TLS handshake error for API calls

[kristian]

I'm about to go crazy over this error that has surfaced recently, possibly after an update of something. I have an ansible playbook that does calls to the DA API, but it is failing on only *some* of my servers with the following error:

Status code was -1 and not [200]: Request failed: <urlopen error [SSL: WRONG_CURVE] wrong curve (_ssl.c:720)>

When running directadmin in debug mode (b8000), this is all that is logged:

2021/07/15 15:27:54 http: TLS handshake error from <redacted server ip>:41490: remote error: tls: error decoding message

Since this is running via ansible, the API call is initiated on the server itself, connecting to its own server hostname.

I've restarted directadmin, I've compared supported cipher lists from openssl, I've compared directadmin.conf, and everything is the same. Other API calls from other scripts seem to work, so this appears to be only an issue with the connections done from the ansible tasks, which is running on the python3 interpreter. The servers are all Debian 9.

I hope someone has suggestions on how to further troubleshoot this, because at the moment I am stuck..

 

[kristian]

Looks like the cause of this is that on the failing servers, the Let's Encrypt certificate for the hostname is a Public Key Algorithm: id-ecPublicKey, while on the working servers, it's a Public Key Algorithm: rsaEncryption.

I guess this is a new default cipher for renewals, but unfortunately it isn't easily supported by Python 3 on Debian 9. Is there a way to force the letsencrypt.sh script to create certificates using RSA? I see that the key size can be passed as an argument, and the logic would then cause it to use RSA, but since this script is called from somewhere I don't know, I'm not sure how to affect the arguments passed to it.

Anyone know where I can change this behaviour?

 

[cjd]

Is it possible to upgrade your Python version to fix the problem? There is an un-official repo that may help:

Unofficial Python backports for Debian

I haven't fully checked it out, but could be a solution till you upgrade the OS.

 

[kristian]

I prefer to avoid third party repositories as much as possible. Upgrading to Debian 10 is planned to happen soon(ish) though. I just tested the same operation on an already-upgraded Debian 10 server with an EC certificate, and it works fine there. So at least I've verified that this is a python problem only on Debian 9.

Also found this reported python issue, with some information: https://bugs.python.org/issue31809

 

[cjd]

Ahh ok, ya I only use them as a last resort, i try to stick to backports if I really need it (otherwise compile it myself), i think I saw someone had a work around in that link if you set it explicitly they could get it to work. (Only looked quickly. Was kind of interested though as I still have 3 Debian 9 servers left to upgrade.)

 

[Richard G]

Can this be related to this issue?

exim issue diffie hellman

Hi I have noticed an issue with exim when updated the exim configuration files via custombuild via ./build exim_conf. A new exim parameter 'tls_dhparam = /etc/exim_dh.pem' was added and it causes issues for us. When this paramter is active exim loses 2 ciphers...

forum.directadmin.com

Suddenly 2 DHE-RSA ciphers missing again which should be present?

 

[kristian]

Doesn't look related. I'm not sure what caused the certificate to have changed the default. Could be an update in the letsencrypt.sh script perhaps.

 

[ikkeben]

Doesn't look related. I'm not sure what caused the certificate to have changed the default. Could be an update in the letsencrypt.sh script perhaps.

This one you mean but can't find the older version to see difference.?

http://files1.directadmin.com/services/all/letsencrypt.sh

I did had problem on fresh installed server to get certs on domains on day after domains and server installed ( so no no dns delay while did resolve), and did see then update (again) ( not sure the same) letsencrypt, did al that twice with the directadmin - p and all rebuild and rewrites, after that the LE certs succeeded i made a post here in forum,

Not quite related, but if change letsencrypt, maybe some more things on forum could be related to that.

Maybe the LE script combi with the config setting in Directadmin GUI when generating / making a letsencrypt for which keysize bit is here the thing to look at?

( don't know also which parts dovecot / exim is using there for the separate domains, the CERT for that domain or the ond from HOST /Hostname. ? )

But then how do choose the settings for this in generating the LE for hostname if didn't find that in the HELP and docs only bit size ( not celar if you can put there 2048, 4096, or also ec-384? or that i had before 3072 while is not in dropdown in GUI DA. So if defaults are changed then while you did have own value before is ????

Or the CERT TYPE there ?

This help topics:

https://help.directadmin.com/item.php?id=645

https://help.directadmin.com/item.php?id=629