pterodactyl / panel

Pterodactyl® is a free, open-source game server management panel built with PHP, React, and Go. Designed with security in mind, Pterodactyl runs all game servers in isolated Docker containers while exposing a beautiful and intuitive UI to end users.
https://pterodactyl.io

TLS Issue - Change in Let's Encrypt Root Certificate #3686

Closed prg-as closed 2 years ago

prg-as commented 2 years ago

Is there an existing issue for this?

Current Behavior

There seems to be a new and relatively frequent problem some people are having with certificates and TLS handshakes. A quick search in the Discord shows multiple people having similar issues. I see them all the way back to 10/1.

Generally the error is something like this:

"masusniper — 10/03/2021 can someone help? http: TLS handshake error from 1.2.3.4:55600: remote error: tls: expired certificate"

This is happening with renewed and newly issued certificates.

I think it is not yet widespread since we are not all renewing at the same time.

Interestingly, some functions of the panel still work, such as starting/stopping a server and sending commands in the console; however, functions such as reinstalling the same server say there is a connection error.

Recently, Let's Encrypt changed their certificate chains to use a different root certificate. This happened at the end of September, right around when people began having the issue. I personally had the issue right after renewing my certificates, with no other problem.

See this article for more info: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/

*Some users are getting a bad MAC exception, and this may be a concurrent problem of the same origin as that error.

Expected Behavior

All TLS requests would be authorized with a non-expired certificate.

Steps to Reproduce

- Spin up a new daemon and issue a new certificate.
- Renew a certificate on an existing daemon.
- Obtain a new certificate with a new domain on an existing daemon.

I personally am using OVH as my provider; not sure about the others with the issue.

Panel Version

1.6.2

Wings Version

1.5.1

Error Logs

2021/10/15 20:34:23 http: TLS handshake error from 71.91.124.1**:44322: remote error: tls: expired certificate
2021/10/15 20:34:45 http: TLS handshake error from 71.91.124.1**:44392: remote error: tls: expired certificate
2021/10/15 20:34:45 http: TLS handshake error from 71.91.124.1**:44394: remote error: tls: expired certificate
2021/10/15 20:34:45 http: TLS handshake error from 71.91.124.1**:44396: remote error: tls: expired certificate
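
The log lines above are what an operator has to sift through when this starts happening, and a "remote error" in a Go TLS handshake log means the connecting client rejected the certificate Wings presented, not the other way round. The following is an added example (not part of the issue or of the Pterodactyl code base) that parses Wings-style handshake errors, groups them by reason and client, and flags a burst of "expired certificate" rejections as a sign that clients no longer trust the served chain. The sample log is constructed, with documentation-range IPs in place of the redacted ones.

```python
"""Detect bursts of TLS handshake failures in Wings-style (Go net/http) log output."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the Go net/http server log format seen in the issue's error logs.
TLS_ERR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) http: TLS handshake error from "
    r"(?P<ip>[^:]+):(?P<port>\d+): (?P<detail>.+)$"
)

# Constructed sample lines modelled on the issue's excerpt (IPs are placeholders).
SAMPLE_LOG = """\
2021/10/15 20:34:23 http: TLS handshake error from 203.0.113.10:44322: remote error: tls: expired certificate
2021/10/15 20:34:45 http: TLS handshake error from 203.0.113.10:44392: remote error: tls: expired certificate
2021/10/15 20:34:45 http: TLS handshake error from 203.0.113.10:44394: remote error: tls: expired certificate
2021/10/15 20:34:45 http: TLS handshake error from 203.0.113.10:44396: remote error: tls: expired certificate
2021/10/15 20:35:01 http: TLS handshake error from 198.51.100.7:51000: remote error: tls: bad certificate
2021/10/15 20:35:02 [INFO] server process started
2021/10/15 20:36:10 http: TLS handshake error from 198.51.100.7:51004: EOF
"""


def parse_tls_errors(text):
    """Return a list of {ts, ip, detail} dicts, one per handshake error line."""
    events = []
    for line in text.splitlines():
        m = TLS_ERR_RE.match(line)
        if not m:
            continue  # not a handshake error line; ignore
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "ip": m["ip"],
            "detail": m["detail"],
        })
    return events


def summarise(events):
    """Count failures by reason string and by client IP."""
    by_reason = Counter(e["detail"] for e in events)
    by_ip = Counter(e["ip"] for e in events)
    return by_reason, by_ip


def expired_cert_burst(events, window=timedelta(minutes=5), threshold=3):
    """True if at least `threshold` 'expired certificate' rejections fall inside one `window`.

    'remote error: tls: expired certificate' is sent by the *client*, so a burst means
    clients are rejecting the chain Wings serves (e.g. a trust store missing the new root).
    """
    times = sorted(e["ts"] for e in events if "expired certificate" in e["detail"])
    for i, start in enumerate(times):
        j = i + threshold - 1
        if j < len(times) and times[j] - start <= window:
            return True
    return False


if __name__ == "__main__":
    evs = parse_tls_errors(SAMPLE_LOG)
    reasons, ips = summarise(evs)
    print("by reason:", dict(reasons))
    print("by client:", dict(ips))
    print("expired-cert burst:", expired_cert_burst(evs))
```

Run against a real `wings` log, a burst of "expired certificate" from the panel's IP points at the panel host's CA store rather than at the daemon's certificate file, which is the direction the rest of this thread ends up taking.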
Software-Noob commented 2 years ago

A root certificate problem wouldn't be a bug in Pterodactyl; it is instead the responsibility of the user that's administrating the machine(s). You need to run a certificate check and ensure the whole chain is complete and trusted for the certificate to be valid.

prg-as commented 2 years ago

Maybe "root certificate" is not the correct word? I think it was a change in how Let's Encrypt issued the certificates. Just so I understand, does this check have to be for a domain with a webserver? How would it know there are certificates when sending a request to the daemon directly? The result I get from the site is that there are no certificates found for the domain. But there clearly are. We just made a new domain and regenerated new certificates just to check the issue. Any other ideas/info/something else I could be missing? Thanks!

prg-as commented 2 years ago

Is it possible this is a configuration issue on the webserver's end, sending back the error for only some of the requests? Not sure why it would do that.

prg-as commented 2 years ago

After viewing some more logs on the webserver/panel side and seeing an error related to cURL:

"cURL error 60: SSL certificate problem: certificate has expired (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://pr***.com:8080/api/servers"

The appropriate Let's Encrypt root certificates were added manually into the certificate store /etc/ssl/certs/:

- ISRG Root X1
- ISRG Root X2

This may be an issue others run into once people start renewing their certificates, if their webserver/panel server does not grab the newly added Let's Encrypt certificates released on Sept 30th 2021.
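
Why adding ISRG Root X1 to the panel host's store fixes a "certificate has expired" error that the daemon's own (fresh) certificate does not explain is easiest to see by walking the chain the way a client does. The block below is an added model written for this thread, not code from Pterodactyl or from any TLS library: the certificate records are constructed dictionaries whose names follow the public Let's Encrypt chain of late 2021 (leaf, R3, ISRG Root X1 cross-signed by DST Root CA X3), the dates approximate the published ones, and the leaf name and expiry are made up. The `stop_at_trusted` switch models the difference between a modern verifier, which stops as soon as it reaches a subject it already trusts, and an older one that follows the served chain to its end.

```python
"""Model of client-side chain building, showing why a trust store without
ISRG Root X1 reports 'certificate has expired' after DST Root CA X3 expired."""
from datetime import date


def cert(subject, issuer, not_after):
    """Constructed stand-in for an X.509 certificate: only the fields the walk needs."""
    return {"subject": subject, "issuer": issuer, "not_after": not_after}


# Constructed records (names follow the real chain; dates are approximate, leaf is made up).
LEAF = cert("panel.example.com", "R3", date(2022, 1, 10))
R3 = cert("R3", "ISRG Root X1", date(2025, 9, 15))
ISRG_X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))   # served by the daemon
ISRG_X1_SELF = cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4))       # the new root to install
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30))        # expired 2021-09-30

# What Wings sends in the handshake: leaf first, cross-signed ISRG Root X1 last.
SERVED_CHAIN = [LEAF, R3, ISRG_X1_CROSS]

# Trust stores keyed by subject: the stale one and the one after the manual fix.
OLD_STORE = {"DST Root CA X3": DST_X3}
FIXED_STORE = {"DST Root CA X3": DST_X3, "ISRG Root X1": ISRG_X1_SELF}


def validate(served_chain, trust_store, today, stop_at_trusted=True):
    """Walk the served chain and return (status, chain_used).

    stop_at_trusted=True: once a served cert's subject is in the local store, use the
    local copy as the anchor (modern verifier behaviour). False: always follow the
    served chain to its last cert and then look up that cert's issuer locally.
    """
    chain = []
    for c in served_chain:
        if stop_at_trusted and c["subject"] in trust_store:
            anchor = trust_store[c["subject"]]
            if today > anchor["not_after"]:
                return "certificate has expired", chain + [anchor]
            return "ok", chain + [anchor]
        if today > c["not_after"]:
            return "certificate has expired", chain + [c]
        chain.append(c)
    # Ran out of served certs: the last one's issuer must be a local trust anchor.
    anchor = trust_store.get(chain[-1]["issuer"])
    if anchor is None:
        return "unable to get local issuer certificate", chain
    if today > anchor["not_after"]:
        return "certificate has expired", chain + [anchor]
    return "ok", chain + [anchor]


if __name__ == "__main__":
    after = date(2021, 10, 15)
    for label, store, modern in [
        ("stale store, modern client", OLD_STORE, True),
        ("fixed store, modern client", FIXED_STORE, True),
        ("fixed store, old client", FIXED_STORE, False),
    ]:
        status, used = validate(SERVED_CHAIN, store, after, stop_at_trusted=modern)
        print(f"{label}: {status}  via {' -> '.join(c['subject'] for c in used)}")
```

The model reproduces the three outcomes seen in this thread: a store that only knows DST Root CA X3 fails after 30 September 2021, installing ISRG Root X1 fixes a modern verifier, and a verifier that insists on following the served chain still lands on the expired root even with the fix. On a real host the served chain can be inspected with `openssl s_client -connect host:8080 -showcerts`, and `openssl verify` against the local CA bundle shows which of these cases applies.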

MCBoos commented 1 year ago

I have found a solution: due to a CA configuration error in PHP's curl, I downloaded a new CA bundle from this link (https://curl.haxx.se/ca/cacert.pem) and then filled it in in php.ini:

curl.cainfo = /etc/pki/ca-trust/extracted/openssl/cacert.pem
openssl.cafile=/etc/pki/ca-trust/extracted/openssl/cacert.pem

This solved the problem perfectly ^_^