[BlueOnyx:23702] Re: certificate issues 5209R letsencrypt

Larry Smith lesmith at ecsis.net
Mon Mar 2 12:09:29 -05 2020


On Mon March 2 2020 10:58, Michael Stauber wrote:
> Hi Larry,
>
> > Have a 5209R running letsencrypt and started
> > getting calls that certificate is failing.  Checked
> > and cert was just renewed (28 Feb 2020) but
> > when I go to ssllabs and digicert both fail the
> > certificate for incomplete certificate chain.
> >
> > Any ideas? This is the certificate for the box itself.
> > Certificates for sites on the box (also letsencrypt)
> > are passing fine.
>
> I had something similar recently: The last email from the cronjob said
> that the certificate had been renewed successfully, GUI said the cert
> was valid for plenty of time, but the browser complained that the cert
> was expired.
>
> I restarted AdmServ and the problem went away. So I presume the last
> renewal didn't restart AdmServ automatically and it was still running
> with the previous certificate that since long had been successfully
> renewed.
>
> Try to restart AdmServ and see if that fixes it for you. If not: Request
> a new LE cert via the GUI.

Michael,

  Thanks, have restarted admserv multiple times but did so again (same issue).
Just now went to GUI and had letsencrypt do a new cert (new date May 31, 2020)
and noticed this in the adm_error log:

<quote>
[Mon Mar 02 11:00:52.647751 2020] [mpm_prefork:notice] [pid 9103] AH00171: Graceful restart requested, doing restart
[Mon Mar 02 11:00:52.701666 2020] [ssl:error] [pid 9103] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=server.name.tld / issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US / serial: 0366429D750203BF003271A38409CF74187F / notbefore: Mar  2 16:05:17 2020 GMT / notafter: May 31 16:05:17 2020 GMT]
[Mon Mar 02 11:00:52.701681 2020] [ssl:error] [pid 9103] AH02235: Unable to configure server certificate for stapling
[Mon Mar 02 11:00:52.701862 2020] [mpm_prefork:notice] [pid 9103] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_perl/2.0.9-dev Perl/v5.16.3 configured -- resuming normal operations
</quote>
(changed server name above)

and still get same fail from ssllabs (did not recheck digicert).

-- 
Larry Smith
lesmith at ecsis.net
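The AH02217 error above means mod_ssl could not find the issuer of the server certificate among the configured certificates, which is the same condition the external scanners report as an incomplete chain. The script below is an added example (not code from the thread or from BlueOnyx) that checks a PEM bundle for exactly that: it generates a constructed root/intermediate/leaf chain with openssl, then reports whether a bundle contains the leaf's issuer. The certificate names are placeholders.

```bash
#!/usr/bin/env bash
# Added example: does a PEM bundle carry the issuer of its leaf certificate?
# A bundle without it yields Apache's AH02217 "can't retrieve issuer
# certificate" and an "incomplete certificate chain" verdict from scanners.
set -eu

# Print "complete" if the first (leaf) certificate's issuer appears as the
# subject of another certificate in the bundle, otherwise "incomplete".
chain_status() {
    local bundle="$1" dump leaf_issuer
    # Wrapping the bundle in a PKCS#7 structure makes openssl print the
    # subject/issuer of every certificate, not just the first one.
    dump=$(openssl crl2pkcs7 -nocrl -certfile "$bundle" \
           | openssl pkcs7 -print_certs -noout)
    # The first issuer= line belongs to the leaf.
    leaf_issuer=$(printf '%s\n' "$dump" | awk '/^issuer=/ {sub(/^issuer=/, ""); print; exit}')
    if printf '%s\n' "$dump" | sed -n 's/^subject=//p' | grep -qxF -- "$leaf_issuer"; then
        echo complete
    else
        echo incomplete
    fi
}

# Build a constructed root -> intermediate -> leaf chain in directory $1 and
# write leaf_only.pem (broken bundle) and full.pem (leaf plus its issuer).
make_test_certs() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -out "$d/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.name.tld" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
    cp "$d/leaf.pem" "$d/leaf_only.pem"
    cat "$d/leaf.pem" "$d/int.pem" > "$d/full.pem"
}

# Stand-alone demo (run with --demo): prints "incomplete" then "complete".
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_test_certs "$work"
    chain_status "$work/leaf_only.pem"
    chain_status "$work/full.pem"
    rm -rf "$work"
fi
```

To inspect a live server instead of a file, save the output of `openssl s_client -connect host:443 -showcerts </dev/null` and pass that file to `chain_status`; the PEM reader skips the surrounding handshake text.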


