only).

note:
*** 8.8.8.8 can't find trac-n0.performoo.com: Non-existent domain

3 Likes

Hi
I just re-ran the certbot command:

sudo certbot certonly --manual

##################################################################################
sudo certbot certonly --manual
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel): *.performoo.com
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/performoo.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for *.performoo.com
Subscribe to the EFF mailing list (email: infra@techcrumb.com).
Starting new HTTPS connection (1): supporters.eff.org

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/performoo.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/performoo.com/privkey.pem
    Your certificate will expire on 2022-09-18. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again. To non-interactively renew all of your
    certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation
###############################################################################
Is this correct now?

You don't need to renew a perfectly good cert.
That won't affect the problem you are having.

You asked how to solve the problem...
But you haven't given enough information for anyone to understand, nor troubleshoot, the problem.

4 Likes

Hi,

I apologize for that.
I want to ask whether I need to regenerate the certificate after deletion, or whether the existing certificate would work.

Because, I am facing SSL handshake error on some devices mentioned in the link below:

I am not facing this issue on every device.

Also I mistyped the domain.
The correct subdomain is: trac-b0.performoo.com

1 Like

I don't think your problem is related to the DST Root CA X3 in the chain. Errors with that usually say something about the cert but your error is just the SSL handshake. It might be a problem for certain clients too but you have other issues to resolve first.

Look at your SSL Labs report. You are sending 8 certs in your chain. There are a number of other SSL configuration issues to review.

It looks like you configured your server's SSL yourself. You may want to review Mozilla's SSL Configuration Generator for its suggestions on good SSL configurations.

Once you have your SSL configured properly if you still have problems you think are related to the DST cert please give us an example of a client (browser) that is failing. The operating system, version, and which browser is helpful.

4 Likes

Example:
iPhone 6S OS 9.

I am following the steps below to configure SSL on the load balancer:

The LetsEncrypt process will provide you with four files:

  1. $your_domain-chain.pem
  2. $your_domain-chain-only.pem
  3. $your_domain-crt.pem
  4. $your_domain-key.pem

We will use these files in the process below.

  1. create a new/empty file called lb-crt.pem
  2. copy the contents of '$your_domain-chain.pem' into lb-crt.pem
  3. copy the contents of '$your_domain-crt.pem' into lb-crt.pem but after the last line of step 2 - we are appending the crt information to the chain information.
  4. save lb-crt.pem
  5. copy lb-crt.pem to a new file called lb-ca.pem
  6. open the OCI Customer Console to the LoadBalancer
  7. click certificates, add certificate
  8. in the 'Add Certificate' window
     a) provide certificate name
     b) SSL Certificate - select 'paste SSL certificate'
        • copy the contents of lb-crt.pem and paste into this box
     c) Specify CA Certificate - select 'paste ca certificate'
        • copy the contents of lb-ca.pem and paste into this box
     d) Specify private key - select 'paste private key'
        • copy the contents of '$your_domain-key.pem' and paste into this box
  9. click add certificate
  10. wait for work request to finish and apply new certificate to listener.

Your LetsEncrypt certificate is now successfully applied to your OCI LBaaS listener.

Here, the SSL certificate and CA certificate files are both the same.

Is this correct, or does it need some modification?

Step #2 and #3 seem to be out-of-order [I'm not 100% certain on this].
Step #8 part B and C are adding the same information twice.
Part B should likely only contain the cert.pem file.
Part C should likely only contain the chain.pem file.

3 Likes
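The reply above says the "SSL certificate" box should get only the leaf certificate and the "CA certificate" box only the chain. As an added example (it is not from the thread, from the OCI documentation or from certbot), the POSIX shell script below assembles those two files plus the key from a certbot live directory and checks them with openssl before anything is pasted into a console: exactly one certificate in the leaf file, a private key that matches it, and a presented bundle (leaf followed by chain) with no duplicated certificates in which each certificate's issuer is the subject of the next one. It assumes certbot's documented layout (cert.pem, chain.pem, fullchain.pem, privkey.pem under /etc/letsencrypt/live/<name>/); the output file names and the lint rules are this example's own choices.

```shell
#!/bin/sh
# Build the three inputs an OCI-style load balancer asks for (SSL certificate,
# CA certificate, private key) from a certbot live directory and sanity-check
# them with openssl before pasting anything into the console.
# Assumed layout (certbot's default): cert.pem, chain.pem, fullchain.pem and
# privkey.pem under /etc/letsencrypt/live/<name>/. Output names are this
# example's own choice.
set -eu

# Number of PEM certificates in a file.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Split a PEM bundle ($1) into numbered single-certificate files in $2.
split_bundle() {
    awk -v dir="$2" '
        /BEGIN CERTIFICATE/ { n++; out = sprintf("%s/%03d.pem", dir, n); inside = 1 }
        inside              { print > out }
        /END CERTIFICATE/   { inside = 0; close(out) }
    ' "$1"
}

# Lint the bundle a listener will send: report duplicated certificates and
# require each certificate's issuer to be the subject of the one after it
# (leaf, then intermediate(s), optionally a root). Non-zero on any finding.
lint_bundle() {
    work=$(mktemp -d)
    split_bundle "$1" "$work"
    status=0; seen=""; prev_issuer=""; prev_subject=""
    for f in "$work"/*.pem; do
        fp=$(openssl x509 -in "$f" -noout -fingerprint -sha256 | cut -d= -f2)
        subject=$(openssl x509 -in "$f" -noout -subject); subject=${subject#subject=}
        issuer=$(openssl x509 -in "$f" -noout -issuer);   issuer=${issuer#issuer=}
        case " $seen " in
            *" $fp "*) echo "duplicate certificate: $subject"; status=1 ;;
        esac
        seen="$seen $fp"
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "chain break: '$prev_subject' was issued by '$prev_issuer' but is followed by '$subject'"
            status=1
        fi
        prev_issuer=$issuer; prev_subject=$subject
    done
    rm -rf "$work"
    return $status
}

# True when the private key ($2) belongs to the certificate ($1): compare
# SHA-256 digests of the DER-encoded public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Assemble the console inputs from a certbot live directory ($1) into $2:
# lb-crt.pem holds only the leaf, lb-ca.pem only the chain, lb-key.pem the key.
assemble_lb_inputs() {
    live=$1; out=$2
    mkdir -p "$out"
    cp "$live/cert.pem"    "$out/lb-crt.pem"
    cp "$live/chain.pem"   "$out/lb-ca.pem"
    cp "$live/privkey.pem" "$out/lb-key.pem"
    chmod 600 "$out/lb-key.pem"
    [ "$(count_certs "$out/lb-crt.pem")" -eq 1 ] \
        || { echo "lb-crt.pem must contain exactly one certificate"; return 1; }
    key_matches_cert "$out/lb-crt.pem" "$out/lb-key.pem" \
        || { echo "lb-key.pem does not match lb-crt.pem"; return 1; }
    # What the listener will present is the leaf followed by the chain; lint that.
    cat "$out/lb-crt.pem" "$out/lb-ca.pem" > "$out/presented-chain.pem"
    lint_bundle "$out/presented-chain.pem"
    echo "ok: lb-crt.pem=1 cert, lb-ca.pem=$(count_certs "$out/lb-ca.pem") certs, key matches"
}

if [ $# -eq 2 ]; then
    assemble_lb_inputs "$1" "$2"
fi
```

Run it as `sh lb-inputs.sh /etc/letsencrypt/live/performoo.com ./lb`, then paste lb-crt.pem into the SSL certificate box, lb-ca.pem into the CA certificate box and lb-key.pem into the private key box. After the listener is updated, count what it actually sends with `openssl s_client -connect trac-b0.performoo.com:443 -servername trac-b0.performoo.com -showcerts </dev/null | grep -c 'BEGIN CERTIFICATE'`; for a Let's Encrypt chain that should print 2 or 3, not 8.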

The certs are only one part of SSL configuration.
I do not know your load balancer so cannot advise on that.
But, you are sending out 8 certs when you should be sending 3 (or even 2).
Please see the problems identified by SSL Labs report

That said, it looks like iOS9 will not work with Let's Encrypt chains. See here

You could switch to using a different Certificate Authority like ZeroSSL if you need to support very old devices. Maybe another volunteer knows how to make Let's Encrypt compatible, but I don't.

4 Likes

Hi

We have done the changes as suggested.
Now, we are sending 3 certificates:
https://www.ssllabs.com/ssltest/analyze.html?d=trac-b0.performoo.com&hideResults=on

1 Like

Do you really need RC4?

4 Likes

I have disabled it, right now.
Please check now

You can check it at SSLLabs

4 Likes

I am getting this as of now
There are some WEAK warnings as well.
Can you please suggest what cipher suites we need to use for TLS 1.2?
Also, do I need to add support for TLS 1.0 and 1.1 as well on the load balancer?

1 Like

Try: https://ssl-config.mozilla.org/

I wouldn't think so; those protocols are no longer deemed secure.

Anywho...
Back to your original problem - check to see if that continues.

3 Likes

Hi,

Yes, I am getting the same errors but in smaller numbers now, nearly 50 errors/minute.
Previously, it was >80 errors/minute.

1 Like

Is there any more detail than that? Have you tried asking your ALB vendor? This isn't directly related to Let's Encrypt certs. Your ALB vendor or a forum for that might have more experts to help for this error.

Handshakes can fail if clients (especially bad crawler bots) do poor things. What shows up in your log if you try these curl requests?

curl -I --tls-max 1.2 https://trac-b0.performoo.com
HTTP/1.1 404 Not Found
Date: Mon, 20 Jun 2022 19:06:27 GMT
Content-Length: 0
Connection: keep-alive

curl -I --tls-max 1.1 https://trac-b0.performoo.com
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to trac-b0.performoo.com:443

4 Likes
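
The error event quoted in the first post is a JSON object with the client address embedded in errorDetails. Before going to the load-balancer vendor it is worth knowing whether the 50 failures a minute come from a handful of addresses (a scanner or crawler that keeps reconnecting, as the reply above suggests) or from many (real clients that cannot negotiate). The following is an added example, not from the thread: POSIX shell functions that count handshake failures per client address and per minute over an exported log, plus a curl loop that probes which TLS versions a listener accepts, in the spirit of the two curl commands above. It assumes the export holds one JSON event per line in the shape of the quoted event (the field names errorDetails and timestamp come from that line); the log lines used in the checks are constructed, with documentation addresses.

```shell
#!/bin/sh
# Triage of load-balancer SSL error events. Assumption: the export holds one
# JSON event per line shaped like the event quoted in the thread, i.e.
#   {"data":{"errorLog":{"errorDetails":"SSL handshake failed for <ip>","type":"ssl"},
#    "timestamp":"2022-06-20T11:49:16+00:00"}, ...}
set -eu

# Handshake failures per client address, busiest first: "<ip> <count>".
handshake_failures_by_ip() {
    grep -o 'SSL handshake failed for [0-9A-Fa-f.:]*' "$1" \
        | awk '{ print $NF }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'
}

# Handshake failures per minute, in time order: "<YYYY-MM-DDTHH:MM> <count>".
# The timestamp value starts at column 14 of the matched "timestamp":"..." text.
handshake_failures_per_minute() {
    grep 'SSL handshake failed' "$1" \
        | grep -o '"timestamp":"[^"]*"' \
        | cut -c14-29 \
        | sort | uniq -c \
        | awk '{ print $2, $1 }'
}

# Percentage of all failures caused by the single busiest address. A high
# value points at one misbehaving client; a low value spread over many
# addresses points at a protocol or chain problem that affects real users.
top_talker_share() {
    handshake_failures_by_ip "$1" \
        | awk 'NR == 1 { top = $2 } { total += $2 }
               END { if (total) printf "%d\n", 100 * top / total; else print 0 }'
}

# Probe which TLS versions a listener accepts, one version per connection.
# Needs network access, so it is not exercised by the offline checks.
probe_tls_versions() {
    for v in 1.0 1.1 1.2 1.3; do
        if curl -sS -o /dev/null "--tlsv$v" --tls-max "$v" "https://$1/" 2>/dev/null; then
            echo "TLS $v: accepted"
        else
            echo "TLS $v: refused"
        fi
    done
}

if [ $# -ge 1 ]; then
    echo "failures by client address:"; handshake_failures_by_ip "$1"
    echo "failures per minute:";        handshake_failures_per_minute "$1"
    echo "top talker share: $(top_talker_share "$1")%"
fi
```

Run it as `sh triage.sh alb-errors.jsonl`; if one or two addresses account for most of the failures, their traffic is what to look at (and probably to block or ignore), and `probe_tls_versions trac-b0.performoo.com` confirms that the listener still refuses TLS 1.0 and 1.1 after the cipher changes.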