Windows 7 chrome let’s encrypt problems

It works... it works... Thanks so much :)
Party time!

adult-party-header-new-1280x416.jpg
 
@sufiyanshaikh yes, if /root/.zerossl file is present all subsequent certificate operations will use ZeroSSL instead of LetsEncrypt (renewal, new certs, revocation, etc.). If the file is removed it will start using LetsEncrypt again.

@system-admin glad to hear that. Before your last message I have already started a reply stating that it MUST work with ZeroSSL ? and the issue is probably that LetsEncrypt certs are still present.

OK we will start working on making LetsEncrypt vs ZeroSSL choice a proper DA feature. Right now it is not user-friendly enough. Hopefully our changes will get accepted into upstream lego repo and we will not have to maintain separate fork.
 
zeroSSL worked for me on a VPS with Apache+Nginx as a webserver but not on a second machine with OLS.
I use CPGuard on both machines but on the second machine, the WAF module does not work anymore with the following error:
021-10-03 05:17:51.718165 [ERROR] [126589] [Module:mod_security]setSecRule(type 2) /usr/local/lsws/conf/httpd-modsecurity.conf failed, ret -1, reason: 'Rules error. File: https://rules.malware.expert/download.php?rules=generic&extra=cpgrbl,cpgrecaptcha,webshell,scanner. Line: 1. Column: 0.
SecRule FILES_TMPNAMES "@inspectFile /etc/cpguard/scripts/cpgModsecScan.php" "phase:2,t:none,block,msg:'cPGuard Upload Scanner bad uploaded file',id:'5583453'"
Include /etc/cpguard/cpguard_modsec101.conf
- Failed to download: SSL peer certificate or SSH remote key was not OK'.

It seems that the OLS package doesn't detect the last CA bundle update yet, how to fix it?
 
fln said:
@sufiyanshaikh yes, if /root/.zerossl file is present all subsequent certificate operations will use ZeroSSL instead of LetsEncrypt (renewal, new certs, revocation, etc.). If the file is removed it will start using LetsEncrypt again.

@system-admin glad to hear that. Before your last message I have already started a reply stating that it MUST work with ZeroSSL ? and the issue is probably that LetsEncrypt certs are still present.

OK we will start working on making LetsEncrypt vs ZeroSSL choice a proper DA feature. Right now it is not user-friendly enough. Hopefully our changes will get accepted into upstream lego repo and we will not have to maintain separate fork.
Click to expand...

Thanks so much @fln . I really appreciate your help :)
Yes, it would be great idea if it is implemented in GUI and use has choice to select the provider!
 
@copernic I think this is not related to ZeroSSL certs. From the web server perspective LetsEncrypt and ZeroSSL are identical. Both has main cert plus chain certs. And we have not changed how web server configs are generated, only the tool that receives certs from CA. It would be great to keep this thread only related to issues and solutions related to the LetsEncrypt root cert expiration.

If you think it was really caused by the switch from LE to ZeroSSL please try removing the /root/.zerossl file and see if the system is working fine again.

If this is not related to LE/ZeroSSL please start a new thread.
 
ikkeben said:
Is it possible to have both on same server with DA?

So Users can choose?
Click to expand...
I agree. Now that DirectAdmin supports both issuers, it would be nice to have a per-domain setting so a user can choose between the two for each main domain.
 
I have read this topic and i have also problems with my Let's Encrypt certificates on Centos 7 and OpenSSL 1.0.2.
It is not only affected by old operating systems like Windows 7 (booh ?) or old browsers, but also with PHP's file_get_contents()

Now i will solve this problem...
I've read in this topic that i can use the command: yum install ca-certificates
Is this the only thing? Or is there something more that needs to be done on the OpenSSL or Let's Encrypt side of my server?
 
Last edited:
@Aar Here is some additional info about the issue with OpenSSL and Centos 7, it would be good to start planning for an OS upgrade to a recent supported OS, as you will probably run into more issues as time goes on.

Old Let's Encrypt root certificate expiration and OpenSSL 1.0.2

The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will...
www.openssl.org www.openssl.org

blog.devgenius.io

Let’s Encrypt change affects OpenSSL 1.0.x and CentOS 7

Default certificate chain to include an expired root certificate
blog.devgenius.io blog.devgenius.io
 
Oké, @cjd thanks. I will try it.

And is there something more that needs to be done on the OpenSSL or Let's Encrypt side of my server? And is the change directly active over the existing LE certificates on my server?

And yes, i'm going soon upgrade my server with a new OS. Maybe CentOS 8 of a fork.
 
You must log in or register to reply here.
Back
Top