Sectigo SSL cert not installing

Discussion in 'Installation/Configuration' started by Devin McManus, Nov 16, 2021.

  1. Devin McManus

    Devin McManus New Member

    Code:
    lsb_release -a
    No LSB modules are available.
    Distributor ID: Debian
    Description:    Debian GNU/Linux 9.13 (stretch)
    Release:        9.13
    Codename:       stretch
    
    Code:
    php -v
    PHP 7.0.33-0+deb9u10 (cli) (built: Oct  6 2020 17:08:28) ( NTS )
    Copyright (c) 1997-2017 The PHP Group
    Zend Engine v3.0.0, Copyright (c) 1998-2017 Zend Technologies
        with Zend OPcache v7.0.33-0+deb9u10, Copyright (c) 1999-2017, by Zend Technologies
    
    Hi there,
    I have a site with a Sectigo SSL cert that's due to expire in about a week. A new replacement cert has been purchased and I've copied/pasted the certificate and bundle into the SSL tab of the website. The job queue seems to be finishing but when I check the site it redirects to HTTP and says the site isn't secure. Can you please help?

    Regards,
    Devin
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please go to the SSL tab of that site, select 'save certificate' in the action field, then press save again. and check that the 'SSL' checkbox on the first tab is active.
     
  3. Devin McManus

    Devin McManus New Member

    Hi Till,
    I've done that but it's still not working. Can you please advise?

    Regards,
    Devin
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Is the SSL checkbox for the site checked? Try unchecking it, save, then check again and save. The behavior you describe is strange though, a site with a broken ssl certificate either loads the wrong site or the correct site with errors, it should not redirect from broken https to http, so you may have something else going on. If this is an apache server, whate does apachectl -S output, and what is the site in question?
     
    Last edited: Nov 16, 2021
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Does this site run a cms, e.g. WordPress or similar? If yes, are all URL's in the CMS are set to https:// ? If you use Wordpress and it contains http:// URLs in its config, then the cms will redirect from https to http on its own.
     
  7. Devin McManus

    Devin McManus New Member

    Hi there,
    I thought I posted this earlier, but I guess not. It turns out that the private key and cert didn't match. I had the CA reissue, and Till's initial instructions did the trick. That said, I'm trying to install a Let's Encrypt cert on the same server, but a different domain and it just keeps hanging. Any idea what's up with that?

    Regards,
    Devin
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  9. Devin McManus

    Devin McManus New Member

    Thanks Taleman. I went through the steps and verified everything. It still isn't working so I enabled Let's Encrypt for the web and run the server.sh script manually. Here's the output...

    Code:
    [email protected]:~# /usr/local/ispconfig/server/server.sh
    23.11.2021-18:41 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    23.11.2021-18:41 - DEBUG - Found 1 changes, starting update process.
    23.11.2021-18:41 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    23.11.2021-18:41 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    23.11.2021-18:41 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web14' - return code: 0
    23.11.2021-18:41 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web14' - return code: 0
    23.11.2021-18:41 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web14'|awk 'END{print $2,$NF}' - return code: 0
    23.11.2021-18:41 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    23.11.2021-18:41 - DEBUG - safe_exec cmd: setquota -u 'web14' '0' '0' 0 0 -a &> /dev/null - return code: 0
    23.11.2021-18:41 - DEBUG - safe_exec cmd: setquota -T -u 'web14' 604800 604800 -a &> /dev/null - return code: 0
    23.11.2021-18:41 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web14' - return code: 0
    23.11.2021-18:41 - DEBUG - Create Let's Encrypt SSL Cert for: xxxx.com
    23.11.2021-18:41 - DEBUG - Let's Encrypt SSL Cert domains:
    23.11.2021-18:41 - DEBUG - exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains xxxx.com --domains www.xxxx.com --webroot-path /usr/local/ispconfig/interface/acme
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    An unexpected error occurred:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
        cnx.do_handshake()
      File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
        self._raise_ssl_error(self._ssl, result)
      File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
        _raise_current_error()
      File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
        raise exception_type(errors)
    OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
        chunked=chunked)
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
        self._validate_conn(conn)
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
        conn.connect()
      File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 323, in connect
        ssl_context=context)
      File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 324, in ssl_wrap_socket
        return context.wrap_socket(sock, server_hostname=server_hostname)
      File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
        raise ssl.SSLError('bad handshake: %r' % e)
    ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
        timeout=timeout
      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
        raise SSLError(e)
    requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
    
    During handling of the above exception, another exception occurred:
    
    requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
    Please see the logfiles in /var/log/letsencrypt for more details.
    23.11.2021-18:41 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    23.11.2021-18:41 - WARNING - Let's Encrypt SSL Cert for: xxxx.com could not be issued.
    23.11.2021-18:41 - WARNING - /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains xxxx.com --domains www.xxxx.com --webroot-path /usr/local/ispconfig/interface/acme
    23.11.2021-18:41 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    23.11.2021-18:41 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/xxxx.com.vhost
    23.11.2021-18:41 - DEBUG - Apache status is: running
    23.11.2021-18:41 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    23.11.2021-18:41 - DEBUG - Restarting httpd: systemctl restart apache2.service
    23.11.2021-18:41 - DEBUG - Apache restart return value is: 0
    23.11.2021-18:41 - DEBUG - Apache online status after restart is: running
    23.11.2021-18:41 - DEBUG - Processed datalog_id 205
    23.11.2021-18:41 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
    Does anything look out of sorts here?
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Did you do this:
    Doubly check the xxxx.com domain shown in the log messages.
     
  11. Devin McManus

    Devin McManus New Member

    Hi Taleman,
    I double-checked and the domain seems to be working with all subdomains.

    Regards,
    Devin
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

     
  13. Devin McManus

    Devin McManus New Member

    Could this have something to do with the fact that I have a Sectigo SSL cert installed on the same IP address that I'm trying to install a Let's Encrypt cert?
     

Share This Page