Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
I ran this command:
openssl s_client -connect us-east-va.sip.flowroute.com:443
It produced this output:
3070160912:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
3070160912:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110
My web server is (include version):
None
The operating system my web server runs on is (include version):
Debian 10.12
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
snap -- V1.3?
Trying to use tls and keep getting "certificate expired". Works fine with Telnyx but tls fails with us-east-va.sip.flowroute.com.
I read something about Let's Encrypt making some big changes late last year. Keep getting references to a missing or incorrect root certificate??
I'm seeing two hostnames: which one is the one you want fixed? Because currently both don't work. Your twilight URI doesn't have anything running on port 80 or 443 and your flowroute URI is timing out for me (and for you too it seems..)
Also, both hostnames have valid certificates issued (very) recently.
So I'm not sure how to proceed: both hostnames are unavailable to check and your post doesn't make it very clear what the actual issue is you're having, at least not to me.
I will try to answer your questions intelligently. twilight is correct and there should not be anything running on 80. I tried the openssl command because a Google search said it could be used to check for correct tls operation (?). The server that I am told I should be connecting to is us-east-va.sip.flowroute.com. I get tls correctly on sip.telnyx.com but it dies on us-east-va.sip.flowroute.com. I hope that helps.
I'm not sure what you mean. I think certbot is working. It's only used in short bursts when Certbot runs, correct? As I said, I thought the openssl command would verify if their domain was running (tls) correctly.
Let me start over. I'm trying to establish a tls connection to us-east-va.sip.flowroute.com and get the error "certificate expired" and the connection fails. I get a tls connection to the telnyx server just fine. I keep getting snippets about the change(s) made by Let's Encrypt last year that could be causing the "Expired certificate" error and a representative from Flowroute suggested the same.
But your first post shows a "Connection timed out" error? Also, I can't connect to it either, the host seems to be down. That makes debugging this very difficult if not impossible.
For incompatible devices, there is often a way that the device owner can manually upgrade an individual device to restore compatibility (e.g. by manually adding the ISRG Root X1 certificate to the local trusted certificates list (trust store)).
Flowroute states everything is hunky dory but I think there is an interworking error between OpenSSL 1.1.1n (which I have) and them. I sent a pcap and am waiting for a response. tls is one of the reasons I wanted to use Flowroute.
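Added example (not part of the thread and not Let's Encrypt's or Flowroute's tooling): the thread mixes two different failures, the connect timeout quoted in the first post and the "certificate expired" error reported later. The shell function below sorts saved `openssl s_client` output into those cases; the function names are illustrative and the second sample is constructed.

```shell
#!/bin/sh
# Classify saved `openssl s_client` output read on stdin.
# Prints: transport:<errno> | expired-leaf | expired-chain:<depth> | verify:<num> | ok | unknown
classify_s_client() {
  awk '
    /^connect:errno=/ { split($0, a, "="); terr = a[2] }
    # s_client prints "depth=N <subject>" just before each verify error
    /^depth=/ { d = $1; sub(/^depth=/, "", d); depth = d + 0 }
    /^verify error:num=/ && !seen {
      split($0, a, "[=:]"); vnum = a[3] + 0; vdepth = depth; seen = 1
    }
    /Verify return code: 0 \(ok\)/ { ok = 1 }
    END {
      if (terr != "")                             print "transport:" terr
      else if (seen && vnum == 10 && vdepth == 0) print "expired-leaf"
      else if (seen && vnum == 10)                print "expired-chain:" vdepth
      else if (seen)                              print "verify:" vnum
      else if (ok)                                print "ok"
      else                                        print "unknown"
    }'
}

# Output quoted in the first post: TCP never connected, so no certificate was seen.
sample_timeout() {
  cat <<'EOF'
3070160912:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
3070160912:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110
EOF
}

# Constructed sample (not from the thread): an expired certificate high in the
# chain, which is what a client reports when its trust store lacks ISRG Root X1.
sample_expired_root() {
  cat <<'EOF'
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
depth=0 CN = sip.example.test
    Verify return code: 10 (certificate has expired)
EOF
}

sample_timeout | classify_s_client
sample_expired_root | classify_s_client
```

To classify a live attempt, pipe it in with `openssl s_client -connect host:port </dev/null 2>&1 | classify_s_client`. A `transport:` result means the handshake never started, so that particular output says nothing about the trust store.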