
AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! after migrating to 2.0.1 #125

Closed
Bagu opened this issue Jun 3, 2019 · 13 comments

@Bagu

commented Jun 3, 2019

Hello,

Maybe related with this : #94
But not sure.

After upgrading from 1.1.7 to 2.0.1 without any other change, I receive these errors:

```
[Sat Jun 01 18:02:11.467856 2019] [ssl:error] [pid 4676:tid 664] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 67AB5A455D2E5289FE4EFBD707CB73FA361D88C7 / notbefore: May 29 19:48:11 2019 GMT / notafter: Jun 12 19:48:11 2019 GMT]
[Sat Jun 01 18:02:11.467856 2019] [ssl:error] [pid 4676:tid 664] AH02604: Unable to configure certificate hyze.fr:443:0 for stapling
```

Here is my httpd-md.conf:

```apache
LogLevel warn md:info ssl:error

# Container for directives applied to the same managed domains

MDCertificateAgreement https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf

# which ACME challenge types shall be used

#MDCAChallenges tls-sni-01 http-01
MDCAChallenges http-01

MDRequireHttps permanent

MDomain hyze.fr blog.hyze.fr forum.hyze.fr
MDomain mch44.fr www.mch44.fr
MDomain bagu.fr www.bagu.fr dolibarr.bagu.fr webmail.bagu.fr autoconfig.bagu.fr
MDomain bagu.biz www.bagu.biz webmail.bagu.biz autoconfig.bagu.biz blog.bagu.biz genealogie.bagu.biz isabelle.bagu.biz
```

And I have set this in httpd-ssl.conf:

```apache
# OCSP Stapling, only in httpd 2.3.3 and later
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
MDMustStaple on
```

Other domains don't throw any error.

Do you have any idea why this happens?

@icing

Owner

commented Jun 3, 2019

The log entry Unable to configure certificate hyze.fr:443:0 for stapling is unfortunately happening when a fallback certificate is used. I should make a fix in mod_ssl in the future to avoid this. However, even though an error is logged, the server will work through this.

The question here is why there was no valid certificate already for hyze.fr. You say that you migrated from mod_md v1.1.7 to v2.0.1 and if there was a LetsEncrypt certificate for hyze.fr earlier, the new version of mod_md should just have continued using it, as it seems to have happened for other domains.

So, I'd like to verify:

  • did you already have a mod_md certificate for hyze.fr before upgrading the version?
  • I notice that hyze.fr is hosted by cloudflare. If you had a LetsEncrypt certificate before, was this obtained in the same cloudflare setup that you have now?
@Bagu

Author

commented Jun 3, 2019

Hello,

  1. Yes, I already have a mod_md certificate for hyze.fr
  2. But I recently changed my cloudflare account for this domain

In fact, the ownership of this domain was transmitted to me very recently, and I did the transfer shortly before the migration to version 2.0.1 of mod_md.

@icing

Owner

commented Jun 3, 2019

If you enable the server-status handler somewhere (see documentation) and open it in your browser, it will also list all Managed Domains.

This would be interesting to see. If you do not like to share that, you can email me at stefan at eissing.org.

I presume that there is some mixup with mod_md, Let's Encrypt and the cloudflare setup. If cloudflare redirects your domains to its CDN (looks like it to me), and your server runs "behind" them, it will not necessarily see the challenge verifications sent by Lets Encrypt.

Also, if you raise the log level via

```apache
LogLevel md:trace2
```

the error log should state pretty verbosely what is going on with that domain. Since logs are often sensitive, you could mail me that to the same address. Thanks!

@Bagu

Author

commented Jun 3, 2019

Here is the result for managed domains:

| Name | Domains | Status | Valid | Expires | Renew | Configuration | Renewal |
|---|---|---|---|---|---|---|---|
| bagu.biz | bagu.biz www.bagu.biz webmail.bagu.biz autoconfig.bagu.biz blog.bagu.biz genealogie.bagu.biz isabelle.bagu.biz | ok | 2019-05-31 | 2019-08-29 | auto | must-staple renew-at[33%] ca=[letsencrypt(v1)] contacts=[mailto:xxx@xxx.xx] | |
| bagu.fr | bagu.fr www.bagu.fr dolibarr.bagu.fr webmail.bagu.fr autoconfig.bagu.fr | ok | 2019-05-31 | 2019-08-29 | auto | must-staple renew-at[33%] ca=[letsencrypt(v1)] contacts=[mailto:xxx@xxx.xx] | |
| blog.hyze.fr | hyze.fr blog.hyze.fr forum.hyze.fr | ok | 2019-05-31 | 2019-08-29 | auto | must-staple renew-at[33%] ca=[letsencrypt(v1)] contacts=[mailto:xxx@xxx.xx] | |
| mch44.fr | mch44.fr www.mch44.fr | ok | 2019-05-31 | 2019-08-29 | auto | must-staple renew-at[33%] ca=[letsencrypt(v1)] contacts=[mailto:xxx@xxx.xx] | |

And the logs (nothing really sensitive):

```
[Mon Jun 03 14:27:54.942132 2019] [md:debug] [pid 6496:tid 644] mod_md.c(881): AH10076: hyze.fr: manages server hyze.fr
[Mon Jun 03 14:27:54.942132 2019] [md:debug] [pid 6496:tid 644] mod_md.c(933): AH10113: md_get_certificate called for vhost hyze.fr.
[Mon Jun 03 14:27:54.943131 2019] [md:debug] [pid 6496:tid 644] mod_md.c(994): AH10116: hyze.fr: providing fallback certificate for server hyze.fr
[Mon Jun 03 14:27:54.943131 2019] [ssl:warn] [pid 6496:tid 644] AH10085: Init: hyze.fr:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
[Mon Jun 03 14:27:54.943131 2019] [ssl:error] [pid 6496:tid 644] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 67AB5A455D2E5289FE4EFBD707CB73FA361D88C7 / notbefore: May 29 19:48:11 2019 GMT / notafter: Jun 12 19:48:11 2019 GMT]
[Mon Jun 03 14:27:54.943131 2019] [ssl:error] [pid 6496:tid 644] AH02604: Unable to configure certificate hyze.fr:443:0 for stapling
[Mon Jun 03 14:27:54.992116 2019] [md:debug] [pid 6496:tid 644] mod_md.c(881): AH10076: blog.hyze.fr: manages server hyze.fr
[Mon Jun 03 14:27:54.992116 2019] [md:debug] [pid 6496:tid 644] mod_md.c(933): AH10113: md_get_certificate called for vhost hyze.fr.
[Mon Jun 03 14:27:54.992116 2019] [md:debug] [pid 6496:tid 644] mod_md.c(1000): AH10077: blog.hyze.fr[state=2]: providing certificate for server hyze.fr
[Mon Jun 03 14:27:55.400734 2019] [md:debug] [pid 9376:tid 576] mod_md.c(881): AH10076: hyze.fr: manages server hyze.fr
[Mon Jun 03 14:27:55.400734 2019] [md:debug] [pid 9376:tid 576] mod_md.c(933): AH10113: md_get_certificate called for vhost hyze.fr.
[Mon Jun 03 14:27:55.400734 2019] [md:debug] [pid 9376:tid 576] mod_md.c(994): AH10116: hyze.fr: providing fallback certificate for server hyze.fr
[Mon Jun 03 14:27:55.400734 2019] [ssl:warn] [pid 9376:tid 576] AH10085: Init: hyze.fr:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
[Mon Jun 03 14:27:55.400734 2019] [ssl:error] [pid 9376:tid 576] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 67AB5A455D2E5289FE4EFBD707CB73FA361D88C7 / notbefore: May 29 19:48:11 2019 GMT / notafter: Jun 12 19:48:11 2019 GMT]
[Mon Jun 03 14:27:55.400734 2019] [ssl:error] [pid 9376:tid 576] AH02604: Unable to configure certificate hyze.fr:443:0 for stapling
[Mon Jun 03 14:27:55.446693 2019] [md:debug] [pid 9376:tid 576] mod_md.c(881): AH10076: blog.hyze.fr: manages server hyze.fr
[Mon Jun 03 14:27:55.446693 2019] [md:debug] [pid 9376:tid 576] mod_md.c(933): AH10113: md_get_certificate called for vhost hyze.fr.
[Mon Jun 03 14:27:55.446693 2019] [md:debug] [pid 9376:tid 576] mod_md.c(1000): AH10077: blog.hyze.fr[state=2]: providing certificate for server hyze.fr
```

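The startup log above is easy to misread: the AH02217/AH02604 stapling errors are raised against the fallback certificate, and the real diagnostic is that the vhost hyze.fr is claimed by two Managed Domains (`hyze.fr` and `blog.hyze.fr`), the first handing out a fallback certificate and the second a real one. As an added example (not part of this issue and not mod_md's own code), here is a small parser for the AH10076/AH10116/AH10077/AH10085/AH02217 lines that reports exactly that: vhosts claimed by more than one MD, vhosts that recovered a real certificate after a fallback, and vhosts that never got one. The sample log is constructed after the lines posted here, plus one made-up vhost `test.example` that stays on the fallback certificate.

```python
import json
import re
from collections import defaultdict

# Constructed sample, modelled on the startup log posted in this issue.
# "test.example" is a made-up vhost that only ever gets the fallback cert.
SAMPLE_LOG = """\
[Mon Jun 03 14:27:54.942132 2019] [md:debug] [pid 6496:tid 644] mod_md.c(881): AH10076: hyze.fr: manages server hyze.fr
[Mon Jun 03 14:27:54.943131 2019] [md:debug] [pid 6496:tid 644] mod_md.c(994): AH10116: hyze.fr: providing fallback certificate for server hyze.fr
[Mon Jun 03 14:27:54.943131 2019] [ssl:warn] [pid 6496:tid 644] AH10085: Init: hyze.fr:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
[Mon Jun 03 14:27:54.943131 2019] [ssl:error] [pid 6496:tid 644] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=Apache Managed Domain Fallback / issuer: CN=Apache Managed Domain Fallback / serial: 67AB5A455D2E5289FE4EFBD707CB73FA361D88C7 / notbefore: May 29 19:48:11 2019 GMT / notafter: Jun 12 19:48:11 2019 GMT]
[Mon Jun 03 14:27:54.943131 2019] [ssl:error] [pid 6496:tid 644] AH02604: Unable to configure certificate hyze.fr:443:0 for stapling
[Mon Jun 03 14:27:54.992116 2019] [md:debug] [pid 6496:tid 644] mod_md.c(881): AH10076: blog.hyze.fr: manages server hyze.fr
[Mon Jun 03 14:27:54.992116 2019] [md:debug] [pid 6496:tid 644] mod_md.c(1000): AH10077: blog.hyze.fr[state=2]: providing certificate for server hyze.fr
[Mon Jun 03 14:27:55.100000 2019] [md:debug] [pid 6496:tid 644] mod_md.c(881): AH10076: test.example: manages server test.example
[Mon Jun 03 14:27:55.100000 2019] [md:debug] [pid 6496:tid 644] mod_md.c(994): AH10116: test.example: providing fallback certificate for server test.example
[Mon Jun 03 14:27:55.100000 2019] [ssl:warn] [pid 6496:tid 644] AH10085: Init: test.example:443 will respond with '503 Service Unavailable' for now. This host is part of a Managed Domain, but no SSL certificate is available (yet).
"""

# Message formats as they appear in the posted log (mod_md / mod_ssl message ids).
MANAGES_RE = re.compile(r"AH10076: (?P<md>\S+): manages server (?P<vhost>\S+)")
FALLBACK_RE = re.compile(r"AH10116: (?P<md>\S+): providing fallback certificate for server (?P<vhost>\S+)")
REAL_RE = re.compile(r"AH10077: (?P<md>[^\[\s]+)\[state=\d+\]: providing certificate for server (?P<vhost>\S+)")
UNAVAIL_RE = re.compile(r"AH10085: Init: (?P<vhost>[^:\s]+):\d+ will respond with '503")
FALLBACK_STAPLE_RE = re.compile(r"AH02217: .*subject: CN=Apache Managed Domain Fallback")


def analyze_md_startup(log_text):
    """Summarise which vhosts got which certificate during httpd startup."""
    mds_per_vhost = defaultdict(set)   # vhost -> every MD that claims it
    fallback = {}                      # vhost -> MD that served the fallback cert
    real = {}                          # vhost -> MD that served a real cert
    will_503 = set()
    fallback_stapling_errors = 0

    for line in log_text.splitlines():
        m = MANAGES_RE.search(line)
        if m:
            mds_per_vhost[m["vhost"]].add(m["md"])
        m = FALLBACK_RE.search(line)
        if m:
            fallback[m["vhost"]] = m["md"]
        m = REAL_RE.search(line)
        if m:
            real[m["vhost"]] = m["md"]
        m = UNAVAIL_RE.search(line)
        if m:
            will_503.add(m["vhost"])
        if FALLBACK_STAPLE_RE.search(line):
            # Stapling cannot work on the self-signed fallback cert; this is
            # noise caused by the fallback, not a separate OCSP problem.
            fallback_stapling_errors += 1

    return {
        # A vhost claimed by two MDs is the symptom of a renamed MD whose
        # store directory still carries the old name.
        "multiple_mds": {v: sorted(mds) for v, mds in mds_per_vhost.items() if len(mds) > 1},
        # Got the fallback first, then a real cert from another MD.
        "recovered": {v: real[v] for v in fallback if v in real},
        "still_on_fallback": sorted(v for v in fallback if v not in real),
        "will_503": sorted(will_503),
        "fallback_stapling_errors": fallback_stapling_errors,
    }


if __name__ == "__main__":
    print(json.dumps(analyze_md_startup(SAMPLE_LOG), indent=2))
```

Run it against a real error log by reading the file into `analyze_md_startup`; a non-empty `multiple_mds` entry points at the renamed-MD situation that icing identifies further down, while `still_on_fallback` lists the hosts that will actually answer 503 until a certificate arrives.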
@JBlond


commented Jun 3, 2019

In the old days it was because of the missing CA cert. Do you use the fullchain cert?

```apache
SSLCertificateFile conf/certs/fullchain.pem
SSLCertificateKeyFile conf/certs/privkey.pem
```

@icing

Owner

commented Jun 3, 2019

Ah, thanks. That helped.

The problem is that I tried to do less in v2.0.x during startup. Problem is that name changes were no longer detected that way. I bet you do not have a directory md/domains/hyze.fr/ in your filesystem, but forum.hyze.fr or the blog.hyze.fr one.

No need to change anything, I am just making a v2.0.2 that reverts to the old initialization and that should make the error go away. I am thinking about doing an auto-rename in the store, but that may come in a later version.

Next release soon.
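The mismatch icing describes can be checked from outside httpd before and after an upgrade. The following is an added example, not mod_md's own code: it reads every `MDomain` line, takes the first name as the MD's name, and looks for `md/domains/<name>/`; where that directory is absent it searches the store for an entry whose domain list overlaps, which is what a renamed MD looks like. It assumes the store layout `md/domains/<name>/md.json` with a `"domains"` list in that file; the sample config and store are constructed to mirror this issue (the `hyze.fr` MD still stored under `blog.hyze.fr`, and `mch44.fr` with no store entry at all).

```python
import json
import os
import re
import tempfile

# Matches "MDomain name1 name2 ..." lines; the first name is the MD's name.
MDOMAIN_RE = re.compile(r"^\s*MDomain\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_mdomains(conf_text):
    """Return {md_name: set(all domain names)} for each MDomain directive."""
    mds = {}
    for m in MDOMAIN_RE.finditer(conf_text):
        names = m.group(1).split()
        mds[names[0]] = set(names)
    return mds


def read_store(store_root):
    """Read the MD store. Assumed layout: <root>/domains/<name>/md.json
    containing a "domains" list (assumption made for this example)."""
    found = {}
    domains_dir = os.path.join(store_root, "domains")
    if not os.path.isdir(domains_dir):
        return found
    for entry in sorted(os.listdir(domains_dir)):
        path = os.path.join(domains_dir, entry, "md.json")
        if os.path.isfile(path):
            with open(path) as f:
                found[entry] = set(json.load(f).get("domains", []))
    return found


def audit_store(conf_text, store_root):
    """Classify each configured MD as ok, renamed (stored under another
    name) or missing (no store entry shares any of its domains)."""
    configured = parse_mdomains(conf_text)
    stored = read_store(store_root)
    report = {"ok": [], "renamed": {}, "missing": []}
    for name, domains in configured.items():
        if name in stored:
            report["ok"].append(name)
            continue
        # A store entry whose domains overlap is the same MD under its old name.
        candidates = sorted(s for s, sd in stored.items() if sd & domains)
        if candidates:
            report["renamed"][name] = candidates
        else:
            report["missing"].append(name)
    return report


# Constructed sample config: hyze.fr is now listed first, bagu.fr unchanged,
# mch44.fr has never been issued.
SAMPLE_CONF = """\
MDomain hyze.fr blog.hyze.fr forum.hyze.fr
MDomain bagu.fr www.bagu.fr
MDomain mch44.fr www.mch44.fr
"""


def build_sample_store():
    """Create a constructed store in a temp dir: the hyze.fr MD still lives
    under its old name blog.hyze.fr, bagu.fr is stored under its own name."""
    root = tempfile.mkdtemp()
    entries = {
        "blog.hyze.fr": ["blog.hyze.fr", "hyze.fr", "forum.hyze.fr"],
        "bagu.fr": ["bagu.fr", "www.bagu.fr"],
    }
    for name, domains in entries.items():
        d = os.path.join(root, "domains", name)
        os.makedirs(d)
        with open(os.path.join(d, "md.json"), "w") as f:
            json.dump({"name": name, "domains": domains}, f)
    return root


if __name__ == "__main__":
    print(json.dumps(audit_store(SAMPLE_CONF, build_sample_store()), indent=2))
```

Point `audit_store` at your own httpd-md.conf text and `MDStoreDir` to reproduce the check; an entry under `renamed` is the case this thread is about and needs no manual fix once the v2.0.2 startup sync is in place.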

icing added a commit that referenced this issue Jun 3, 2019

* Fixing configuration startup (e.g. dry run) to sync with the store…
… again. This let's

   us find renamed MDs and use its correct paths. With wrong paths, mod_ssl gets unhappy
   and logs errors (see #125).
@icing

Owner

commented Jun 3, 2019

Please check if v2.0.2 resolves your issue.

@Bagu

Author

commented Jun 3, 2019

Yes, I have blog.hyze.fr and hyze.fr under md/domains/

I need the nono303 build to do this ;)
I'm under Windows x64.

@JBlond I don't use fullchain cert ;)

@icing

Owner

commented Jun 3, 2019

Oh no! Not the @nono303! ;-)

@Bagu

Author

commented Jun 3, 2019

I can't do the test because of this:

```
[Mon Jun 03 17:03:26.176528 2019] [md:trace1] [pid 7880:tid 2500] md_acme.c(331): response: 429
[Mon Jun 03 17:03:26.176528 2019] [md:warn] [pid 7880:tid 2500] (70013)Missing parameter for the specified command line option: acme problem urn:acme:error:rateLimited: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
```

@icing

Owner

commented Jun 4, 2019

Which tests? All your certificates were valid until August! Did you remove them every time? There is no need to do that, you know?

As you found out, if you do that too often, LE does rate limit you. This limit lasts for a week, but with a sliding window. So when the first attempt is a week old, it gets deducted from your limit.

@Bagu

Author

commented Jun 11, 2019

The v2.0.3 seems to work fine, no error for the moment.

Thanks a lot

@icing

Owner

commented Jun 11, 2019

:-D

@icing icing closed this Jun 11, 2019
