Unable to renew cert - remote error: tls: handshake failure

Please fill out the fields below so we can help you better.

My domain is: RSAONLY.wetrag.net

I ran this command: le64.exe --key private.key --csr temp.csr --csr-key private.key --crt public.key --domains "RSAONLY.wetrag.net" --path "\acme-challenge" --generate-missing --unlink --live --renew 40

It produced this output:
2017/08/06 23:38:07 [ ZeroSSL Crypt::LE client v0.23 started. ]
2017/08/06 23:38:07 Loading an account key from private.key
2017/08/06 23:38:07 Generating a new CSR for domains RSAONLY.wetrag.net
2017/08/06 23:38:07 New CSR will be based on 'private.key' key
2017/08/06 23:38:08 Saving a new CSR into temp.csr
2017/08/06 23:38:08 Checking certificate for expiration (local file).
2017/08/06 23:38:08 Expiration threshold set at 40 days, the certificate expires in 33 days - will be renewing.
2017/08/06 23:38:09 Registering the account key
2017/08/06 23:38:09 The key is already registered. ID: 16838976
2017/08/06 23:38:09 Successfully saved a challenge file '\acme-challenge/TlwIlOftxXqpuJaH3DjVqYatiQ2Ko43IFhegjcfrfhE' for domain 'rsaonly.wetrag.net'
2017/08/06 23:38:12 Domain verification results for 'rsaonly.wetrag.net': error. Fetching https://rsaonly.wetrag.net/.well-known/acme-challenge/TlwIlOftxXqpuJaH3DjVqYatiQ2Ko43IFhegjcfrfhE: remote error: tls: handshake failure
2017/08/06 23:38:12 Challenge file '\acme-challenge/TlwIlOftxXqpuJaH3DjVqYatiQ2Ko43IFhegjcfrfhE' has been deleted.
2017/08/06 23:38:12 All verifications failed

My web server is (include version): Apache 2.4.23
The operating system my web server runs on is (include version): Windows 2012
I can log in to a root shell on my machine (yes or no, or I don't know): Yes

As seen in SSL Labs, the site supports:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 4096 bits FS 256


…and to add insult to injury, it now returns:
2017/08/07 00:25:36 All domains failed
rsaonly.wetrag.net: Error creating new authz :: Too many invalid authorizations recently.


I’m not in front of a computer, but two ideas:

  • test against staging for a higher rate limit
  • check the golang tls library cipher suites for overlap with your narrow cipher list

It would appear that ciphers 0x006b and 0x009f are not supported:
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f
TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035
TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c
TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c
TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a
TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca8
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 uint16 = 0xcca9

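The overlap check suggested two replies up, and the Go suite listing just above, as an added example in Go (not code from the thread or from Crypt::LE): instead of reading crypto/tls source, it asks the toolchain's own tables (tls.CipherSuites and tls.InsecureCipherSuites, Go 1.14 or later) whether any suite a server offers can be negotiated, using the two DHE suites from the SSL Labs report as constructed input. DHE suites are absent from both tables, so the result is empty, which is exactly the "handshake failure" a Go-based validator reports.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
)

// Constructed sample input: the two cipher suites SSL Labs reported for the
// server in this thread (ids copied from that report, not from a live scan).
var serverSuites = map[uint16]string{
	0x009f: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
	0x006b: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
}

// goSupported returns every suite id this Go toolchain's crypto/tls implements.
// Suites Go marks insecure (RC4, 3DES) are included on purpose: the question
// is whether a handshake is possible at all, not whether it is a good one.
func goSupported() map[uint16]string {
	m := make(map[uint16]string)
	for _, cs := range tls.CipherSuites() {
		m[cs.ID] = cs.Name
	}
	for _, cs := range tls.InsecureCipherSuites() {
		m[cs.ID] = cs.Name
	}
	return m
}

// Overlap returns, in ascending id order, the offered suites that a Go TLS
// client could negotiate. An empty result predicts "remote error: tls:
// handshake failure" from any validator built on crypto/tls.
func Overlap(offered map[uint16]string) []uint16 {
	supported := goSupported()
	var out []uint16
	for id := range offered {
		if _, ok := supported[id]; ok {
			out = append(out, id)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

func main() {
	common := Overlap(serverSuites)
	if len(common) == 0 {
		fmt.Println("no suite in common with crypto/tls: a Go client cannot complete the handshake")
	}
	for _, id := range common {
		fmt.Printf("negotiable: 0x%04x %s\n", id, serverSuites[id])
	}
}
```

Adding an ECDHE suite to the constructed map (for example 0xc030, the one the poster later enabled) makes Overlap return that id, mirroring the renewal succeeding after the cipher change.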

Reluctantly, I temporarily added ciphers:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH sect571r1 (eq. 15360 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH sect571r1 (eq. 15360 bits RSA) FS 256
and was then able to renew the cert.

I can’t see how ciphers
TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005
TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a
are supported but not ciphers
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 4096 bits FS 256

