getssl
Failed download certificate not detected.
Last night one of my certificates on a webserver was renewed. In the last step (downloading the certificate) it went wrong due to a busy webserver at Let's Encrypt. This was not detected by getssl; I presume the code from Let's Encrypt was not 500 but 503, so the error was saved as .crt. This resulted in a crash of Apache on our webserver, so all sites went down due to a buggy certificate.
Solution: Just add a final check (like `openssl x509 -in <new_crt> -text -noout`) between cert_archive and cert_install. In that case the bad certificate is still in the archive and checks can be done afterwards. Alternative: raise an error if the HTTP status code from Let's Encrypt is not 200.
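The two checks proposed above, written out as an added example (this is not getssl's own code; the function names `check_acme_status`, `verify_cert_file` and the sample-file helpers are this example's own). It refuses to install a file that is empty, that has no PEM certificate block (the JSON error document from the report fails here), or that `openssl x509` cannot parse, and it treats any ACME download status other than 200 as a failure:

```shell
#!/bin/sh
# Added example, not part of getssl: guard the step between cert_archive and
# cert_install so that an ACME error body is never installed as a certificate.

# Reject any ACME download whose HTTP status is not 200 (e.g. 503 "Service busy").
check_acme_status() {
    status="$1"
    case "$status" in
        200) return 0 ;;
        *)   echo "ACME download failed with HTTP status $status" >&2; return 1 ;;
    esac
}

# Return 0 only if $1 is a non-empty file containing a parseable PEM certificate.
verify_cert_file() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo "refusing to install $f: file missing or empty" >&2
        return 1
    fi
    # An ACME error document is JSON, never PEM; catch it before calling openssl
    # and show the first bytes so the log explains what was actually downloaded.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "refusing to install $f: no PEM certificate block found" >&2
        head -c 200 "$f" >&2; echo >&2
        return 1
    fi
    # Full parse (the check suggested in the issue) when openssl is available.
    if command -v openssl >/dev/null 2>&1; then
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "refusing to install $f: openssl cannot parse it" >&2
            return 1
        fi
    fi
    return 0
}

# Constructed sample input: the body that was saved as .crt in the report.
write_acme_error_sample() {
    printf '%s\n' '{"type": "urn:ietf:params:acme:error:rateLimited", "detail": "Service busy; retry later."}' > "$1"
}

# Constructed sample input: a throwaway self-signed certificate (needs openssl).
write_selfsigned_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=example.invalid" -days 1 >/dev/null 2>&1
}

# Stand-alone use: pass the path of a freshly downloaded .crt as the first argument.
if [ -n "${1:-}" ]; then
    verify_cert_file "$1" && echo "$1 parses as a certificate; safe to install"
fi
```

The grep check runs first on purpose: it fails fast on the JSON error case without depending on openssl, and prints the start of the file so the getssl log would have shown the rate-limit message instead of "Certificate saved". Wiring `check_acme_status` to the download step's HTTP status would stop the bad body from ever being written as .crt in the first place.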
Log from getssl:

```
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Certificate saved in /root/.getssl/**mydomain**/**mydomain**.crt
copying domain certificate to /usr/local/nginx/conf/letsencrypt/**mydomain**.crt
copying private key to /usr/local/nginx/conf/letsencrypt/**mydomain**.key
copying CA certificate to /usr/local/nginx/conf/letsencrypt/chain.crt
copying full chain to /usr/local/nginx/conf/letsencrypt/**mydomain**.bundle
```

Contents of the saved certificate file:

```
cat /usr/local/nginx/conf/letsencrypt/mydomain.crt
{"type": "urn:ietf:params:acme:error:rateLimited", "detail": "Service busy; retry later."}
```
Apache logs where it went down:

```
AH02561: Failed to configure certificate guntherneefs.be:443:0, check /usr/local/nginx/conf/letsencrypt/**mydomain**.crt
SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
SSL Library Error: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
AH00020: Configuration Failed, exiting
```