Windows 7 Chrome Let's Encrypt problems

system-admin

Verified User
Joined
Aug 1, 2019
Messages
60
It works... it works... Thanks so much :)
Party time!

 

fln

Administrator
Staff member
Joined
Aug 30, 2021
Messages
557
@sufiyanshaikh yes, if /root/.zerossl file is present all subsequent certificate operations will use ZeroSSL instead of LetsEncrypt (renewal, new certs, revocation, etc.). If the file is removed it will start using LetsEncrypt again.

@system-admin glad to hear that. Before your last message I had already started a reply stating that it MUST work with ZeroSSL 😄 and the issue is probably that LetsEncrypt certs are still present.

OK, we will start working on making the LetsEncrypt vs ZeroSSL choice a proper DA feature. Right now it is not user-friendly enough. Hopefully our changes will get accepted into the upstream lego repo and we will not have to maintain a separate fork.
 

copernic

Verified User
Joined
Jul 2, 2019
Messages
64
ZeroSSL worked for me on a VPS with Apache+Nginx as a webserver but not on a second machine with OLS.
I use CPGuard on both machines but on the second machine, the WAF module does not work anymore with the following error:
021-10-03 05:17:51.718165 [ERROR] [126589] [Module:mod_security]setSecRule(type 2) /usr/local/lsws/conf/httpd-modsecurity.conf failed, ret -1, reason: 'Rules error. File: https://rules.malware.expert/download.php?rules=generic&extra=cpgrbl,cpgrecaptcha,webshell,scanner. Line: 1. Column: 0.
SecRule FILES_TMPNAMES "@inspectFile /etc/cpguard/scripts/cpgModsecScan.php" "phase:2,t:none,block,msg:'cPGuard Upload Scanner bad uploaded file',id:'5583453'"
Include /etc/cpguard/cpguard_modsec101.conf
- Failed to download: SSL peer certificate or SSH remote key was not OK'.

It seems that the OLS package doesn't detect the last CA bundle update yet, how to fix it?
 

system-admin

Verified User
Joined
Aug 1, 2019
Messages
60
Thanks so much @fln . I really appreciate your help :)
Yes, it would be a great idea if it is implemented in the GUI and the user has a choice to select the provider!
 

fln

Administrator
Staff member
Joined
Aug 30, 2021
Messages
557
@copernic I think this is not related to ZeroSSL certs. From the web server perspective LetsEncrypt and ZeroSSL are identical. Both have a main cert plus chain certs. And we have not changed how web server configs are generated, only the tool that receives certs from the CA. It would be great to keep this thread only related to issues and solutions related to the LetsEncrypt root cert expiration.

If you think it was really caused by the switch from LE to ZeroSSL please try removing the /root/.zerossl file and see if the system is working fine again.

If this is not related to LE/ZeroSSL please start a new thread.
 

Canary

Verified User
Joined
Jun 26, 2015
Messages
25
Is it possible to have both on same server with DA?

So Users can choose?
I agree. Now that DirectAdmin supports both issuers, it would be nice to have a per-domain setting so a user can choose between the two for each main domain.
 

Aar

Verified User
Joined
Feb 10, 2005
Messages
207
Location
Netherlands
I have read this topic and I also have problems with my Let's Encrypt certificates on CentOS 7 and OpenSSL 1.0.2.
It not only affects old operating systems like Windows 7 (booh 😆) or old browsers, but also PHP's file_get_contents().

Now I will solve this problem...
I've read in this topic that I can use the command: yum install ca-certificates
Is this the only thing? Or is there something more that needs to be done on the OpenSSL or Let's Encrypt side of my server?
 

cjd

Verified User
Joined
Feb 1, 2021
Messages
272
Location
Canada
@Aar Here is some additional info about the issue with OpenSSL and CentOS 7. It would be good to start planning for an OS upgrade to a recent supported OS, as you will probably run into more issues as time goes on.


 

Aar

Verified User
Joined
Feb 10, 2005
Messages
207
Location
Netherlands
OK, @cjd thanks. I will try it.

And is there something more that needs to be done on the OpenSSL or Let's Encrypt side of my server? And is the change directly active over the existing LE certificates on my server?

And yes, I'm going to upgrade my server to a new OS soon. Maybe CentOS 8 or a fork.
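
One way to check the system trust store after updating ca-certificates, as an added example that is not part of the thread: the function below lists every certificate in a CA bundle that is already expired or expires within a given margin. The function name is hypothetical, the default path is the CentOS 7 system bundle, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: stale_ca_certs [bundle-file] [margin-seconds]
#   bundle-file     PEM CA bundle (assumed default: CentOS 7 system bundle)
#   margin-seconds  0 = list only already-expired certs (default)

stale_ca_certs() {
    bundle="${1:-/etc/pki/tls/certs/ca-bundle.crt}"
    margin="${2:-0}"
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 2

    # Split the bundle into one file per PEM certificate block.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/   { on = 0; close(out) }
    ' "$bundle"

    for pem in "$tmpdir"/cert*.pem; do
        [ -e "$pem" ] || continue
        # -checkend exits non-zero if the cert expires within $margin seconds
        # (an unparseable block is reported too, with an empty description).
        if ! openssl x509 -in "$pem" -noout -checkend "$margin" >/dev/null 2>&1; then
            # One line per stale cert: subject and notAfter date.
            openssl x509 -in "$pem" -noout -subject -enddate 2>/dev/null | tr '\n' ' '
            echo
        fi
    done
    rm -rf "$tmpdir"
}
```

An empty result for the bundle your client actually loads means no expired root is left in it; OLS, PHP and curl may each be configured with their own bundle path, so pass that path as the first argument.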
 