I ran this command: le64.exe --key private.key --csr temp.csr --csr-key private.key --crt public.key --domains "RSAONLY.wetrag.net" --path "\acme-challenge" --generate-missing --unlink --live --renew 40
It produced this output:
2017/08/06 23:38:07 [ ZeroSSL Crypt::LE client v0.23 started. ]
2017/08/06 23:38:07 Loading an account key from private.key
2017/08/06 23:38:07 Generating a new CSR for domains RSAONLY.wetrag.net
2017/08/06 23:38:07 New CSR will be based on 'private.key' key
2017/08/06 23:38:08 Saving a new CSR into temp.csr
2017/08/06 23:38:08 Checking certificate for expiration (local file).
2017/08/06 23:38:08 Expiration threshold set at 40 days, the certificate expires in 33 days - will be renewing.
2017/08/06 23:38:09 Registering the account key
2017/08/06 23:38:09 The key is already registered. ID: 16838976
2017/08/06 23:38:09 Successfully saved a challenge file '\acme-challenge/TlwIlOftxXqpuJaH3DjVqYatiQ2Ko43IFhegjcfrfhE' for domain 'rsaonly.wetrag.net'
2017/08/06 23:38:12 Domain verification results for 'rsaonly.wetrag.net': error. Fetching https://rsaonly.wetrag.net/.well-known/acme-challenge/TlwIlOftxXqpuJaH3DjVqYatiQ2Ko43IFhegjcfrfhE: remote error: tls: handshake failure
2017/08/06 23:38:12 Challenge file '\acme-challenge/TlwIlOftxXqpuJaH3DjVqYatiQ2Ko43IFhegjcfrfhE' has been deleted.
2017/08/06 23:38:12 All verifications failed
My web server is (include version): Apache 2.4.23
The operating system my web server runs on is (include version): Windows 2012
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
As seen in SSL Labs, the site supports:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 4096 bits FS 256
…and to add insult to injury, it now returns:
2017/08/07 00:25:36 All domains failed rsaonly.wetrag.net: Error creating new authz :: Too many invalid authorizations recently.
Reluctantly I temporarily added ciphers:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH sect571r1 (eq. 15360 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH sect571r1 (eq. 15360 bits RSA) FS 256
and was then able to renew the cert.
I can’t see how ciphers
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
are supported but not ciphers
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 4096 bits FS 256
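
An added example, not part of the original post: the constants quoted at the end of the post are in the form used by Go's crypto/tls, so this sketch assumes the validating client is a Go crypto/tls client. It captures that library's ClientHello over an in-memory pipe with every implemented suite enabled and lists what is actually offered; the function name and the ServerName value are made up for the example, and the result reflects the installed Go toolchain, not the 2017 validator.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"io"
	"net"
)

// offeredSuites records the ClientHello of a Go crypto/tls client that has
// every suite the library implements enabled, and returns the offered IDs.
func offeredSuites() (map[uint16]bool, error) {
	var all []uint16
	for _, s := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		all = append(all, s.ID)
	}
	cli, srv := net.Pipe() // in-memory connection, no network needed
	defer srv.Close()
	go func() {
		cfg := &tls.Config{ServerName: "example.invalid", CipherSuites: all, MaxVersion: tls.VersionTLS12}
		tls.Client(cli, cfg).Handshake() // returns an error once srv is closed
	}()
	hdr := make([]byte, 5) // TLS record header: type, version, length
	if _, err := io.ReadFull(srv, hdr); err != nil {
		return nil, err
	}
	b := make([]byte, binary.BigEndian.Uint16(hdr[3:]))
	if _, err := io.ReadFull(srv, b); err != nil {
		return nil, err
	}
	// Handshake header (4) + client version (2) + random (32) = 38 bytes,
	// then a length-prefixed session ID, then the cipher suite list.
	if len(b) < 39 || b[0] != 1 || len(b) < 41+int(b[38]) {
		return nil, fmt.Errorf("record is not a ClientHello")
	}
	p := 39 + int(b[38])
	end := p + 2 + int(binary.BigEndian.Uint16(b[p:]))
	offered := map[uint16]bool{}
	for i := p + 2; i+1 < end && i+1 < len(b); i += 2 {
		offered[binary.BigEndian.Uint16(b[i:])] = true
	}
	return offered, nil
}

func main() {
	offered, err := offeredSuites()
	fmt.Println("DHE 0x9f:", offered[0x009f], "ECDHE 0xc030:", offered[0xc030], "RC4 0x0005:", offered[0x0005], err)
}
```

Go's crypto/tls implements no finite-field DHE key exchange, so 0x9f and 0x6b never appear in its ClientHello, while the static-RSA RC4 and 3DES suites can be offered when enabled; a server that accepts only the two DHE suites has nothing in common with such a client.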