do-know / Crypt-LE

Crypt::LE - Let's Encrypt / Buypass / ZeroSSL and other ACME-servers client and library in Perl for obtaining free SSL certificates (inc. generating RSA/ECC keys and CSRs). HTTP/DNS verification is supported out of the box, EAB (External Account Binding) supported, easily extended with plugins, easily dockerized.
https://Do-Know.com
Artistic License 2.0

Failed to renew certificate #80

Closed TaintedDemonWolf closed 1 year ago

TaintedDemonWolf commented 1 year ago

Hi

I'm having a problem with renewing a certificate. When I run the script, I do not see the http check file come up in the IIS folder and the error I get is as follows:

le64.exe -generate-missing -key account.key -csr domain.csr -csr-key domain.key -crt domain.crt -domains "<public domain>" -path "C:\inetpub\wwwroot\.well-known\acme-challenge" -unlink -renew 60 -live -handle-as http

2023/01/09 15:49:21 [ Crypt::LE client v0.38 started. ]
2023/01/09 15:49:21 Loading an account key from account.key
2023/01/09 15:49:21 Loading a CSR from domain.csr
2023/01/09 15:49:21 Checking certificate for expiration (local file).
2023/01/09 15:49:21 Expiration threshold set at 60 days, the certificate expires in 5 days - will be renewing.
2023/01/09 15:49:24 Could not load the resource directory: SSL connection failed for acme-v02.api.letsencrypt.org: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

I thought it was a security issue on the local server, but I haven't found an issue with the folder and can create files as normal in the location. This used to work and now doesn't. Any ideas?

do-know commented 1 year ago

Thanks for the report. I'll check it shortly and if a new version needs to be built, I'll have that created. Thanks.

do-know commented 1 year ago

OK, interestingly I cannot reproduce this - using v0.38 of le64 (or the le.pl), it works fine and does not trigger any connection errors. The error shown in your case would be expected if the certificates used by the client are out of date, but in the case of le64 those are packaged in and should be still fine (otherwise it would be failing for me too), or if there is some "man-in-the-middle" attempt to connect to some rogue server. Is this consistently reproducible? Are you getting the same error if you run it against the test server (without -live option)? Additionally, could you run nslookup acme-v02.api.letsencrypt.org from the command line and see what comes up?
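
The three checks suggested above (resolve the host, try the staging server, see whose certificate is actually presented) can be scripted. This is an added diagnostic, not part of Crypt::LE or le64; it assumes IO::Socket::SSL is installed (Crypt::LE already depends on it) and that acme-staging-v02.api.letsencrypt.org is the Let's Encrypt test server.

```perl
#!/usr/bin/perl
# Added diagnostic for "certificate verify failed" against the ACME directory.
# Not part of Crypt::LE. Assumes IO::Socket::SSL and Socket >= 1.93 (Perl 5.14+).
use strict;
use warnings;
use Socket qw(getaddrinfo getnameinfo SOCK_STREAM NI_NUMERICHOST NIx_NOSERV);
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Live host from the log above; staging host assumed to be Let's Encrypt's test server.
my @hosts = qw(acme-v02.api.letsencrypt.org acme-staging-v02.api.letsencrypt.org);

for my $host (@hosts) {
    print "== $host ==\n";

    # 1. Equivalent of nslookup: what does this machine resolve the host to?
    my ($err, @addrs) = getaddrinfo($host, 'https', { socktype => SOCK_STREAM });
    if ($err) { print "  resolve failed: $err\n"; next }
    for my $a (@addrs) {
        my ($e, $ip) = getnameinfo($a->{addr}, NI_NUMERICHOST, NIx_NOSERV);
        print "  resolves to $ip\n" unless $e;
    }

    # 2. Connect with full verification, exactly as the client would.
    my $ssl = IO::Socket::SSL->new(
        PeerHost => $host, PeerPort => 443, Timeout => 10,
        SSL_verify_mode => SSL_VERIFY_PEER,
    );
    if ($ssl) {
        printf "  verified OK: subject=%s issuer=%s\n",
            $ssl->peer_certificate('subject'), $ssl->peer_certificate('issuer');
        next;
    }
    print "  verification FAILED: $IO::Socket::SSL::SSL_ERROR\n";

    # 3. Reconnect without verification, only to report who actually answered.
    my $peek = IO::Socket::SSL->new(
        PeerHost => $host, PeerPort => 443, Timeout => 10,
        SSL_verify_mode => SSL_VERIFY_NONE,
    );
    if ($peek) {
        printf "  presented cert: subject=%s issuer=%s fingerprint=%s\n",
            $peek->peer_certificate('subject'), $peek->peer_certificate('issuer'),
            $peek->get_fingerprint('sha256');
        # Interpretation: an issuer that is not a Let's Encrypt intermediate means
        # something on the path (proxy, ISP, filtering appliance) is terminating TLS;
        # a Let's Encrypt issuer that still fails to verify means the CA store on
        # this machine is out of date.
    } else {
        print "  no TLS handshake at all: $IO::Socket::SSL::SSL_ERROR\n";
    }
}
```

If both hosts fail in the same way while the resolved addresses look correct, the problem sits on the network path rather than in the client, which matches the ISP routing issue reported in this thread.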

TaintedDemonWolf commented 1 year ago

Thanks for the feedback. I found out that the issue was the ISP was having some routing issues. The nslookup was right and changing the -live option still had the same issue. After switching to the failover connection, it worked perfectly.

do-know commented 1 year ago

Closing as resolved.