Closed prg-as closed 2 years ago
Root certificate wouldn't be a bug of Pterodactyl, and is instead the responsibility of the user that's administrating the machine(s). You need to run a certificate check and ensure the whole chain is complete and trusted to be a valid certificate.
Maybe root certificate is not the correct word? I think it was a change in how Let's Encrypt issued the certificates. Just so I understand, does this check have to be for a domain with a webserver? How would it know there are certificates when sending a request to the daemon directly? The result I get from the site is that there are no certificates found for the domain. But there clearly are. We just made a new domain and regenerated new certificates just to check the issue. Any other ideas/info/something else I could be missing? Thanks!
It is possible this is a configuration issue on the end of the webserver, sending back the error for only some of the requests? Not sure why it would do that?
After viewing some more logs on the webserver/panel side and seeing an error related to CURL
"cURL error 60: SSL certificate problem: certificate has expired (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://pr***.com:8080/api/servers"
The appropriate Let's Encrypt root certificates were added manually into the certificate store /etc/ssl/certs/:
- ISRG Root X1
- ISRG Root X2
This may be an issue others run into once people start renewing their certificates if their webserver/panel server does not grab the newly added Let's Encrypt certificates released on Sept 30th 2021.
I have found a solution, but due to a CA configuration error in PHP's curl, I downloaded a new CA from this link (https://curl.haxx.se/ca/cacert.pem), and then filled it in in php.ini:
curl.cainfo = /etc/pki/ca-trust/extracted/openssl/cacert.pem
openssl.cafile=/etc/pki/ca-trust/extracted/openssl/cacert.pem
This solved the problem perfectly ^_^
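The two fixes reported above (adding ISRG Root X1/X2 to the certificate store, and pointing `curl.cainfo` at a fresh bundle) can be checked by auditing the bundle file itself. This is an added example, not code from the thread or from Pterodactyl; the function names are hypothetical and the sample records are constructed in the shape Python's `ssl.SSLContext.get_ca_certs()` returns.

```python
import ssl
import sys
import time

# Root names taken from the thread above.
WANTED_ROOTS = ("ISRG Root X1", "ISRG Root X2")

# Constructed sample records, used when no bundle path is given.
SAMPLE_RECORDS = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),), (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def common_name(record):
    """Return the subject commonName of one get_ca_certs() record, or None."""
    for rdn in record.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_records(records, now=None):
    """Report which wanted roots are present or missing and which CAs expired."""
    now = time.time() if now is None else now
    names = {common_name(r) for r in records}
    expired = sorted(common_name(r) or "<no CN>" for r in records
                     if ssl.cert_time_to_seconds(r["notAfter"]) < now)
    return {"present": [n for n in WANTED_ROOTS if n in names],
            "missing": [n for n in WANTED_ROOTS if n not in names],
            "expired": expired}


def audit_bundle(cafile, now=None):
    """Load a PEM bundle (e.g. the file curl.cainfo points at) and audit it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return audit_records(ctx.get_ca_certs(), now)


if __name__ == "__main__":
    # Usage: python audit_ca.py /path/to/cacert.pem (no argument: sample data)
    if len(sys.argv) == 2:
        print(audit_bundle(sys.argv[1]))
    else:
        print(audit_records(SAMPLE_RECORDS))
```

Run it on the panel host against the same file PHP is configured to use; a bundle that reports ISRG Root X1 as missing cannot validate the chain the daemon serves after renewal.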
Is there an existing issue for this?
Current Behavior
There seems to be a new and relatively frequent problem some people are having with certificates and TLS handshakes. A quick search in the Discord shows multiple people having similar issues. I see them all the way back to 10/1.
Generally the error is something like this:
"masusniper — 10/03/2021 can someone help? http: TLS handshake error from 1.2.3.4:55600: remote error: tls: expired certificate"
This is happening with renewed and recently newly issued certificates.
I think it is not yet widespread since we are not all renewing at the same time.
Interestingly, some functions of the panel still work, such as starting/stopping a server and sending commands in console; however, functions such as reinstalling the same server say there is a connection error.
Recently, Let's Encrypt changed their certificate chains, using a different root certificate. This happened at the end of September, right around when people began having the issue. I personally had the issue right after renewing my certificates with no other problem.
See this article for more info: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/
*Some users are getting a bad MAC exception and this may be a concurrent problem of the same origin with that error.
Expected Behavior
All TLS requests would be authorized with a non-expired certificate.
Steps to Reproduce
- Spin up a new daemon and issue a new certificate.
- Renew a certificate on existing daemon.
- Obtain a new certificate with new domain on existing daemon.

I personally am using OVH as my provider, not sure about the others with the issue.
Panel Version
1.6.2
Wings Version
1.5.1
Error Logs