
Posted

Hi,

I have two apps under my account kkaviani in Tommy. I recently got several emails from Heliohost saying that the TLS certificates could not be renewed. So as of today, the certificates have all expired. When I go to renew them by clicking Reissue Certificate, I get this error:

Could not issue an SSL/TLS certificate for qasemghazanfar.com
Details

Could not issue a Let's Encrypt SSL/TLS certificate for qasemghazanfar.com. Authorization for the domain failed.

Details
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz/xxxxx/xxxxx.

Details:

Type: urn:ietf:params:acme:error:connection

Status: 400

Detail: xx.xx.xxx.xx: Fetching https://qasemghazanfar.com/.well-known/acme-challenge/xxxxx: Timeout during connect (likely firewall problem)

Is the Tommy server having firewall problems when obtaining new TLS certificates from this ACME API?

Thanks for your help.

Posted

Could be. I just tried and got the same timeout error even though your site otherwise works fine (ignoring the security warnings). The problem with it being a firewall issue is that LE refuses to publish what IPs their verifications come from. Krydos may have a better idea how to troubleshoot this.

I tried unblocking the IPs that were recently blocked on Tommy in the past 3 days but that didn't help, and I don't know where the firewall logs are...

Posted

It has nothing to do with firewalls. Every time someone reports that installing SSL doesn't work, the first thing to check is if it is redirecting http to https. In order to install SSL, your .well-known directory has to be served over http.

root@control [~]# curl -v http://qasemghazanfar.com/.well-known/acme-challenge/-eAJl4mmY19WxjELqbxnwWHKgYZHHfnygh96F-qfErQ
*   Trying 2001:470:1:1ee::2002:80...
*   Trying 65.19.154.90:80...
* Connected to qasemghazanfar.com (65.19.154.90) port 80 (#0)
> GET /.well-known/acme-challenge/-eAJl4mmY19WxjELqbxnwWHKgYZHHfnygh96F-qfErQ HTTP/1.1
> Host: qasemghazanfar.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Sun, 29 Dec 2024 07:04:23 GMT
< Content-Type: text/html
< Content-Length: 162
< Connection: keep-alive
< Location: https://qasemghazanfar.com/.well-known/acme-challenge/-eAJl4mmY19WxjELqbxnwWHKgYZHHfnygh96F-qfErQ

Since this domain is redirecting to https you can't install SSL. Once the .well-known directory is accessible over http it will work.
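The check Krydos runs with curl above can be scripted so it is repeatable before clicking Reissue Certificate. The following is an added example, not code from the forum post or from HelioHost: it requests the HTTP-01 challenge path over plain HTTP without following redirects (the equivalent of curl without -L) and flags a 301/302 whose Location points at an https:// URL on the challenge path, which is exactly the failure mode in the thread. The sample response embedded in the block is constructed from the headers shown in the curl transcript; the token and the `acme-path-check` User-Agent string are placeholders.

```python
"""Check whether a domain's ACME HTTP-01 challenge path is served over plain HTTP.

Added example (not HelioHost's or Let's Encrypt's code). The CA fetches
http://<domain>/.well-known/acme-challenge/<token>; if the site redirects
that path to https before the certificate exists, validation cannot succeed.
"""
import http.client
import sys
from urllib.parse import urlparse

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_CODES = (301, 302, 303, 307, 308)

# Constructed sample, built from the headers in the curl -v transcript above.
SAMPLE_REDIRECT = """HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Sun, 29 Dec 2024 07:04:23 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://qasemghazanfar.com/.well-known/acme-challenge/PLACEHOLDER-TOKEN
"""


def parse_raw_response(text):
    """Parse a raw HTTP response head (status line + headers) into (status, headers).

    A leading '< ' per line, as printed by curl -v, is tolerated and stripped.
    """
    lines = [ln[2:] if ln.startswith("< ") else ln for ln in text.strip().splitlines()]
    status = int(lines[0].split()[1])          # "HTTP/1.1 301 Moved Permanently" -> 301
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return status, headers


def classify_challenge_response(status, headers):
    """Classify one response to a GET on the challenge path.

    Returns:
      "ok"                 - 200 over http, the path is reachable as the CA needs it
      "not-found"          - 404 over http; the scheme is fine, only the token file is absent
      "redirect-to-https"  - redirected onto https for the challenge path (the misconfiguration)
      "redirect-other"     - some other redirect (e.g. to another host over http)
      "other"              - anything else, worth looking at by hand
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECT_CODES:
        target = urlparse(hdrs.get("location", ""))
        if target.scheme == "https" and target.path.startswith(CHALLENGE_PREFIX):
            return "redirect-to-https"
        return "redirect-other"
    if status == 200:
        return "ok"
    if status == 404:
        return "not-found"
    return "other"


def probe_challenge_path(domain, token="acme-path-check-probe", timeout=10):
    """Issue a single plain-HTTP GET, never following redirects, and classify the reply.

    Returns (classification, status, location-or-None). Network access is needed.
    """
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token,
                     headers={"Host": domain, "User-Agent": "acme-path-check"})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        return classify_challenge_response(resp.status, headers), resp.status, headers.get("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python check_acme_path.py example.com
        print(probe_challenge_path(sys.argv[1]))
    else:
        # Offline demonstration on the constructed sample from the transcript.
        status, headers = parse_raw_response(SAMPLE_REDIRECT)
        print(status, classify_challenge_response(status, headers))
```

A result of "not-found" is not a problem: a 404 over http only means no token file is present, which is expected outside a live validation. "redirect-to-https" is the case to fix, whether the redirect comes from the site's own .htaccess or from a hosting-panel setting such as the one described later in this thread.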

Posted

This should be fixed now. The redirect Krydos describes above was actually enabled in Plesk under the hosting settings, not in your site code. I turned that off for you and it issued a cert for the domain.

Your DNS entries for www and webmail are missing on Cloudflare, so the certs didn't issue for those, but the domain itself should be secured now. If you create the missing records, you can just reissue it to cover the other subdomains.

  • wolstech changed the title to [Solved] Could not issue an SSL/TLS certificate
